Monday, November 23, 2020

Assessing/Threat Modeling No/Low Code Applications

I'll always remember looking at a 4GL (fourth-generation language) telecom app in late 2012 at an insurance company.  It was used to route, via prompts, the caller to the right service desk.

So, I embarked on an informal security assessment/threat model by handwriting on my notepad "sources | sinks" then enumerating the perceived/observed instances of each.  After that we walked through the business logic, error/exception handling & misuse cases.  It was not the most thorough affair, but it was a value-add to the Cyber folks.

As the industry embraces more no/low code solutions (Power Apps, Honeycode, AppSheet) it behooves Cyber professionals to use a methodology to assess these solutions.  Here's a take on such a methodology that I'll pronounce DASL:

D for Data: classification/sensitivity/compliance requirements/retention

A for Application: underlying platform (Cloud Service Provider: CSP) & security/risk/SRE/DR posture

S for Sources/Sinks: ecosystem/supply chain

L for Logic: ruleset, QA testing, misuse cases

Wednesday, November 11, 2020

Discipline = Focus on Minimum Viable Product (MVP)

While orgs want to deploy a finished product immediately, that isn't practical.  From a Cyber, as well as Ops perspective, it's better to incrementally develop & deploy a solution.

Edison didn't succeed overnight; so, why should enterprises....

Separation of Duties for DevOps

Continuous integration / delivery / deployment / verification (CI/CD/CV) all need to be segmented in an org's processes.

While this may be more difficult for on-premises deployments (Jenkins / Bamboo), most cloud PaaS offerings make this easier, especially AWS with their Code* portfolio (CodePipeline / CodeBuild / CodeDeploy).


Thursday, November 5, 2020

Cloud-Native Threat Modeling & Alignment with Design Patterns

https://techbeacon.com/enterprise-it/7-container-design-patterns-you-need-know

When performing a threat model for cloud-native environments I advocate for a comparison to the design patterns articulated above, especially how security-centric services are deployed.  To execute on segregation of duties one must abide by said best practices.

Wednesday, November 4, 2020

Add D(ata) to 4C's of Cloud Native Security for Completeness

https://kubernetes.io/docs/concepts/security/overview/

The 4C's described above do not explicitly include securing the data.  Orgs need to secure their data (crypto, masking) before it goes to the cloud, onsite, or otherwise...

Tuesday, October 27, 2020

Cyber Snake Oil

While some Cyber solutions certainly deliver as promised, there is a multitude of solutions that seem to be wanting.

Namely, cloud security posture management (CSPM) and secure access service edge (SASE) solutions.

Akin to first-generation web application firewalls (WAFs), CSPM and SASE solutions seem to promise a lot while delivering questionable value.  Like WAFs, I believe organizations will see these as a tool in the Cyber toolbox that can COMPLEMENT solid hygiene versus SUPPLEMENT said governance.

Thursday, October 15, 2020

Control Frameworks - Use a Hybrid

Many orgs use a control framework (NIST 800-53, HITRUST CSF, COBIT, SIG, ISF SoGP, ISO 27002, CSA CCM) that doesn't completely express that org's security/privacy/risk mgmt posture.

It behooves those orgs to use a hybrid mapped back to those frameworks.