There are two bills working their way through Congress that would force companies like Apple to allow competitive app stores. Apple hates this, since it would break its monopoly, and it’s making a variety of security arguments to bolster its argument. I have written a rebuttal:

I would like to address some of the unfounded security concerns raised about these bills. It’s simply not true that this legislation puts user privacy and security at risk. In fact, it’s fairer to say that this legislation puts those companies’ extractive business-models at risk. Their claims about risks to privacy and security are both false and disingenuous, and motivated by their own self-interest and not the public interest. App store monopolies cannot protect users from every risk, and they frequently prevent the distribution of important tools that actually enhance security. Furthermore, the alleged risks of third-party app stores and “side-loading” apps pale in comparison to their benefits. These bills will encourage competition, prevent monopolist extortion, and guarantee users a new right to digital self-determination.

Matt Stoller has also written about this.

Read More

Many vendors and security companies are buying or building Infrastructure as Code (IaC) security into their portfolios, and this trend is only expected to continue. Here’s what you need to know.

Infrastructure as code (IaC) is a relatively new phenomenon that is revolutionizing the way organizations manage their infrastructure.

IaC offers many benefits to security leaders, including speed, consistency, accountability, scalability, reduced costs and more, which is why it is emerging as such an integral part of building on the modern cloud.

It’s important for CISOs and DevOps teams to see IaC as the connected link between cloud computing and DevOps success, as it enables businesses to innovate with confidence and strengthens infrastructure management processes.

Understanding how IaC works, its best practices and benefits are all crucial to leveling up your security programs and boosting agile software development. By leveraging IaC as both a strategy and a solution, CISOs and DevOps teams can align security with business goals.

Investing in an IaC strategy boosts the overall productivity of a business while maintaining security posture. This prevents misconfigurations, non-compliance policy violations and other cloud security risks, giving development teams more time to develop, deploy and scale with greater speed, visibility and flexibility. As a vital DevOps practice, IaC is still emerging and evolving within the cloud security realm.

What is Infrastructure as Code (IaC)?

According to Tech Target, infrastructure as code is “an IT practice that codifies and manages underlying IT infrastructure.”

Infrastructure as code emerged as a strategic approach for development teams looking to manage and maintain their infrastructure without the hassle of manually provisioning.

How does IaC work and what problems does it solve?

Managing IT infrastructure is an arduous process. It requires people to physically put the servers in place, configure them and then deploy the application. This time-consuming manual process often results in numerous discrepancies, impedes agility and, ultimately, proves costly for businesses. Corporations are forced to spend a fortune annually on building and maintaining huge data centers and hiring a plethora of engineers and other employees to manually provision the infrastructure.

To combat this, cloud computing was introduced, providing enterprises with a new approach that offered flexibility and scalability. Today, cloud computing is a booming industry, helping organizations accelerate innovation and scale at large.

Given the shift to remote work in light of the COVID-19 pandemic, more and more businesses have chosen to adopt the cloud. Currently, more than 90% of businesses use cloud computing. As a critical solution, it has rapidly changed the way people do business. Infrastructures can now be managed over networks, offering more flexibility and faster deployment for businesses. Additionally, with cloud systems, development teams can improve security, speed and software testing, increase productivity and efficiency, reduce costs and improve delivery.

Providing a myriad of benefits for businesses and cloud users alike, cloud computing continues to be an essential pillar of digital transformation. However, it does pose some serious security risks.

Cybercriminals looking to steal sensitive data and other pertinent information could potentially breach the cloud server, wreaking havoc on businesses and their customers. In 2021, more than 40 billion records were exposed, as a result of cloud-based data breaches. Just last year, social media giant Facebook had 533 million records exposed from users in 106 countries, according to Business Insider.

Additionally, infrastructure misconfigurations caused by human error can provide pathways for cybercriminals to launch attacks. Misconfigurations can expose networks and cause configuration drifts.

Therefore, a solution is needed which allows developers to manage their infrastructure through automation, while minimizing potential new security risks. This is where infrastructure as code comes in.

IaC involves using software tools to automate specific tasks through a version control system. This means that your infrastructure can be written and described in code, and this code can be executed to make changes to your infrastructure. In IaC, there are two approaches to writing the code:

Declarative approach. This is often the preferred approach of the two because of the flexibility it offers, this approach involves users only defining the end or “desired” state. Meanwhile, the tool or platform being used takes care of the steps needed to achieve the end result.

Imperative approach. This approach involves users specifying the specific commands needed to achieve the end or “desired” state. In this approach, the platform or tools do not deviate from those specific commands.

By adopting an IaC approach, organizations can accelerate innovation and build products that efficiently meet their customers’ needs in a timely and seamless manner. However, the speed at which development teams are rapidly pushing out new products and features is outpacing security. Therefore, it is critical that the security pace keeps up. More specifically, CISOs, who are responsible for the security of an enterprise, need a security solution that enables DevOps teams to continue production while applying security practices to reduce cyber risks and misconfigurations. And IaC provides the mechanism to do it.

