In this article, I will walk through setting up a modern appsec program from scratch. The goal is to help security professionals building a new application security program, but there should be plenty of ideas that can be adapted into existing programs as well.I'll start by looking at the…
I'm a huge privacy advocate, and I use a number of plugins to help protect my privacy from trackers around the web.Some of these plugins come from well known organizations, such as the EFF (their excellent privacy badger plugin). Others are open source and supported by excellent people, such…
A lot of security advice I read tends to fall into two camps: tailored to enterprises with full time security and infrastructure teams, or rapid fire tool installation without context for solo web developers.In this article, we will tread a middle path, and look at some ways to manage…
In the final section of my series on creating a comprehensive security program around Docker, I'll be looking at some ideas and best practices around patching running containers.In the previous articles, I talked about running static analysis on containers and rolling out intrusion prevention and detection. Containers are immutable,…
Continuing the series on creating a comprehensive security program around Docker, today we will look at intrusion detection and prevention with containers.Containers are created to be immutable and ephemeral, so why is this necessary? Just recently, Kubernetes disclosed a vulnerability that would allow remote, unauthenticated attackers to execute arbitrary…
The simplest way to get started with a docker security program is to start with static analysis: Analyzing docker files for insecure software and making sure we have a level of trust in the base images our organization uses.This is part of the series on how to build a…
In the past couple of years, I have worked with teams trying to figure out how to adapt security tools to their Docker deployments, with varying degrees of success. Over the next several articles, I will build up a series of security tools and practices that can help secure your…
I don't think it's quite as hard as most people make it out to be. I keep hearing from colleagues and articles that there is great difficulty in hiring a technical security people to work on application security, network security, or devsecops. If you want to staff and run an…
When I was first asked to build a Secure DevOps program, I was excited about the possibilities for continuous security, and truly making an impact on our applications from the first line of code written.Over the following months, the difficult reality set in for me: Though there is no…
I often come across security tools that look pretty great for DevOps integration, but I may not have a specific need for at the moment. I keep them here so I always have a list I can refer to when something comes up.…