Tag Archive

Below you'll find a list of all posts that have been tagged as "security"

5 DevSecOps Best Practices for Your Security Team

Pamela, Product Head of an ISV, envisions the transformation of her team's Dev and Ops processes. She establishes a DevOps team to facilitate "continuous everything," intending to achieve unmatched product quality, process automation, and a risk-averse digital infrastructure. Six months down the line, her team has a faster development cycle. But Pamela isn't satisfied, because in those six months a couple of security incidents have been reported. After investigation, the cause was identified as undetected bugs that had been present since the coding stage. Pamela and her team aren't the only ones to suffer: per the 2019 Sonatype DevSecOps survey, one in four companies experienced a breach in 2018-2019.

DevOps Mantra: Make Security its Core, not just a Preservative

It is awesome how DevOps automates the development, production, testing, and deployment environments. However, the automation chain often ignores essential security protocols, so data left unencrypted in the development environment becomes an easy target for breaches. The key is to integrate security at an earlier stage. When practicing DevOps, code changes many times in a short period. The speed often outpaces the security team's efforts and leaves them flat-footed. This poor alignment between teams results in a lack of security discipline: unplanned vulnerabilities, less robust code, and insecure passwords, to name a few. The Sonatype survey states that 48 percent of respondents cited lack of time as the reason for not practicing security at an early stage of the SDLC. Notably, this number hasn't gone down since 2018. DevSecOps completes the DevOps lifecycle by injecting security into its core. It helps companies move to a broader security blanket with source code analysis, vulnerability testing, penetration testing, and access management, among others.

However, having a DevSecOps guide in place has been a challenge. Let us analyze the top two challenges organizations experience in implementing DevSecOps.

People

Changing corporate mindsets to accept the change is like untying an intricate knot. You need to bring the team onto one page and show them the bigger picture. Make them realize the long-term benefits of practicing security from inception. The Sonatype survey says that only one in four respondents believe that safety and quality run in parallel.

Expertise

A 2018-2019 survey on DevOps showed that 58 percent of tech leaders think a lack of skills hinders embedding security and testing within the SDLC. Lack of expertise makes the complete DevSecOps plan vulnerable. Knowing what to do is essential, but knowing how to do it is the key. Organizations often lack the skills to design an effective DevSecOps plan with defined milestones, clear operating procedures, deliverables, and project owners. Mapping the DevSecOps process flow within an organization and ensuring its success requires the right mix of tools, policies, methodologies, and practices. The bottom line remains smooth synchronization between the Dev, Ops, and Infosec teams. So, let us now look at the five-point DevSecOps security checklist that can be adopted as DevSecOps best practices.

1. Embrace Automation

The standard requirement for continuous testing and continuous integration is speed, which makes automation fundamental. Therefore, having essential security controls and trigger points in the pipeline is essential. Per the Sonatype 2019 survey, 63 percent of respondents said they have automated their security practices. It is also vital to have mindful automation in place. For example, your source code scan need not cover the whole application daily; it can be confined to the code committed that day.

Also, the key is to have not only static application security testing (SAST) but also dynamic application security testing (DAST). This way we ensure vulnerability scanning in real time as well. It is equally important to have a relevant and optimal set of tools that brings automation to your configuration management, code analysis, patching, and access management.

2. Risk Management of Third-Party Tools & Technologies

The use of open source technologies for application development is on the rise. Per the 2019 Red Hat report, 69% of respondents believe that open source technology is crucial. However, there are security concerns around the use of open source technologies that must be addressed. The Red Hat report states: "Security is still cited as an open-source concern. Some of that fear likely stems from general security concerns since hacks and data breaches seem to be daily news. This concern may also reflect how unmanaged open source code—found across the web or brought in through dependencies—can introduce vulnerabilities in both open source and proprietary solutions." Developers are too busy to review open-source code, which can bring unidentified vulnerabilities and other security issues into the codebase. Therefore, dependency testing is necessary. Running an OWASP dependency check will ensure that there are no known vulnerabilities in code that depends on open-source components.

