A Jump To The Left Not A Step To The Right

Meanwhile in Security

May 20 2021 • 8 mins

Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.



Show Notes:


Links:



Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.

Jesse: All the rage is DevOps, for good reasons: it works. You can’t do good cloud work without a flexible and functional DevOps operation. Similarly, you can’t do good security in the cloud without DevSecOps. However, [laugh] security people love their cryptic and geeky terms, so you hear, “You should shift left.” This is derived from the left shift bitwise operators that do binary math that moves values to the left. I told you it’s geeky.

This moving left translates to moving security integration into a project farther left in the development process when you start on the left and move to production on the right. Ultimately, this means you bring security into the very beginning of your conceptual designs, and write your first lines of code with security processes and methods in mind from the very start. Use more security tools, authentication and authorization hooks, and more granular encryption methods in your underlying services structures through your more complex processing. More work on literally coding security in at the start could save you several orders of magnitude of direct and indirect costs in the future. Don’t get owned, don’t get ransomed.

Meanwhile, in the news, Report finds old misconfiguration woes continue to hammer corporate clouds. If you haven’t heard me and countless others rant about going back to basics of cloud security, you haven’t been listening. This article should scare you into finally checking your basic permissions on things like storage and services so you don’t get pwned by being stupid.

Pentagon Weighs Ending JEDI Cloud Project Amid Amazon Court Fight. When a nearly $2 trillion company drags anyone into court, things will change. The largest move to cloud services by the US Department of Defense might not happen because Amazon got pissed and sent lawyers. Watch how this unfolds to learn both how Amazon the company operates and how the market moves toward or away from cloud in general and either Azure or AWS specifically as a result of this legal challenge.

Netflix Exec Explains Where Infosec Pros are Going Wrong. Most of us who work in cybersecurity will read this piece and have one of two strong reactions. People like me and everyone who isn’t a security professional will nod and smile and agree that times are changing and security needs to get with the times. Everyone else in security will scowl, and pout, and
get mad.

Firms Struggle to Secure Multicloud Misconfigurations. We all struggle to secure all the things, but this report shows that most of us struggle to secure any of the things. Back to basics; I keep hammering on this because things like shutting down or securing ports and services and locking up cloud storage objects get you the biggest improvement in security posture out of almost anything else you do.

<...

You Might Like

Darknet Diaries
Darknet Diaries
Jack Rhysider
Acquired
Acquired
Ben Gilbert and David Rosenthal
Hard Fork
Hard Fork
The New York Times
Marketplace Tech
Marketplace Tech
Marketplace
WSJ’s The Future of Everything
WSJ’s The Future of Everything
The Wall Street Journal
Rich On Tech
Rich On Tech
iHeartPodcasts
TechStuff
TechStuff
iHeartPodcasts
The Vergecast
The Vergecast
The Verge
Waveform: The MKBHD Podcast
Waveform: The MKBHD Podcast
Vox Media Podcast Network