CYBRIC CTO and Co-founder Mike Kail and I connected to discuss DevSecOps. First, Mike tells us what DevSecOps is and why we need it. We talk about the advantages and disadvantages (although we couldn’t really think of any compelling disadvantages) of changing the corporate culture of DevOps to include security. DevSecOps is really fixing the corporate mindset to include security in all facets of operations. It puts forth the radical notion that security is everyone’s responsibility. And, although I’m being a bit sarcastic with that previous comment, I do believe that for some companies and some individuals this notion of everyone owning security is radical.
It shouldn’t be. Security affects us all. It affects us to the tune of $16+ billion in losses due to credit card fraud and identity theft. And that number grows every year.
Listen to the podcast for more details on DevSecOps and how you can help change the culture at your company to make security a priority for everyone.
Length: 16:52 mins. Format: MP3. Rating: G for all audiences and venues.
Copyright 2018 The SecurityNOW Podcast Show. License: CC BY.
Passwords, they used to say, are like toothbrushes: don’t share them and change them often. Indeed that rule is still true, but security is more than just changing your passwords often and keeping them to yourself. Passwords, unfortunately, are our first line of defense in protecting our online accounts, our identities, and our transactions. Passwords should be as long and as complex as possible, which is why you should use a password manager such as LastPass. LastPass will generate a random, long, and complex password that you don’t have to remember because it remembers them for you. There are only two things you have to remember when you use LastPass: log off of LastPass before you leave your computer, and the LastPass master password.
And since passwords aren’t your only defense in this cyber-connected and unsafe world, I’m providing a list of tips to help keep you safe and secure during your online excursions. Read and heed.
Use the screen lock feature of your phones, tablets, and computers.
Use a random non-guessable passcode for unlocking screens.
Use a password manager.
Use different passwords for each online account (saved in your password manager).
Install all hardware and software updates as they’re presented.
Only install apps from the app store and only those that have many good reviews.
Turn off tracking from your apps.
Use a VPN or your cellular network in public places.
Keep phone conversations private.
Perform online banking in private.
Use two-factor authentication on social media and financial sites.
Cover your device when entering passwords.
I know these are tips that you read and hear all the time, but you need to remember them at all times. There is no trusted public environment, and a secured WiFi connection is no guarantee of security. Anyone can set up a WiFi connection and supply a common password to it.
If you ever have questions about cybersecurity, use our contact page to ask your questions. We will reply.
Preston and I interviewed Twistlock CEO Ben Bernstein about his company’s approach to container-based security from a new perspective known as intent-based security, which also has us rethinking application security. Ben gives us an overview of intent-based security and a detailed explanation of why a new perspective is important to application security.
Ben’s concept of intent-based security is changing not only the way organizations build applications as DevOps adoption, and with it container adoption, continues to rise, but also the approach to application security, to address fundamental questions of application intent. In the podcast we cover:
Why it is so difficult for IT, security and dev teams to look at an app and deduce intent
Why attacks on the application layer are harder to detect than the network layer and more difficult to contain
How to effectively add security to a container-based implementation of DevOps
Podcast details: Length – 20:55 minutes. MP3 format. G rating for all audiences.
As discussed in the podcast, don’t assume anything about security for your container hosts or your containers. Container hosts must be thoughtfully secured, because if someone compromises your host, he owns your containers. Securing applications and their containers requires more than cursory security tests. You must build your applications with security in mind, and you must also securely build your containers for those applications.