In case you haven’t heard, Microsoft loves Linux. Recent news around Redmond’s new modular Linux-based operating system for datacenter networking has been making the rounds, but for those in the know—the announcement is hardly a surprise. With the open source operating system’s happy feet casting huge footprints in the enterprise cloud—coupled with the rise of SDN—it’s clear that embracing Linux is a key strategic imperative for Microsoft. But its recently publicized love affair with Linux is hardly a new one.
Users of the highly popular Windows-based compression/decompression utility WinRAR be warned: a newly-discovered vulnerability could allow remote attackers to compromise Windows systems by exploiting a remote code execution (RCE) flaw. Despite this, RARLab has not issued a patch yet and doesn't plan on doing so. Is this a case of vendor negligence or an overhyped security alert?
Ruby-on-Rails—it’s modular, expressive, and broadly supported by legions of loyal developers. From Twitter to GroupOn, many of the world’s most trafficked websites have relied on Rails to deliver scalable and highly available web services. But as GitHub discovered a few years back, the language/framework is not without its security flaws—65 to date, per the CVE database. Here are the top 15 and how to remediate and/or prevent them from being exploited.
Java—love it or hate it, it isn’t going anywhere. Despite being hailed as “the biggest vulnerability for US computers” by CSO magazine, it’s currently back in pole position as the most popular developer language on the market. Of course, this has mostly to do with the rise of Android, as traditional Java web apps have been steadily losing market share to newer languages and stacks over the years. However, Java is still popular with developers and cyber attackers alike: it’s well understood, extensively documented, and unfortunately highly exploitable.
Microsoft Internet Information Server (IIS) is widely used in the enterprise, despite a less-than-stellar reputation for security. In fact, for many “IIS security” is a contradiction in terms—though in all fairness, Microsoft's web server solution has improved significantly over the years. IIS 8.5 for Server 2012 R2 and IIS 10 for 2016 have been hardened and no longer present the dangerous default configurations of older IIS iterations, but can still be further tightened. By following these 10 steps, you can greatly increase security for your IIS web apps and servers.
Docker may not be the solution to ending world hunger, but the recent myriad of strange and remarkable use cases for it might have you thinking otherwise. From managing Raspberry Pi clusters to facilitating genome sequencing and cancer research, these top 11 weird and wonderful uses for Docker illustrate the technology's amazing versatility across a variety of innovative and irreverent applications.
According to Netcraft’s 2015 web server statistics, 47.7% of all websites are using Apache—making it the most popular web server in the world. Ubiquity has its price, however: the open source project is under the constant scrutiny of both malicious actors and security professionals alike.
The Open Web Application Security Project (OWASP) is a well-established organization dedicated to improving web application security through the creation of tools, documentation, and information—the latter of which includes a yearly top 10 of web application vulnerabilities. The following is a compilation of the most recent critical vulnerabilities to surface on its lists, as well as information on how to remediate each of them.
A typical organization’s environment consists of a myriad of applications and services, each with its own unique set of ongoing vulnerabilities and flaws that could ultimately lead to a data breach. This can make IT security and operations’ job difficult, as different departments and groups within a company may utilize specific software offerings to accomplish their job functions. Fortunately, a consolidated database of vendor-specific software vulnerabilities exists—the Common Vulnerabilities and Exposures (CVE) repository: a public information security resource developed and maintained by Mitre Corporation.
Java consistently gets a bad rap when it comes to security—but considering half of enterprise applications in the last 15 years were written with the language, its pervasiveness (and commonly-known attack vectors) may be more to blame than Java’s inherent security weaknesses alone. That said, new approaches are being developed (e.g., Rask, Waratek) to improve Java web application security at the Java Virtual Machine (JVM) level, but for most organizations—instituting traditional security defenses for Java applications can help protect against the majority of Java-related exploits.
This is a clash of virtualization titans: one virtual machine, the other a containerization technology. In reality, both are complementary technologies—as hardware virtualization and containerization each have their distinct qualities and can be used in tandem for combinatorial benefits. Let’s take a look at each to find out how they stack up against each other, as well as how the two can be used in tandem for achieving maximum agility.
Genuine Windows 7 or Windows 8/8.1 owners are in for a pre-holiday treat from Microsoft: a free upgrade to Windows 10, no strings attached. Security-conscious users will appreciate some new features that enable better security—namely Windows Device Guard, Hello, and Passport. Despite these nifty additions for bolstering one’s desktop security posture, Windows 10 certainly hasn’t been without its own critical security flaws.
Windows 10 made its debut back in July and has since garnered some generally positive reviews, though the release hasn’t been without its share of vulnerabilities. For IT and operations, this means (begrudgingly) supporting/hardening another variant of the Windows OS on an ongoing basis. Even in homogeneous Windows-only environments, managing vulnerabilities and patches across different OS versions can be a daunting affair. The following can serve as a practical starting point for protecting today’s Windows-based infrastructures against cyber attacks.
When we speak of the DevOps and continuous delivery/integration (CI/CD) toolchain, we’re referring to a superset of tools—many with overlapping capabilities—for helping organizations achieve faster and safer deployment velocity. This encompasses a broad range of solutions: provisioning tools, orchestration tools, testing frameworks, configuration management (CM) and automation platforms, and more. Comparisons between CM products usually steal the show (e.g., Puppet vs. Chef), but in this case we’ll compare two orchestration and management tools for provisioning infrastructures: Terraform and CloudFormation.
Popular high-level Python framework Django is widely lauded for its ease-of-use and pragmatic design, but like all software it is susceptible to its own share of critical vulnerabilities. Built completely with Python, the MVC framework has a sizable community and can be extended with app plugins for additional functionality. Ubiquity has its price, however—in this case, Django's open source popularity means that default attack vectors are also widely known.
So you’ve done your research and settled on Puppet as your configuration management (CM) and automation tool of choice. But it comes in 2 flavors: a commercial enterprise product and a free open-source version. Can free beat fee in this case? Let’s dig into the details to help inform your decision.
Part One of Getting Started with Docker introduced some features of the Docker solution that make it unique from VMs and other comparable technologies. In this follow-up article, we’ll take a look at how UpGuard works with Docker containers—both in how we deliver our product to customers, as well as in its built-in integration capabilities for simplifying tasks like creating Dockerfiles, among others.
Heavy hitters FireEye and Tripwire are unique contenders in the security offering lineup– both were the first to develop novel approaches to IT security that have since been emulated industry-wide: FireEye was an early innovator of virtualization and sandboxing technologies as applied to security, while Tripwire was the first to bring a commercial host-based intrusion detection system to market. We’ll take a closer look at the two and compare/contrast each respective solution’s strengths and weaknesses.
Many enterprise software hopefuls tackle the final stretch to becoming a mature offering through the development of an easy-to-use management GUI. This is especially true of DevOps and automation tools, as quite a few solutions have recently rounded out their platforms with web-based UI consoles for easier, visual management of resources and services.
Despite seeming like somewhat of a no-brainer, using the power of the cloud to combat cloud-based security threats has really only come into vogue recently. As organizations continue to move their infrastructures out of physical data centers into the cloud, traditional methods for securing IT resources are becoming increasingly ineffective. Using cloud-based collective intelligence and virtualization to inform threat detection methods is fast becoming a standard practice, and for many security products—a central ingredient to an effective multi-pronged approach to combating cyber attacks.
Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been. And the cybersecurity industry, for what it's worth, has generally avoided this concept because it goes against the narrative that their respective offerings—whether it's a firewall, IDS, monitoring tool, or otherwise—would be the one-size-fits-all silver bullet that can keep businesses safe. But reality tells a different story.