
Make Sure to Cover Your Auth

Today, in top-performing DevOps organizations, dev, ops, and security (all three silos) are working in synergy, which is what we know as DevSecOps.

Aditya Balapure (@adityabalapure) is an infosec specialist at Haven. He was at GrubHub when he spoke at the All Day DevOps conference. He emphasized the importance of protecting your authorizations, an area often overlooked.

Aditya started his presentation by pointing out that in traditional DevSecOps, security is visibility and control. Organizations focus a lot on the pipeline, making sure the code is scanned, conducting static and dynamic analysis, building artifacts, scanning deployments, monitoring, and running automated penetration testing.

While organizations had great success focusing on the pipeline, adversaries are changing and working hard to stay ahead. Applications now have more and more vendors and third-party integrations, public API endpoints, and credentials, tokens, keys, and certificates that all need authentication. These are all potential vulnerabilities for attacks.

This underscores the need to know your whole ecosystem. He emphasizes that we need to continually look outside of our own infrastructure rather than just focusing on our pipeline. Aditya asks, are we looking at the public web? What about third-party integrations and libraries? What is the impact of employees and customers sharing confidential info and credentials, such as on public boards? Adversaries expect that users will reuse credentials, which, let's be honest, is often true.

Aditya focuses on how authentication has evolved. He specifically explores how, in the past, HTTP sites hosted credentials. Yet, security in transit is hard to achieve. It is now easier and cheaper to get SSL and TLS, as the cost of certificates has come down. Now, certificate transparency is a savior. It is an open framework for real-time monitoring and auditing of SSL certificates. This helps you detect malicious certificates. It is (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Derek Weeks. Read the original post at: https://blog.sonatype.com/make-sure-to-cover-your-auth