Directionless Security and Devops
via Gary Southwell, writing at HelpNet Security, comes this interesting self-help(ish) posting, detailing a method to faciltate enhanced (read better) inter-operability between Security Teams and DevOps Organizations. Might be interesting to see the outcome of implementation of this advice, in a real-world setting...
So-Called 'Cybersecurity' Impetus For Agile Dev Adoption
via Zeljka Zorz, Managing Editor, whilst writing at HelpNet Security comes word of how opposites may in fact attract... That is, Agile Development efforts being stimulated by Cybersecurity efforts... The reality: Just another way to flog security products.
BSides Nashville 2015, Ron Parker's 'Agile and Security Oil and Water' →
"the Art of Secure Application Deployment" →
In my opinion, there is absolutely no 'art' in securely deployed applications...
Not withstanding this, the subject of this post is the well engineered conversational interview over at Linux.com, with Tim Mackey, an evangelist at Black Duck Software; in which the two participants in the conversation hold forth in 'DevOps and the Art of Secure Application Deployment' (scribed by Amber Ankerholz). Worth the read.
DevOps, The Security Mythos →
The remarkable truth about Information Security within DevOps driven organizations, and why, per se, those organizations are not secure with the utilization of DevOps integration of Development and Operations teams leading to continuous deployments. If you read anything about DevOps today, read George V. Hulme's interview of Adam Muntner an Application Security Engineer at Mozilla and the creator of FuzzDB (the interview is also posted at Adam's Blog). Absolutely Outstanding.
Bring Your Own Exploit →
DevOps' writer Chris Riley (Chris - aka @HoardingInfo) is a technologist and DevOps analyst for Fixate IO), regales us with s tale of the Rugged DevOps crypt - at least from the viewpoint of semi-like-minded security operators...
All Your Automatonic Security Are Not Belong To Us →
Well crafted thought piece appearing over at Darkmatters, a Norse blog, written by the inimitable Pete Herzog, regaling us with the truth of robotic security. Today's MustRead.
"The problem is that automating security creates a paradox. You see, in security, automation works best as a tool and not a wielder of tools. You see, your security automation is in charge of making periodic and systematic changes to controls and then verifying those changes." via Darkmatters, a Norse Security blog, by Pete Herzog
DevSecOps Edition, 10+ Hours of Information Security + DevOps Video →
The kind folks at DevOps have made their video collection of HD quality Security DevOps content from RSAC 2015 available (with the only catch of a registration form). Highly recommended.
'DevOps Connect was co-produced by DevOps.com and Sonatype, through the Nexus Community Project. The day started with a keynote delivered by Gene Kim and Joshua Corman, setting the stage for 13 more presentations.' - via Devops' Alan Shimel
Über Alles? →
Interesting Uber vs. John Doe (in this case GitHub) case, whence Uber issues what is fundamentally a Your Papers Please subpoena through a magistrate and demands records closely held by GitHub through the courts.
In this case, access has been granted by the magistrate permitting examination of the two Gists at GitHub, containing the unfortunate error made by Uber employees (whence an Uber developer/dba included internal passwords on a very public Gistto internal databases.
Uber argued (successfully - mh) during the hearing that the two Gist posts (both of which have been offline since the lawsuit was filed) should have had very little traffic, and the data on who visited them "should generally reveal people, who were affiliated with Uber and who worked on the Uber code near the time of the unauthorized download." - via El Reg's Kieren McCarthy