Good Application Security Posture Requires Good Data

The term "security posture" is used to describe the state of an organization's overall security and response readiness. Multiple solutions are emerging that aggregate findings to provide a holistic view of enterprise security risks.

Security posture can also be seen as a way to prioritize security efforts, helping you answer the question, "What should we work on next?" based on balancing risks by analyzing in-context data and weighing the remediation efforts required.

Honeytokens for Peace of Mind: Using Cyber Deception To Buy Time to Remediate at Scale

No matter what part of the organization you work in, there is one thing everyone wants: a good night's sleep. Everybody, from operations to security to development, wants peace of mind that all the doors are locked, all the networks are protected, and the organization and customers are safe. We also rest easier when we know that if anything does go wrong, there is a process in place that will alert you only in the correct circumstances and make remediation straightforward.

If you have been tackling the realities of secrets sprawl, getting a handle on all the hardcoded credentials in your organization, then we understand the stress and the restless nights that can bring. Even a small team can add hundreds of secrets a year, so when it is time to prioritize and start working to resolve the known incidents, it can seem overwhelming.
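Honeytokens only "buy time" if their use is actually detected, so the check a practitioner wants is the alerting side: a planted credential is never used legitimately, so any appearance of it in an audit log is a true positive. The following is an added example, not GitGuardian's code or the original post's; it scans constructed CloudTrail-style JSON events (the key IDs, IPs and planting locations are made up for the example) and raises an alert for every call made with a registered honeytoken, grouped by the source address so you know which planted secret an intruder found and where they are coming from.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed honeytoken registry. Values are fake AWS-style access key IDs
# invented for this example and map to where each token was planted.
HONEYTOKENS = {
    "AKIAHONEYTOKEN000001": "legacy-billing repo, .env file",
    "AKIAHONEYTOKEN000002": "ops wiki, 'DB runbook' page",
}


@dataclass(frozen=True)
class Alert:
    event_time: str
    access_key_id: str
    planted_at: str
    source_ip: str
    event_name: str


def _event(key_id, ip, name, time):
    """Build one CloudTrail-like JSON line (constructed sample data)."""
    return json.dumps({
        "eventTime": time,
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
    })


# Constructed sample log: one legitimate call, three honeytoken calls,
# one service event with no access key, and one malformed line.
SAMPLE_LOG = [
    _event("AKIALEGITPRODKEY0001", "10.0.4.12", "GetObject", "2023-11-02T08:00:01Z"),
    _event("AKIAHONEYTOKEN000001", "198.51.100.7", "GetCallerIdentity", "2023-11-02T08:13:44Z"),
    _event("AKIAHONEYTOKEN000001", "198.51.100.7", "ListBuckets", "2023-11-02T08:13:51Z"),
    json.dumps({"eventTime": "2023-11-02T08:20:00Z", "eventName": "AssumeRole",
                "sourceIPAddress": "lambda.amazonaws.com",
                "userIdentity": {"type": "AWSService"}}),
    "this line is not valid json {",
    _event("AKIAHONEYTOKEN000002", "203.0.113.9", "DescribeInstances", "2023-11-02T09:02:10Z"),
]


def parse_event(line):
    """Return the decoded event if it carries an access key ID, else None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict):
        return None
    key = ev.get("userIdentity", {}).get("accessKeyId")
    return ev if key else None


def detect_honeytoken_use(log_lines, registry=HONEYTOKENS):
    """Every call made with a planted key is an alert: honeytokens are
    never used legitimately, so there is no false-positive tuning to do."""
    alerts = []
    for line in log_lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = ev["userIdentity"]["accessKeyId"]
        if key in registry:
            alerts.append(Alert(
                event_time=ev.get("eventTime", "?"),
                access_key_id=key,
                planted_at=registry[key],
                source_ip=ev.get("sourceIPAddress", "?"),
                event_name=ev.get("eventName", "?"),
            ))
    return alerts


def summarize_by_source(alerts):
    """Map each source IP to the sorted list of planting locations it touched,
    which tells you which leaked secret the intruder actually found."""
    by_ip = defaultdict(set)
    for a in alerts:
        by_ip[a.source_ip].add(a.planted_at)
    return {ip: sorted(places) for ip, places in by_ip.items()}


if __name__ == "__main__":
    found = detect_honeytoken_use(SAMPLE_LOG)
    for a in found:
        print(f"{a.event_time} {a.source_ip} used {a.access_key_id} "
              f"({a.planted_at}) for {a.event_name}")
    print(summarize_by_source(found))
```

In a real deployment the registry would be fed from wherever you track planted tokens, and the log lines would come from your CloudTrail or SIEM pipeline; the matching logic stays the same, and the "planted_at" field is what lets you jump straight to the repository or document that leaked.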

TechBash: Automation, Security and Development Best Practices in The Poconos

The Poconos mountain region is most famous for its skiing and snowboarding. Located west of the hustle and bustle of New York City and north of Philadelphia, the Poconos are a quick drive from hectic city life to some very peaceful rolling hills, natural beauty, and tourist attractions. While those are great reasons to visit, for a couple of hundred tech enthusiasts, they were all secondary to gathering in early November to share best practices and discuss how to build and scale applications securely at TechBash 2023.

One thing that sets TechBash apart is the family-friendly focus. Taking place at Poconos Kalahari Resort, home to one of the largest indoor waterparks in the US, attendees are encouraged to bring their families. The event's final day even had a family-friendly session track, which featured a live reptile encounter this year.

What to Do if You Expose a Secret: How to Stay Calm and Respond to an Incident

You probably are here because you leaked a secret somewhere and want to get straight to rotating the secret. If you are a solo developer or you know for sure you are the only user of the secret and understand what rotating the secret might disrupt, start here: Rotate the secret and store the new credential safely.

If you work in a team and are not sure who uses this secret, what it gives access to, or what outages might occur from rotating it, then please read on.

API World 2023: Bringing Together API, AI, and Secrets Security

When most people think of Santa Clara, they immediately think of the San Francisco 49ers, as that is where their stadium sits. They might also think of California's Great America, an amusement park that has been keeping folks entertained since the 1970s. Given how many tech companies have headquarters there, including Advanced Micro Devices, Intel, and Nvidia, many people think of it as an important part of Silicon Valley. For the few thousand who gathered there in late October, it will always be associated with API and AI advancements, thanks to API World 2023.

This year's event was colocated with AI Dev World, bringing together practitioners from two closely related fields. That makes sense, as the largest innovations in the artificial intelligence and large language model (LLM) space over the last few years have involved API integrations with services like OpenAI's ChatGPT and IBM Watson. It seems that developing any AI also means building and maintaining an API.

Cybersecurity and AI Deep in the Heart of Texas Cyber Summit

Austin, Texas, is the 10th largest city in the US and is constantly growing, both in population and in industry. Every year, dozens of major companies either relocate or expand into the Austin area. It is also home to six universities, including The University of Texas at Austin and Texas State. As the state capital of Texas, many government agencies have a presence there as well. Folks from all these sectors came together in the last week of September to learn from one another at Texas Cyber Summit 2023.

Here are just a few of the highlights from this security-focused event.

Secrets Management Takes More Than Just Tools

Every company wants to have a good security posture, and most are investing in security tooling. According to Gartner, worldwide spending on security is forecast to grow 11.3% in 2023 to reach more than $188.3 billion. 

However, despite all this spending, there are areas where problems are only getting worse, such as secrets sprawl. Reports now say that over 50% of cyber attackers gained their initial foothold by exploiting compromised credentials. No organization wants to go through an incident like those at Samsung or Nvidia, or repeat Uber's unfortunate experience.

A Look at the Future of Supply Chain and National Security: Updates From CISA and NIST

The world of cyber threats is continually evolving, and the range of targets is constantly expanding. Fortunately, cybersecurity is rapidly progressing as well. In August 2023, two different U.S. government organizations published new reports about what to expect moving ahead, suggesting regulations and standards: CISA's Strategic Plan for FY24-FY26 and NIST SP 800-204D.

While these publications originate from two different U.S. agencies, both point to the same overarching path to securing our vital infrastructure and enterprise applications into the future. CISA lays out a broad vision with measurable goals we should be striving towards, whereas NIST provides actionable, tactical procedures. When read side by side, these publications suggest the next few years will bring a focus on hardening our defenses, improving our tooling for faster detection and remediation of threats, and transparent measurement with attestation.

Dev Up 2023: Leveling Up Our Dev Skills, Security Posture, and Careers

One theory about the Gateway Arch is that it is a giant staple connecting the Midwest to the Great Plains. Standing on the banks of the Mississippi River, it really does mark where East meets West in the US. The St. Louis region is also home to a vibrant tech community that is working to connect technology and business goals. This community got together to discuss application development, DevOps best practices, and how to stay safe while delivering awesome features and experiences at the St. Charles Convention Center for Dev Up 2023.

Over 75 speakers gave talks on a wide range of subjects across more than ten simultaneous tracks. Topics included language-focused development talks such as "C# Past, Present, and Beyond" from Jim Wooley, DevOps best practices including "ARM, Bicep, knees and toes! Infrastructure as code for beginners" from Samuel Gomez, and even career advice talks like "From Curiosity to Career: Becoming an Ethical Hacker" from Jason Gillam.

Developer Week CloudX 2023: Better Security and Accessibility in the Cloud

DevNetwork is a brand you might already recognize, as they put on the DeveloperWeek expo in the spring and API World in the fall. This year, they introduced a new event focused on cloud technology, including accessibility and security: DeveloperWeek CloudX. With a mission to bring together cloud developers, architects, IT and infrastructure professionals, and executives building the cloud ecosystem, the event took place in person from August 15-16, with a chance to participate online from August 22-23. If you missed it, the online portions will be available on demand in the near future.

This first edition of CloudX featured over 100 speakers across multiple stages. Professionals from around the world gathered to share their experiences and best practices about building in the cloud. Here are just a few highlights from the first-ever CloudX.

DEF CON 31: A Hot Time in the Las Vegas Heat and Some Cool Days in AppSec Village

Describing DEF CON is akin to the ancient tale of a group of blind elders describing an elephant. One felt the trunk and said it was like a snake, one felt a leg and said it was like a tree trunk, and one felt the head and said it was like a wall. Everyone who traveled to Las Vegas in the summer heat to experience DEF CON 31 will have their own experiences and describe the event in a unique way.

What follows is just a small sliver of what the GitGuardian team experienced at this legendary event.

BSidesLV: The Big Event Before the Biggest Security Event in Las Vegas

Las Vegas is famous for many reasons: gambling, bright lights, extravagant entertainment, and Elvis. It is also home to two of the largest security events on Earth: DEF CON and Black Hat. But before those massive events kick off, another slightly smaller event brings security practitioners and developers together: BSides Las Vegas 2023.

BSidesLV, as it is also known, is special in that it is the original and largest BSides event. Started in 2009 as a response to DEF CON becoming a bit too large in some people's opinion, the organizers planned a much more intimate conference earlier in the same week. That gathering has inspired BSides regional events worldwide, spanning 220 cities across 62 countries. If you can't make it to Las Vegas for this particular event, there is likely a BSides in your local area that we encourage you to find and attend.

Nebraska.Code() — Developing in the Great Plains

If there is one thing you might already know about Nebraska, it is that it is Cornhusker country. It is also home to many prominent companies like Union Pacific, Berkshire Hathaway, and Mutual of Omaha. And it is home to an outstanding developer-focused event in the Great Plains, bringing together developers, subject matter experts, and DevOps leads: Nebraska.Code() 2023.

Here are just a few highlights from the event.

php[tek] 2023: A Community of Communities Powering the Internet

Chicago is famous for many reasons, including the Bears, a specific style of hot dogs, and, of course, for giving the world skyscrapers. PHP is also known for legendary architecture, being the underlying language for 77.5% of the web via frameworks like Laravel, Drupal, and WordPress. Community members from all over the world, representing all those frameworks and more, got together for php[tek] 2023.

This was the 15th annual convention of PHP, where users shared knowledge and best practices for leveraging the language that came to define the internet over the last 28 years. There was a real sense of community at the event, summarized very succinctly in the day one keynote, "Let Go of Ownership," from Tim Lytle. He encouraged us to think about our code and the community as not things we own but instead, as things we are entrusted to take care of over time. He said we should think in terms of stewardship, which is a word that sums the subject up nicely.

Techno Security and Digital Forensics Conference East 2023

If you have ever heard of Wilmington, North Carolina, it might be because the World War II battleship USS North Carolina is moored there, or because it is a historically significant shipping town, or because of its role in the American Revolutionary War. But starting in 2023, it is also known as the East Coast home of the Techno Security and Digital Forensics Conference, which was previously held in Myrtle Beach. 2023 also marked the 23rd year of the conference and its community, this year bringing together just over 1,000 total participants.

Many of the sessions were directed at law enforcement officers, leaning into the digital forensics side of the conference, and a lot of the attendees worked with various government agencies. There were also plenty of sessions for the general security community as well. Here are just a few of the highlights from this enlightening cybersecurity event.

cdCon + GitOpsCon: Co-evolving Open Source DevOps Communities in One Conference

On the west coast of Canada, you will find Vancouver, British Columbia, home to the Canucks, breathtaking scenery, and the Granville Walk of Fame. You will also find the Vancouver Convention Center, which hosts some of the best views from any event space in the world. It was in this picturesque setting that the CD Foundation and OpenGitOps communities came together for a co-located event, cdCon + GitOpsCon 2023.

These two communities are distinct but have aligned goals and visions for how DevOps needs to evolve. The CD Foundation acts as a host and incubator for open-source projects like Spinnaker and Jenkins, the newly graduated project Tekton, and the completely new cdEvents. They have a mission of defining continuous delivery best practices. OpenGitOps was started as a Cloud Native Computing Foundation working group with the goal of clearly defining a vendor-neutral, principle-led meaning of GitOps.

BSidesAustin 2023: CyberSecurity In The Texas Tech Capital

Austin, Texas, is a city filled with music, vibrant nightlife, and some legendary BBQ. It is also one of the great tech hubs of the southern United States, home to a wide variety of tech innovators like Indeed, SolarWinds, and Amazon's Whole Foods. It is simultaneously home to one of the largest tech events in the world, SXSW, as well as many smaller tech events, including BSides Austin 2023.

Like other BSides, Austin had informative sessions, a number of training opportunities, and several villages, including capture the flag, lockpicking, and more. Here are just a few of the highlights from this year's excellent event.

Hardcoded Secret at the Heart of the Dell Compellent VMware Vulnerability

In August, Dell disclosed vulnerability CVE-2023-39250, where "A local low-privileged malicious user could potentially exploit this vulnerability to retrieve an encryption key that could aid in further attacks." This affects Dell Storage Integration Tools for VMware (DSITV) customers. Learn how to protect yourself from this vulnerability, along with some tips on preventing similar mishaps in your own codebases.

How Do I Mitigate This as a Dell Compellent Customer?

Before diving into what happened, if you think you might be affected, we encourage you to start the investigation and mitigation process as soon as possible. According to the report released by Dell, all users of DSITV should follow these workaround and mitigation steps: