Incident management: what we can learn from a crisis

In information security we have a saying: ‘never waste a good crisis’. As grim as this may sound, there are valuable lessons to be learned from situations like the recent corona outbreak. As seen in the news, a lot of companies are closing their offices to limit transmission of the virus. However, this can hurt your efficiency or introduce new risks. What can you do to assess this?

Read more →

CertShout: All your domains are public

TLS should be mandatory for every website. But when you set it up, make sure you configure the certificate correctly. That includes keeping sensitive data out of every field of the certificate: the subject (organisation, organisational unit, common name) and every Subject Alternative Name. If your CA supports Certificate Transparency, as every publicly trusted CA does today, the certificate is written to public, searchable logs the moment it is issued. By Marinus Kuivenhoven and Jeroen Willemsen.
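The check that goes with this advice, as an added example (not code from the post or from the CertShout authors): generate a deliberately leaky certificate with hypothetical names, print exactly the fields a CT log will publish, and flag the ones that should never have been there. It needs openssl 1.1.1 or later; the internal-name policy in `internal_names` is a constructed heuristic, not a standard.

```sh
#!/bin/sh
# Added example, not code from the post: list every name a certificate will publish
# once a CT-logging CA issues it, and flag names that should never be public.
# Requires openssl 1.1.1 or later (for -addext and -ext). All names are hypothetical.
set -eu

# make_test_cert DIR: constructed self-signed certificate whose subject and SAN list
# leak an internal team name, an internal hostname and a private IP address.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -subj "/O=Example BV/OU=Finance Team/CN=www.example.com" \
    -addext "subjectAltName=DNS:www.example.com,DNS:payroll-db01.corp.internal,IP:10.0.12.7" \
    >/dev/null 2>&1
}

# cert_subject CERT: the full subject, exactly as a CT log or crt.sh will show it
cert_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# cert_names CERT: CN plus every SAN entry (DNS names and IP addresses), one per line
cert_names() {
  cert_subject "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' \
    | sed -n -e 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
             -e 's/^[[:space:]]*IP Address:\(.*\)$/\1/p'
}

# internal_names CERT: names matching a (constructed) policy of things that must not
# appear in a public certificate: non-public suffixes and RFC 1918 addresses.
internal_names() {
  cert_names "$1" \
    | grep -E '\.(internal|local|corp|lan|intranet)$|^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
    || true
}

# Usage: sh ct_fields.sh [cert.pem]   (no argument: generate and inspect the constructed cert)
main() {
  cert=${1:-}
  if [ -z "$cert" ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir"
    cert=$dir/cert.pem
  fi
  echo "subject: $(cert_subject "$cert")"
  echo "names this certificate publishes:"
  cert_names "$cert" | sed 's/^/  /'
  echo "names that look internal (fix before requesting the real certificate):"
  internal_names "$cert" | sed 's/^/  /'
}

main "$@"
```

Run it against the CSR or certificate before you submit it to the CA, not after: once a CT log has accepted the certificate the entry cannot be withdrawn, and a search on an aggregator such as crt.sh for your organisation name will return exactly the lines `cert_names` prints.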

Read more →

Build and secure containers to support your CI/CD pipeline

There are two systems in any company that are critical: the payroll system and the CI/CD system. Why, you may ask?
If the payroll system doesn’t work, people leave the company and the company may face legal problems. The CI/CD system is the gateway to production: if it is down while there is a bug in production, your business suffers, through loss of revenue, loss of customers and loss of money, to name a few.

Usually, I find these problems with CI/CD tooling:

  • Poor software lifecycle management: outdated software containing critical vulnerabilities
  • Ancient capabilities in the build agents; in extreme cases, frameworks and tools that are no longer supported by their vendors
  • Drifting agents, meaning teams had to do some sorcery to get the software to build
  • Lack of proper isolation between builds, meaning one build can read another build’s files
  • Long lead times for teams that need to upgrade or install a new framework
  • Outdated, strict rules mandated by an operations team, usually from people with outdated heuristics on how software should be developed
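Two of the problems above, drifting agents and builds that can read each other’s files, have the same cure: an ephemeral, digest-pinned build container with a private workspace per build. The script below is an added example, not code from the post; the registry, digest, paths and resource limits are hypothetical placeholders.

```sh
#!/bin/sh
# Added example, not code from the post: run every CI build in a fresh, throwaway
# container so builds cannot read each other's files and agents cannot drift.
# Registry, digest, paths and limits are hypothetical placeholders.
set -eu

# Pin the agent image by digest, never by tag: a tag like :latest moves silently,
# a digest is the same bytes on every agent until someone deliberately bumps it.
AGENT_IMAGE='registry.example.com/ci/build-agent@sha256:0000000000000000000000000000000000000000000000000000000000000000'
WORKSPACES=/srv/ci/workspaces

# pinned_image REF: true only when REF is addressed by a sha256 digest
pinned_image() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# valid_build_id ID: build ids end up in container names, paths and a shell command,
# so refuse anything outside [A-Za-z0-9_-] before it gets anywhere near eval or docker.
valid_build_id() {
  case $1 in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# build_cmd BUILD_ID: print the docker invocation for one isolated build
build_cmd() {
  build_id=$1
  # --rm                          : the agent is gone after the build, no accumulated "sorcery"
  # --user                        : never build as root
  # --read-only, --tmpfs          : image filesystem immutable, scratch space in RAM, noexec
  # --cap-drop, no-new-privileges : no capabilities, no setuid escalation
  # --network none                : assumes dependencies are vendored into the workspace;
  #                                 if the build must download, use an egress-filtered network
  # --cpus/--memory/--pids-limit  : one runaway build cannot starve the others
  # -v                            : a private workspace per build id, nothing shared between builds
  echo docker run --rm \
    --name "build-$build_id" \
    --user 1000:1000 \
    --read-only --tmpfs /tmp:rw,noexec,nosuid,size=512m \
    --cap-drop=ALL --security-opt no-new-privileges \
    --network none \
    --cpus 2 --memory 4g --pids-limit 512 \
    -v "$WORKSPACES/$build_id:/work:rw" -w /work \
    "$AGENT_IMAGE" ./build.sh
}

# run_build BUILD_ID: validate the inputs, then execute the command above
run_build() {
  valid_build_id "$1" || { echo "refusing build id: $1" >&2; return 1; }
  pinned_image "$AGENT_IMAGE" || { echo "agent image is not pinned by digest" >&2; return 1; }
  cmd=$(build_cmd "$1")
  echo "+ $cmd"
  eval "$cmd"
}

# Usage: sh isolated_build.sh <build-id>   (prints and runs the docker command)
if [ -n "${1:-}" ]; then
  run_build "$1"
fi
```

The read-only root filesystem is what stops drift: anything a build installs or patches lives in `/tmp` or the workspace and dies with the container, so the only way to change what agents can do is to build and pin a new image, which is exactly the controlled upgrade path the list above asks for.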

Read more →

Being An Agile Security Officer: Spread Your Knowledge

This is the fifth and last part of my blog series about Being an Agile Security Officer.

In the previous parts I showed how Security Officers can align with the Agile process and make security a standard quality attribute again. Unfortunately many teams not only need to be made aware of security requirements, but also need technical advice and guidance in designing and implementing them. As an Agile Security Officer you therefore need to act not only as a Stakeholder, but also as a Domain Expert for Security.

Read more →

Docker containers vulnerability scan with Clair

When you work with containers (Docker) you are not only packaging your application but also part of the OS. Therefore it is crucial to know which libraries in your container might be vulnerable. One way to find this information is to look at the Docker Hub or Quay.io security scans. The problem with these scans is that they only show you the information; they are not part of your CI/CD pipeline and do not block your container when it contains vulnerabilities.
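What “blocking” means in practice is a pipeline step that exits non-zero once a finding crosses a severity threshold. The gate below is an added example, not code from the post or from Clair: it reads one finding per line (severity, identifier, package), a constructed format for this illustration rather than Clair’s native JSON, and uses Clair’s severity scale from Unknown up to Defcon1 to rank findings.

```sh
#!/bin/sh
# Added example, not code from the post: a pipeline step that turns a scan report into
# a go/no-go decision. The input format (one finding per line: severity, id, package)
# is constructed for this example; it is not Clair's native JSON output.
set -eu

# Constructed sample findings; the identifiers are placeholders, not real CVEs.
SAMPLE_REPORT='# severity   id             package
Negligible   EXAMPLE-0001   bash
Low          EXAMPLE-0002   libfoo1
Medium       EXAMPLE-0003   curl
High         EXAMPLE-0004   openssl'

# gate THRESHOLD: read findings from stdin, print the ones at or above THRESHOLD,
# exit 1 if there are any (fail the pipeline), exit 2 on a malformed report (fail closed).
# Severity names and their order follow Clair's scale.
gate() {
  awk -v threshold="$1" '
    BEGIN {
      rank["Unknown"] = 0; rank["Negligible"] = 1; rank["Low"] = 2; rank["Medium"] = 3
      rank["High"] = 4;    rank["Critical"] = 5;   rank["Defcon1"] = 6
      if (!(threshold in rank)) {
        print "unknown threshold: " threshold > "/dev/stderr"; malformed = 1
      }
      blocked = 0
    }
    malformed { exit }                          # stop reading, END decides the exit code
    /^[[:space:]]*(#|$)/ { next }               # comments and blank lines
    !($1 in rank) {
      # a severity we cannot rank is never waved through: fail closed
      print "line " NR ": unknown severity \"" $1 "\"" > "/dev/stderr"
      malformed = 1; next
    }
    rank[$1] >= rank[threshold] { blocked++; print "BLOCK " $0 }
    END {
      if (malformed) exit 2
      exit (blocked > 0 ? 1 : 0)
    }'
}

# Usage: sh gate.sh [threshold]   (default High; runs against the constructed sample)
main() {
  threshold=${1:-High}
  if printf '%s\n' "$SAMPLE_REPORT" | gate "$threshold"; then
    echo "no findings at or above $threshold: image may be pushed"
  else
    echo "findings at or above $threshold (exit $?): pipeline fails, image is not pushed"
  fi
}

main "$@"
```

In a real pipeline the scanner step writes the findings and the next step runs `gate High < findings.txt`; because the gate’s exit status is what fails the job, an image only reaches the registry when the gate returns 0. Note that a report line the gate cannot rank makes it exit 2 rather than pass, so a scanner that changes its output format breaks the build loudly instead of silently letting everything through.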
Read more →

Docker container secrets on AWS ECS

Almost every application needs one or more secrets to do its work. There are all kinds of ways to provide them to a container, but they all come down to the following five:

  1. Save the secrets inside the image
  2. Provide the secrets through ENV variables
  3. Provide the secrets through volume mounts
  4. Use an encrypted secrets file
  5. Use a secrets store
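The difference between options 2 and 3 is easy to demonstrate locally. The script below is an added example, not code from the post: a constructed secret is handed to an “application” once through the environment and once through a file, and in both cases a child process of the application reports what it can see.

```sh
#!/bin/sh
# Added example, not code from the post: why option 2 (ENV) exposes a secret more widely
# than option 3 (a mounted file). Everything runs locally; the secret value is constructed.
set -eu

SECRET_DIR=$(mktemp -d)
# A secrets volume typically presents one file per secret, readable by the app user only.
printf 'hunter2\n' > "$SECRET_DIR/db_password"
chmod 0400 "$SECRET_DIR/db_password"

# What any child process of the app (a spawned shell, a crash reporter, a plugin) can see.
CHILD='echo "${DB_PASSWORD-<not in environment>}"'

# via_env: option 2. The runtime exports the secret, so every descendant process
# inherits it, `docker inspect` prints it in clear text to anyone with Docker API
# access, and it tends to surface in crash dumps and debug pages.
via_env() {
  DB_PASSWORD=hunter2 sh -c "$CHILD"
}

# via_file: option 3. The app reads the mounted file into an ordinary, non-exported
# variable. Children see nothing, and `docker inspect` shows only a mount path.
via_file() {
  DB_PASSWORD=$(cat "$SECRET_DIR/db_password")
  sh -c "$CHILD"
}

# secret_file_ok FILE: a mount is only as good as its permissions; insist on 0400.
secret_file_ok() {
  [ "$(ls -ld "$1" | cut -c1-10)" = '-r--------' ]
}

echo "child of an ENV-configured app sees:  $(via_env)"
echo "child of a file-configured app sees:  $(via_file)"
if secret_file_ok "$SECRET_DIR/db_password"; then
  echo "secret file permissions: ok (0400)"
else
  echo "secret file permissions: too open" >&2
fi
```

One caveat for option 5 on ECS: a task definition can reference a value in Systems Manager Parameter Store or Secrets Manager, which keeps the secret out of the image and out of the task definition itself, but the agent delivers it to the container as an environment variable, so inside the container it has the same exposure as option 2. If that matters, have the application fetch the secret from the store itself at startup and keep it in memory rather than in its environment.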

Read more →