I started to write an apology for this week’s Summary, because I missed last week due to an unplanned stomach bug that hit at 4am Thursday, when I normally write these. It was nearly 5 days before I fully recovered. Then I realized I had fully drafted a Summary on March 11 – an abridged version due to my daughter waking up with a stomach infection. It turns out I left that one as a draft, and never even noticed… that’s what kids do to ya.
So I’m including all my post-RSA conference links here, and adding some newer content as well. We’re building up a massive backlog of content at this point, so there’s no shortage of things to write about. And if you didn’t believe in the germ theory of infection, my home is conclusive proof.
Someone emailed asking if we could cover more cloud providers than just AWS. We tend to focus on them because they are the biggest, and that’s where most of our work is, but we are actively trying to expand coverage. Email us at email@example.com if you have any interesting sites we should follow, or see any interesting presentations. There are a bunch of catch-up links here, but next week I plan to focus more on Microsoft and Google.
If you want to subscribe directly to the Friday Summary only list, just click here.
Top Posts for the Week
- My RSA presentation with Bill Shinn on how you can be more secure in the cloud.
- My Rugged DevOps at Scale presentation video from DevOps Connect at RSAC.
- Full Video Series Released: Rugged DevOps at RSA Conference 2016.
- Attack of the week: DROWN. This nasty one is affecting a lot of cloud deployments. Please review and patch.
- Rugged DevOps at RSAC 2016. A great summary by the author of Gauntlt. And not just because he mentions my session. Full disclosure: the idea of keeping all security documentation in GitHub comes from Bill Shinn of AWS.
- IAM best practice guides available now for Google Cloud. Google and Microsoft are starting to push hard to catch up with AWS on critical security capabilities.
- AWS launched a community repository for AWS Config Rules. Nice idea, and it gives you a good sense of various security and configuration requirements from different organizations.
- Snapchat shares security best practices for running on GCP.
- Migrating to AWS NAT Gateway. Expect to see more of these service endpoints. This one solves a problem we have seen customers hit: NAT instances aren’t always reliable. Although sometimes for security reasons you still want to proxy through instances rather than using this. Especially if you need to lock down Internet access beyond what you can do with security groups or ACLs.
- For 7 years Chris Hoff and I have co-presented an ongoing series at RSA on disruptive innovation and its impact on security. Chris couldn’t be there this year, and it seemed like time to bring things to a close. Mike Rothman filled in and you can see our review of all seven years, with implications, in our enormous deck.
- Innovating Security like the DevOps Unicorns. A nice interview with Shannon Lietz of Intuit. Probably one of the best DevOps security pros out there right now.
Tool of the Week
This is a new section highlighting a cloud, DevOps, or security tool we think you should take a look at. We still struggle to keep track of all the interesting tools that can help us, so if you have submissions please email them to firstname.lastname@example.org.
This week I want to focus on a tool that is one of the cornerstones of DevOps in many organizations, but with which not all security professionals are familiar. We need this as a foundation so we can start talking about some cool security extensions next week. Thus, ladies and gentlemen, today we will talk about Jenkins.
Jenkins is the most popular continuous integration tool right now. It’s Open Source with a very active community and a ton of support and plugins. For those of you without development experience, a CI server automates integrating application code changes and running tests. It can do a lot more than that, but continuously integrating changes (even from multiple teams’ contributors in massive projects) and making sure the code still works is a big deal. What makes Jenkins so special is that large community and massive plugin support. Instead of merely integrating updated code, it can detect when code is updated in a repository, pull it and integrate, automatically stand up a test environment, run thousands of tests, send alerts back on failures, or push code into further testing or production if it passes. The current version (and upcoming version 2.0) are automation servers that can handle complex workflows and pipelines for managing application updates.
This automation offers tremendous security benefits. For example there is a full audit trail of all code changes. Better yet, you can integrate security testing into your automation pipeline, far more effectively than previous ways we’ve used security testing tools. You can flag changes to security-sensitive parts of code like encryption or authentication to require a security sign-off. All this using the same tool developers use anyway, and integrated into their processes. Jenkins isn’t just for code – you can use it for server configuration, and using a tool like Packer it can create gold images and perform automatic security scans. You can even run complex vulnerability assessments on cloud/virtual infrastructure using code templates like Vagrant, Cloudformation, or Terraform.
Next week we’ll talk about one of the coolest security testing tools that integrates with Jenkins.
Securosis Blog Posts this Week
- Incite 4/6/2016: Hindsight
- Incite 3/30/2016: Rational People Disagree
- Incite 3/23/2016: The Madness
- Resilient Cloud Network Architectures: Design Patterns
- Securing Hadoop: Security Recommendations for Hadoop [New Paper]
- Resilient Cloud Network Architectures: Fundamentals
- Shadow Devices: The Exponentially Expanding Attack Surface [New Series]
Maximizing WAF Value
- Maximizing Value From Your WAF [New Series]
- Maximizing WAF Value: Deployment
- Maximizing WAF Value: Managing Your WAF
Other Securosis News and Quotes
- At Macworld, I wrote How FBI vs. Apple could cripple corporate and government security
- I joined Dennis Fisher on the On the Wire Podcast to talk about the farce of PCI, and the FTC finally asking some tough questions.
- I was quoted in the Seattle Times on the Apple/FBI mess.
- I was interviewed in Fortune on biometrics and fingerprint hacks.
Training and Events
- We are running two classes at Black Hat USA:
- Black Hat USA 2016 | Cloud Security Hands-On (CCSK-Plus)
- Black Hat USA 2016 | Advanced Cloud Security and Applied SecDevOps (SOLD OUT! But we are considering opening more slots).