Monday, February 8, 2021

Third-party Governance for DevSecOps

For orgs that rely heavily upon outsourced development/technical resources (IT Outsourcing: ITO), it's important to ensure that contracts include covenants for the vendor to provide cyber (security) education, training & awareness (SETA).

Furthermore, a right to audit clause should be included as well that allows for the client to review SETA content, as well as attendance & scoring.    

Monday, January 11, 2021

Why are big data tools so darn expensive...?

 As we build out our web endpoint security scorecard (WESSy) I am in awe of the price points I see for data tools.

I get that these are enterprise-level tools; however, for smaller shops (like mine) that need this functionality it comes off as cost prohibitive.  

Wednesday, December 30, 2020

Crypto(graphy) will Change - Drastically, I dont know...

With the SolarWinds Cyber event, Quantum Computing, & advances in Artificial Intelligence (AI) all in mind, cryptography will evolve in the 2020's.  To what degree, I don't know.

Geopolitical events & circumstances, IMHO, will be a key factor.

As events unfold, the international community will have to determine, with the private sector contributing, where we go from here.

Wednesday, December 23, 2020

You need a Cyber strategy

 https://devops.com/the-best-iam-practices-for-devops/

Most orgs fail to have an internal IAM policy, a partner IAM strategy (B2B), as well as a customer (B2C) strategy.  Due to that, the orgs is all over the place.

Furthermore, the article discusses unstructured data (cloud storage) that is often an issue for orgs as the lack of a strategy leads to a lack of data governance (classification, access controls, etc).  

SolarWinds breach will drive enhanced transparency & tracking mechanisms

https://threatpost.com/cloud-king-software-security-trends-2021/162442/

This article touches upon the need to have better tracking mechanisms between product teams, divisions, lines of business, & supply chains.  Couple this need with the Cybersecurity Maturity Model Certification (CMMC), & a dip in the US economy, & executives will want better tracking mechanisms to identify return on investment (ROI).

We're working on an AppSec/DevSecOps answer to this equation. 

https://www.csoonline.com/article/3535797/the-cybersecurity-maturity-model-certification-explained-what-defense-contractors-need-to-know.html

Tuesday, November 24, 2020

Securing Event-Driven Architecture (EDA)

 While reading this enumeration of EDA software patterns I had to think of the need for available Cyber reference architectures (RAs) and minimum security baselines (MSBs) to complement misuse test cases, especially for logic.

With cloud-native and FaaS gaining ground, as well as no/low code, Cyber will need to collaborate even closer with QA to determine any confidentiality, integrity &/or availability (CIA) issues. 

Monday, November 23, 2020

Assessing/Threat Modeling No/Low Code Applications

I'll always remember looking at a 4GL (fourth generation language) telecom app in late 2012 at an insurance company.  It was used to route, via prompts, the caller to the right service desk.

So, I embarked on an informal security assessment/threat model by handwriting on my notepad "sources | sinks" then enumerating my perceived/observed of each.  After that we walked through the business logic, error/exception handling & misuse cases.  It was not the most thorough affair, but it was a value-add to the Cyber folks.

As the industry embraces more no/low code solutions (Power Apps, Honeycode, AppSheet) it behooves Cyber professionals to use a methodology to assess these solutions.  Here's a take on such a methodology that I'll pronounce DASL:

D for Data: classification/sensitivity/compliance requirements/retention

A for Application: underlying platform (Cloud Service Provider: CSP) & security/risk/SRE/DR posture

S for Sources/Sinks: ecosystem/supply chain

L for Logic: ruleset, QA testing, misuse cases