Sign in Subscribe

DevSecOps

Security should be simple and accessible to all teams. Automation can take us a long way there.

Secrets Management for Developers

One thing that comes up frequently in security is how to deal with application secrets. There are many methods for managing secrets, from hard coding into source code to using a credential manager to environment variables. In this post, I'll go through some Do's and Don&

Centralized Security Logging in AWS

When securing an AWS environment, one of the first tasks is configuring CloudTrail [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html] and ensuring that logs from various accounts within an organization are shipped to a centralized AWS security account. Frequently, however, there are other log sources that I

A Better Way to SSH in AWS (With RDS tunneling and security automation)

When I first started using AWS environments, the Bastion architecture was prevalent as the way to setup SSH connections. A dedicated "bastion" server is provisioned with SSH ports exposed to an internal network, or in some cases the internet, so that other servers do not have to expose

Advanced AWS Security Architecture

Most articles on AWS security rightfully spend a lot of time talking about the basics, such as setting up minimized IAM roles, encrypting data, and basic monitoring. It is more difficult to find guidance and specific implementation recommendations on advanced, automated security configurations. In this series of articles, I will

Deploying Docker Securely

Docker is a fantastic piece of technology for teams. Some time ago, I published a series of articles on building a docker security program [https://nullsweep.com/building-a-docker-security-program/], which covers doing a threat assessment, image static and runtime analysis, and overall container patching and maintenance. I was asked recently about

HTTP Security Headers - A Complete Guide

Companies selling "security scorecards" are on the rise, and have started to become a factor in enterprise sales. I have heard from customers who were concerned about purchasing from suppliers who had been given poor ratings, and in at least one case changed a purchasing decision based initially

Dynamic Security Scanning in a CI: ZAP Scanning with Jenkins.

Today, I will walk through configuring a daily DAST scan against an application, using Jenkins and ZAP. The process can be used similarly with any DAST scanner, depending on how the specific scanner is setup. This is the second part of a series. In part one [https://nullsweep.com/creating-a-secure-pipeline-jenkins-with-sonarqube-and-dependencycheck/

Creating a Secure Pipeline: Jenkins with SonarQube and DependencyCheck

In my last post, I talked about integrating security tools with an agile process [https://nullsweep.com/integrating-security-with-agile-development/], and mentioned some ways to automate security checks during development. In this article, I'll walk through a basic Jenkins setup for CI/CD, and integrate SonarQube and DependencyCheck for security

Integrating Security With Agile Development

> "We're practicing agile, so that means we don't do any architecture or security planning" - A Project Manager I spoke with Agile is sometimes used as an excuse to bypass controls in large organizations. Fortunately, agile methodologies and security methodologies work really well

Building a World Class Application Security Program

In this article, I will walk through setting up a modern appsec program from scratch. The goal is to help security professionals building a new application security program, but there should be plenty of ideas that can be adapted into existing programs as well. I'll start by looking