3. Uniform Security Management Process

The security team will usually post bug reports in different bug repositories. Developers don't have the bandwidth to check all the reports. On top of that, multiple priorities result in functional testing taking precedence over security issues. Therefore, it is fundamental to DevSecOps to have a uniform security application management system in place. This way any modification in code is reflected in one place, and the security team is immediately notified to execute the authentication-testing protocol.

Another critical point is to follow the "secure by design" principle via the automation of security tasks. This helps to create and maintain collective software and security elements such as correct authorization, control mechanisms, audit management, and safety protocols. The result is a transparent security culture.

4. Integrating the Application Security System with the Bug Tracker

The application security system should be integrated with your task management system. This will automatically create a list of bug tasks that can be executed by the infosec team. Additionally, it will provide actionable details such as the nature of the bug, its severity, and the treatment required. Thus, the security team becomes empowered to fix issues before they land in the production and deployment environment.

5. Threat Modeling: The Last Key

The SANS Institute advocates risk assessment before implementing a DevSecOps methodology. Threat modeling results in a risk-gap analysis, helping you identify which software components are under threat, the level of each threat, and possible solutions to counter those threats. In fact, with threat modeling, the development team is equipped to locate fundamental flaws in the architecture, so they can make the necessary changes to application designs.

Conclusion

The ferocious rise in competition demands a reduction in the application's time-to-market, supplemented with superior quality. Therefore, DevOps as a practice is only expected to grow. Having rendered DevSecOps services for a while now, we have realized that imbibing security right from the early stages is the key to maintaining zero deployment downtime. Organizations must be thoughtful while shifting to Dev + Security + Operations. They should follow the idea of People > Process > Technology. And, while doing so, the above 5 DevSecOps best practices will lay the foundation.

Aziro Marketing


Big Data and Your Privacy: How Concerned Should You Really Be?

Today, every IT-related service, online or offline, is driven by data. In the last few years alone, the explosion of social media has given rise to a humongous amount of data, which is all but impossible to manipulate without specific high-end computing systems. In general, normal people like us are familiar with kilobytes, megabytes, and gigabytes of data, some even with terabytes. But when it comes to the Internet, data is measured on entirely different scales: petabytes, exabytes, zettabytes, and yottabytes. A petabyte is a million gigabytes, an exabyte is a billion gigabytes, and so on.

A Few Interesting Statistics

Let me pique your interest with a few statistics from various sources:

- 90 percent of the data in existence in the world was created in the last two years alone.
- The reason Amazon sells five times as much as Wal-Mart, Target, and Buy.com combined is that the company steadily grew from a miniature bookseller into a 74 billion dollar revenue business by incorporating all the statistical customer data it has gathered since 1994. In a week, Amazon targets close to 130 million customers; imagine the enormous amount of big data it can gather from them.
- Google's former CEO and current executive chairman, Eric Schmidt, once said: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." The significance of this statement is evident when you realize the magnitude of data that the search giant crunches every second. In its expansive index, Google has stored anywhere between 15 and 20 billion web pages, as in this statistic.
- On a daily basis, Google processes five billion queries.
- Beyond these, through the numerous Google apps that you continuously use, such as Gmail, Maps, Android, Google+, Places, Blogger, News, YouTube, Play, Drive, Calendar, etc., Google is collecting data about you on a huge scale.

All of this data is known in industry circles as "big data." Processing such huge chunks of data is not really possible with your existing hardware and software. That's why there are industry-standard frameworks for the purpose. Apache Hadoop, which Google also uses, is one such system. Various components of Hadoop (HDFS, MapReduce, YARN, etc.) are capable of intense data manipulation and processing. Similar to Hadoop, Apache Storm is a big data processing technology used by Twitter, Groupon, and Alibaba (the largest online retailer in the world).

