General | Security Analyst - Jeff Soehner CISSP, GXPN,GPYC,GMOB,GCIH

Docker Registries Expose Hundreds of Orgs to Malware, Data Theft | Threatpost

February 10, 2020 jeff2343 Leave a comment

If you were wondering how an attacker can gain access to your organization when you were so careful to validate your software and your laptops and your employees, what out for how they run your software.

Docker base images have long been the target of the more sophisticated attacker now. Let’s face it, creating and setting up tomcat to run your platform isn’t really something that any development team can do so why not use a prebuilt image? It can be so easy to setup a repository and start with a known good base image but watch out for the wolf in sheep’s clothing.

https://threatpost.com/docker-registries-malware-data-theft/152734/

Categories: General

Certificate Expiry – Doh

February 8, 2020 jeff2343 Leave a comment

Don’t you just hate when that happens – you have a nice, professional website that is generating revenue for your company and someone forgets to renew the TLS certificate!

Packt Publishing sure does today when it seems clear that almost all of its visitors will not be able to connect to their website.

It happens to many of us and it is due to poor certificate management. Microsoft Teams announced that they had surpassed Slack as the number one platform for messaging and collaboration but recently experienced an outage due to an expired certificate. Imagine how that affected their reputation and think of the brand impact that could have resulted in incalculable loss!

Whether you have 1 SSL/TLS Certificate protecting your website or you have setup an extensive server farm both inside and outside your organization, managing certificate renewal can bite you in the A$$.

Think strongly about a certificate management program that can alert you to thinks like certificate expiry for items like websites, Internet of Things and even network devices. With the push to ensure that we adopt https everywhere, you will need to manage certificates for almost every endpoint we use for mail, for file and print services and of course for all of the applications that use web based browsers. Even some of the desktop application are just shells that use a custom shell to deliver http based content so you may also have outage associated with certificates for some of the popular applications like Slack and Teams on your desktop.

Prevent outage by discovering and being aware of all of your certificates before someone else tells you!

Categories: General Tags: hacking, https

Are you a Secure Programmer?

December 27, 2019 jeff2343 Leave a comment

Happy New Year to those of you who read this blog, and to those folks who remember my predictions about going over 20,000 unique CVEs in 2019, I trust you may agree that 2019 was a banner year for vulnerabilities. Lucent/Alcatel are among the vendors who have CVEs that have taken us over 20,000 this year (CVE-2019-20047, 20048).

It’s time to ask yourself, are the hackers getting better at ‘hacking’ or are coders just getting worse? If we are going to examine how the last half of a decade has had more than 10,000 unique vulnerabilities each year and that number keeps increasing, we will all need to come to the conclusion that programmers just don’t know how to create programs that are secure by default!

Here is a chance for some of the best and brightest programmers to change course and learn how to avoid these vulnerabilities once and for all.

A California University (UCDavis) has created an online course that can help teach the Principles of Secure Coding. In a series of four courses, developers can learn about the fundamentals, identify vulnerabilities and walk on the wildside as they learn how to hack just like the a blackhat!

Take one, two or the set of four courses and really understand how pentesters can exploit how code works so you can learn how to avoid many of the common pitfalls. https://www.coursera.org/specializations/secure-coding-practices

Categories: General Tags: hacking, secure coding, security

Snyk Found Over Four Times More Vulnerabilities in RHEL, Debian, and Ubuntu – DZone Security

November 17, 2019 jeff2343 Leave a comment

Impressive list of vulnerabilities this year and even the purchase of Redhat by IBM isn’t making the paid OS immune. Check out the docker images that are floating around and be careful when trusting someone else’s container build.

https://dzone.com/articles/snyk-found-over-four-times-more-vulnerabilities-la?fromrel=true

Categories: General

What’s in a container image: Meeting the legal challenges | Opensource.com

November 8, 2019 jeff2343 Leave a comment

Do you remember when you bought a license and installed your copy of windows X on a VM and didn’t think twice about it. You loaded your software and maybe setup a reoccurring backup for it and you were done right?

Nowadays, there are risks at even using that Windows license on a cloud provider other than Azure (but that is another story)

Today, running containers is the new thing and that software is open source right? Not always!

You could have more than just Vulnerability risk to worry about. Some container images can also have License risk and you could have legal troubles too!

https://opensource.com/article/18/7/whats-container-image-meeting-legal-challenges

Categories: General

Scotiabank does it again

October 12, 2019 jeff2343 Leave a comment

Beginning Jan. 1, 2020, the bank’s Canadian workforce will have a
total of five personal days and the flexibility to take them as needed,
in addition to existing sick and vacation days.

“Our people are our most important asset and their well-being is a
top priority for Scotiabank,” said Barbara Mason, chief human resources
officer, in a press release. “We strongly believe that by offering
employees greater flexibility to take time off to achieve greater
work-life balance, our employee population will be healthier and
happier, and therefore enabled to perform at their very best.”

Categories: General