Protecting Infrastructure With TLS Client Authentication
Here at Threat Stack we really like Yubikeys — and they’re a critical part of our security program. Many folks know Yubikeys for their ability to generate one-time codes for use as a second factor. Did you also know you can store certificates on them and use them in your ... Read More
Trash Taxi: Taking Out the Garbage in Your Infrastructure
Trash Taxi: A Lifecycle Management Tool for Superuser Discovery & Cleanup One of the security challenges we had at Threat Stack was managing developer access to production infrastructure. We already have a set of controls around managing scoped access depending on role (and if you’re on-call), and we have a ... Read More
How to Create a Threat Model for Cloud Infrastructure Security
Our Motto is: Threat Modeling: The sooner the better, but never too late. — OWASP The practice of creating a threat model can help teams proactively understand and develop a strategy for managing the possible vulnerabilities their organization faces, instead of waiting until after an incident occurs. OWASP defines threat ... Read More
How to Avoid Targeted AWS Attacks With Secure AWS Keys
If the headlines are any indication, hackers continue to exploit vulnerabilities in cloud infrastructure platforms, with targeted AWS attacks becoming very common. Many attacks follow similar patterns: Actors are typically looking opportunistically for AWS keys, which are either accidentally posted to open source code websites like GitHub or stolen from ... Read More
Access Management Lessons From Timehop’s Cloud Security Breach
Over the past couple of weeks, both Macy’s and Timehop experienced breaches as a result of authentication weaknesses. On July 4, social media startup Timehop experienced a data breach that affected 21 million customers and included information such as names, emails, and phone numbers. According to a preliminary investigation conducted ... Read More
Three Homegrown SecOps Tools Used by the Threat Stack Team
As a security company, there’s a lot of pressure to keep our data secure while still moving fast and innovating on product development. I find the intersection of security and speed the most interesting challenge as an infrastructure security professional. The unique thing about Threat Stack is that our Security ... Read More
21 InfoSec and AWS Experts Reveal the #1 Mistake Companies Make When It Comes to AWS Security (and How to Avoid It)
More companies are moving to the cloud than ever before. Amazon Web Services (AWS) is one of the most popular cloud platforms, and for good reason: AWS provides a robust set of features and services that give it broad appeal among businesses of all sizes. But when it comes to ... Read More
What Happens When You Sacrifice Security for Speed (And Common Ways Security Gets Sacrificed)
No matter where you sit in your organization, you should know what happens when you sacrifice security for speed. Threat Stack recently surveyed DevOps and security pros and found that more than half (52%) of companies make this very sacrifice, cutting back on security measures to meet a business deadline ... Read More
The 5 Biggest Obstacles to SecOps Success
Even organizations that understand the importance of cybersecurity in theory often stumble when it comes to marrying security initiatives with their development and operations processes. We recently surveyed a group of development, operations, and security professionals, compiling our findings in this report: Bridging the Gap Between SecOps Intent and Reality ... Read More