The effects and business benefits of big data can be quite significant. Imagine the growth of Amazon in the last few years. In that ginormous article, George Packer gives a "brief" account of Amazon's growth in the past few years: from "the largest" bookseller to the multi-product online-retail behemoth it is today. What made that happen? In essence, the question is what makes the internet giants what they are today. Companies such as Facebook, Google, Amazon, Microsoft, Apple, Twitter, etc., have reached their current position by systematically processing the big data generated by their users, including you.

In essence, data processing is an essential tool for success on today's Internet. How is the processing of your data affecting your privacy? Some of these internet giants gather and process more data than all governments combined. There really is a concern for your privacy, isn't there?

Look at the National Security Agency of the US. It's estimated that the NSA has a tap on every smartphone communication that happens across the world, through any company established in the United States. The NSA is the new CIA, at least in the world of technology. Remember the PRISM program that NSA contractor Edward Snowden blew the whistle on. For six years, PRISM remained under cover; now we know the extent of data collected by this program is several times the magnitude of the data collected by any technology company. Not only that, the NSA, as reported by the Washington Post, has a surveillance system that can record one hundred percent of telephone calls from any country, not only the United States. Also, the NSA allegedly has the capability to remotely install a spy app (known as Dropoutjeep) on all iPhones. The spy app can then activate the iPhone's camera and microphone to gather real-time intelligence about the owner's conversations. Independent security analyst and hacker Jacob Appelbaum reported this capability of the NSA. The NSA gets a recording of every activity you do online: telephone and VoIP conversations, browsing history, messages, email, online purchases, etc. In essence, this big data collection is the biggest breach of personal privacy in human history. While the government assures that the entire process is for national security, there are definitely concerns from the general public.

Privacy Concerns

While on one side companies are using your data to grow their profit, governments are using this big data to further surveillance. In a nutshell, this could all mean one thing: no privacy for the average individual. As far back as 2001, industry analyst Doug Laney characterized big data with three V's: volume, velocity, and variety. Volume for the vastness of the data that comes from the peoples of the world (which we saw earlier); velocity for the breathtaking speed at which the data arrives; and variety for the sizeable metadata used to categorize the raw data.

What real danger is there in sharing your data with the world? For one thing, if you are strongly concerned about your own privacy, you shouldn't be doing anything online or over your phone. While sharing your data can help companies like Google, Facebook, and Microsoft show you relevant ads (while increasing their advertising revenues), there is virtually no downside for you. The sizeable data generated by your activities goes into a processing phase wherein it is amalgamated with the big data generated by other users like you. It's hence in many ways similar to disappearing in a crowd, something people like us do in the real world on a daily basis.

However, online there is always a trace that goes back to you, through your country's internet gateway, your specific ISP, and your computer's specific IP address (attached to a timestamp if you have a dynamic IP). So, it's entirely possible to create a log of all the activities you do online. Facebook and Google already have such a log, a thing you call your "timeline." Now, the timeline is a simple representation of your activities online, attached to a social media profile, but combined with a trace of your computer's web access, the data generated is pretty much your life's log. Then it becomes sort of scary.

You are traced not only while you are in front of your computer but also when you move around with your smartphone. The phone can virtually be tapped to get every bit of your conversations, and its hardware components (camera, GPS, and microphone) can be used to trace your every movement.

When it comes to online security, the choice is between your privacy and better services. If you divulge your information, companies will be able to provide you with useful ads for products that you may really like (and play God in your life!). On the other hand, there is always an inner fear that you are being watched, your every movement. To avoid it, you may have to do the things you want to keep secret offline, not near any connected digital device, in essence any device that has a power source attached. In an article that I happened to read some time back, it was mentioned that the only way to bypass security surveillance is removing the battery from your smartphone.

The question remains: how can you trust any technology? I mean, there are a huge number of surveillance technologies and projects that people don't know about even now. With PRISM, we came to know about the NSA's tactics, although most of them are an open secret. Which other countries engage in such tactics is still unknown.

