Posts under Application Security
Over the next week or so, I’ll be sharing some insights and observations from last week’s Gartner security summit conference. We’ll explore key conference themes around how DevOps and Security can work better together, the role of ML and automation, and the major challenges still confronting security practitioners. The infinite loop pictured here was a theme throughout many presentations. All visual models like this quickly become a little too complicated, but this vision of continuous security and a constant feedback loop between the build/deploy phase and the runtime phase really hits a chord with us here at StackRox.
This is a guest blog by Rob Fry, an accomplished architect, inventor and public speaker with 20 years’ experience primarily in large-scale Internet companies and the utility industry. At Netflix he invented FIDO, a patented open source security orchestration platform, and while at Yahoo created the DUBS configuration and automation framework for production servers. Over the past two decades, we’ve seen adoption of new technologies reshaping the landscape of how we operate and secure our businesses.
“Keep Cloud Native Weird.” That was the motto of KubeCon + CloudNativeCon 2017, which I had the opportunity to attend last week in Austin. With the conference attracting more than 4,100 participants, hundreds of technical sessions, new project announcements, and key updates on existing initiatives, it is clear that the cloud native computing revolution continues to accelerate. Here are some of the highlights I found most interesting. KubeCon welcome mural
Last week marked another milestone for the public cloud. I had the opportunity to attend Amazon Web Services (AWS) re:Invent, along with more than 43,000 other attendees who descended on Las Vegas to hear how organizations are using the cloud, learn from more than 1,300 technical sessions, and catch a highly anticipated lineup of product announcements from AWS (an exhaustive list can be found here). AWS re:Invent registration area AWS re:Invent record attendance
Machine learning (ML) can be a powerful tool for augmenting the detection efficacy of a cybersecurity solution. Using it effectively means first cutting through the hype and understanding the tangible steps needed to build models with it. The vast majority of enterprise security solutions – from antivirus applications to firewalls to intrusion detection and prevention systems – use (or at least claim to use) ML to detect threats that traditional approaches can’t, in many cases because such threats unfold faster or on a much larger scale than a traditional security solution can process.
The Red Hat OpenShift platform is enabling enterprise organizations to use container technologies such as Docker and Kubernetes to build, deploy, and run applications with unprecedented agility, scale, and speed. In this blog post, I’ll walk through how we’ve integrated StackRox with OpenShift to help our joint customers ensure comprehensive security across their container lifecycle. You can also visit the OpenShift Commons to view a recording of my briefing on this topic from last week, which goes into more details, and provides a live demo of StackRox running with OpenShift.
DockerCon EU 2017 Recap: Security, Kubernetes, and MTA Hej from Copenhagen! I’ve had the privilege of spending the last few days here at an incredible DockerCon EU. With thousands of attendees from hundreds of companies converging on the City of Spires, it’s clear that the Docker community is thriving across the world. Here are some of the highlights we saw this week. Docker Continues to Grow by Leaps & Bounds At his morning keynote, Steve Singh, CEO of Docker, highlighted the state of the Docker ecosystem, with 21 million hosts running Docker and more than 24 billion (!
In this new blog post by Crate.io, read about how they are using StackRox to secure CrateDB Clusters on Docker. StackRox complements the authentication, access controls, and encryption added in Crate 2.0 Enterprise Edition with comprehensive threat coverage for well-known attack vectors on containerized database applications. The post discusses why security is important for a database like CrateDB, and how to use StackRox to protect your data – walking you through the deployment process.
On Tuesday, I had the honor of speaking about “Bringing the fight back to your security team,” at Structure Security 2017. My panel was comprised of former U.S. Government cybersecurity leaders who are now in the private sector, helping defend enterprises against attacks. Acknowledging that we’re flooded with breaches – with a record-breaking 4 billion personal records stolen by hackers in 2016 – we discussed strategies to turn the tide.
At StackRox, we’re thrilled to have the support of Ron Gula, an industry luminary and invaluable mentor to me for the past decade. Ron is a longtime leader in the security community, having started his career at the National Security Agency (NSA) conducting penetration tests of government networks and performing advanced vulnerability research. Ron is also an experienced entrepreneur, CTO, and CEO, as the original author of the Dragon Intrusion Detection System, CTO of Network Security Wizards (acquired by Enterasys Networks), and cofounder of Tenable Network Security, where he served as CEO from 2002-2016.
The last few decades have seen tremendous progress in machine learning (ML) algorithms and techniques. This progress, combined with various open-source efforts to curate implementations of a large number of ML algorithms has lead to the true democratization of ML. It has become possible for practitioners with and without a background in statistical inference or optimization – the theoretical underpinnings of ML — to apply ML to problems in their domain.
Forensics in the age of containers You’ve seen it countless times in television’s most popular dramas: professional investigators descend on the scene of a crime to meticulously record and analyze every detail and clue before anyone else can disrupt the scene. If the crime appears to be related to other ongoing cases, clues are tacked to the peg board back at headquarters. Only once all the pieces have been assembled do patterns emerge.
Why everyone from investors to the C-suite should consider container security Over the past few years, virtually all of the most innovative enterprise firms — from multinational banks like Goldman Sachs, to cutting-edge technology companies like Google — have set out to modernize the way they deliver software applications through containers and microservices architectures. By breaking down large applications into smaller, composable pieces, software developers and those in charge of managing applications have discovered that containers — and the microservices approach they enable — allow for software development that is far more agile, resilient, and efficient than traditional monolithic approaches.
Introduction Container technology has radically changed the way that applications are being developed and deployed. Notably, containers dramatically ease dependency management, so shipping new features or code is faster than ever before. While Docker containers and Kubernetes are great for DevOps, they also present new security challenges that both security practitioners and developers must understand and address with diligence. Docker’s team of security experts has built some valuable security features into the Docker platform over the last several years.
Shortly following our launch, I was a guest on Paul Asadoorian’s Startup Security Weekly show. In this episode, hear about how Sameer and I conceived the idea for the company, how we talked to investors about our ideas, and why our platform uniquely addresses the challenges of enterprises who are embracing containerization and microservices. We also discuss how enterprises are using StackRox to build security into the fabric of their infrastructures as they operationalize their use of containers and microservices.
On our launch day, Ali and I were guests on Derrick Harris’ ARCHITECHT Show. Check out this podcast to hear about the origin of StackRox, why CISOs personally invested in our company, what we think about microservices, and how we work with Docker. Episode 29: StackRox founders on making microservices secure ARCHITECHT Show, StackRox co-founders Sameer Bhalotra and Ali Golshan break down the state of container security and the new technology they have built to solve it.