Aziro Marketing


How do I Ensure a Robust IoT Security?

Previously, we touched upon what the internet of things is and how it revamps the whole world. Its key advantages may change everything as you know it today. The major aspect of IoT is the billions of new devices or "things" that will become part of our worldwide wireless network, and the relentless stream of data that these devices bring to the storage infrastructure that exists today. Along with this transformation, a critical question arises: "How can you ensure security in this IoT world?"

Security risks come in all forms. For instance, in 2011, the independent security blog Krebs on Security spoke about a new type of data hijacking coming to prevalence, known as juice-jacking. This attack targets your smartphone's data if you hook your device into one of those public charging stations in airports and metro stations. You have probably seen plenty of examples of software-run cars being hijacked by hackers and viruses and used to put the owners in danger. We have seen similar terror in Hollywood techno-thrillers, such as The Net, Eagle Eye, Antitrust, Firewall, etc.

Weak IoT security can make the world seem like it's under alien attack. This is because IoT connects everything, from your microwave and coffee machine to your garage door, to a network, and allows you to operate these devices remotely. You don't want someone else remotely operating your lights, thermostat, or your car, do you? That would surely be pretty weird. However strong a security system is, it has been proven time and again that it can be broken if a persistent hacker is able to find its Achilles' heel. As security systems became more and more advanced, so did the hacking techniques. This is why Edward Snowden used a relatively unknown high-security operating system called Tails, and terrorists like Bin Laden still trusted offline messaging to communicate. With botnets consisting of millions of computers and cloud systems with practically unlimited processing power, it is easy to hack into any network, even government ones.

In the case of IoT, many statistics exist. Several prognosticators in the IT domain have estimated the number of IoT-connected devices to be in the range of 20-50 billion. Hacking figures are not very promising, either. It seems that in 2014, almost half of the computer-using population of the United States had been hacked in one way or another. If the number of devices keeps increasing, hacking attempts will also rise relentlessly. Remote network management of a huge number of devices is already a challenging area. With the advent of IoT, several industries will have to be network-connected, from retail and manufacturing to healthcare.

Security Preparation

As a new wave of network-aware, smart devices comes into the world, it is high time for security organizations to revamp their security systems. As we are already struggling with the high volume of devices connected to far-reaching networks, a lot of research and development is necessary to secure IoT in a big way. In view of this, here is a five-step security procedure from Aziro (formerly MSys Technologies), a leading IoT solutions and services provider, that a consumer should follow.

1. Learn about the device sensors you have. For instance, if you have an advanced smartphone, it has a camera, GPS, accelerometer, compass, barometer, temperature sensor, and many other such advanced features. You should be aware of these features at the time of getting your device. This will give you an idea of what should be allowed to an application and what should not. Both iOS and Android let you decide which features of your device can be accessed by an app.
2. Learn about the data access and communication capabilities of your devices. How are they communicating, and what speed is achievable by the device at any point in time? This will let you identify whether the device is operating normally or transmitting an unnecessary amount of data.
3. Take advantage of all security features available in your devices. Every smartphone comes with built-in security features, such as the thumbprint access on the iPhone. Learn about and make use of all these security features to be extra safe.
4. Take advantage of all network security features given by your network. Most of the routers available today offer advanced security features such as WPA2 encryption and MAC address filtering. Take advantage of these features to be sure that your connection is always secure.
5. A major part of security, and one that can actually weaken your entire security if you are not careful enough, is the password. A strong password is like an impossible barrier for hackers. A weak password, such as "password1", can open your doorway to hackers at any time. Make your passwords long and riddled with special characters.

Conclusion

IoT, while it makes the world a better place, comes with a lot of concerns. Securing IoT devices will become a huge industry in itself tomorrow. Only proper consumer awareness can help fight hackers in such a massively interconnected world. There are numerous IoT development services and IoT service providers that can help navigate the security risks.

Aziro Marketing