Five benefits of IaC

Leveraging IaC as both a strategy and solution can help you achieve your security goals, as it provides several benefits for your business, including speed, scalability, consistency, accountability and reduced costs.

Speed. The most important benefit of IaC is speed. One of the CISO’s primary responsibilities is to protect the enterprise while simultaneously driving growth. By adopting an IaC security solution, productivity can get a boost, allowing for quick turnarounds, enabling businesses to meet customer’s requests and needs. Instead of spending time manually provisioning and increasing the likelihood of misconfigurations due to human error, development teams can quickly provision and configure infrastructure, speeding up the entire software development lifecycle, all while minimizing security risks by adopting IaC security.
Scalability. When demand for products or services increases, businesses need to be able to scale quickly and efficiently. The same applies to security. As businesses continue to grow and evolve, so, too, must their security processes evolve. New security tools and technologies will be used to accelerate innovation and CISOs are responsible for evaluating and consolidating these tools. By employing IaC tools, development teams can build environments to test new applications and get products or new features to the market faster with security embedded throughout the entire process.
Consistency. Generally, CISOs are responsible for ensuring security policies are being met. Therefore, they must ensure that documentation is up to date as outlined in the policies. By adopting IaC, CISOs can eliminate the documentation process because all the infrastructure is defined as code. IaC increases consistency and significantly reduces errors that often happen because of manual misconfigurations. It minimizes the potential for configuration drift and reduces the risk of cyberattacks that might occur because of manual provisioning.
Accountability. IaC enables CISOs to track any changes that have been made to any source code file. You no longer have to guess which person made a change and when they made that change throughout the software development lifecycle. Thus, making it easier for CISOs and security leaders to hold DevOps teams accountable for changes.
Reduced costs. IaC significantly reduces the cost of infrastructure management. Businesses can save money on hardware and equipment and the costs of hiring people to operate the hardware and equipment and building or renting the physical space to store it. Additionally, by employing cloud computing with IaC, businesses can reduce security risks, which, in turn, can save a fortune on “recovery costs” from a data breach or other form of cyberattack.

Conclusion

At Tenable, we recognize the value of embracing IaC as a way for organizations to innovate in the cloud with confidence. We deliver an integrated, end-to-end security solution to help organizations better protect their cloud environments. It provides a complete picture of cyber risks across the modern attack surface, with unified visibility into code, configurations, assets and workloads. Learn more about Tenable.cs and how our platform enables DevSecOps with integrated controls for development and runtime workflows, focused on IaC.

Learn More

Read the blog: Introducing Tenable.cs: Full Lifecycle, Cloud Native Security

Download the whitepaper: Using Auto Remediation to Achieve DevSecOps

Read More

This blog was written by an independent guest blogger.

Although commercial quantum computing may still be decades away, government agencies and industry experts agree that now is the time to prepare your cybersecurity landscape for the future. The power of quantum computing brings security complexities that we are only beginning to understand.

Even now, our cybersecurity climate is getting hotter. The average cost of a data breach reached an all-time high in 2021, and the attack vector grows larger by the minute. There has been a significant increase in the number of connected devices used to access business email and intranet since more organizations have transitioned to remote and hybrid work models.

With quantum computing looming in the not-so-distant future, the way that we think about encryption will need to evolve. Most of our current online privacy protocols utilize cryptography to maintain privacy and data integrity. However, the complex math behind creating encryption keys is no match for the power of quantum computers.

Although IBM hopes to make a 1,000-qubit machine by 2023, widespread adoption of quantum computing is still decades away. Take advantage of this time to develop the cybersecurity infrastructure that your organization needs to prepare for the future of quantum computing.

What is quantum computing?

Quantum computing focuses on developing computer technology based on principles that describe how particles and energy react at the atomic and subatomic levels. Today’s computers encode information in 1’s and 0’s. Quantum computing says that information can be encoded simultaneously in more than one place.

While the science is a bit muddy for those who are not quantum theory experts, we can all agree that quantum computing is faster than any other computing technology. In fact, the quantum computer that is in development at Google is 158 million times faster than the world’s fastest computer today.

Digital transformation has already spurred an increase in demand for web designers and developers, and web development is one of the fastest-growing career fields in the United States right now. In the future, quantum computing has the potential to contribute to finance, military intelligence, pharmaceutical development, aerospace engineering, nuclear power, 3D printing, and so much more.

What are the security risks?

The most significant impending security risks associated with switching over to quantum computers are related to cryptographic encryption. The global internet economy relies on cryptography as the foundation for a secure network. The complex algorithms used to create public and private keys to decrypt encrypted data do not hold up in a quantum environment.

The basic idea behind cryptographic encryption is that anyone who wishes to read an encrypted file must have the key, or code, to unlock it. The longer the key, the longer it takes for a computer to crack, and the more secure your files are.

To put this in perspective, it took a group of 300,000 people and four years of work to crack a 64-bit key in 2002. With 128-bit key encryption, it could take trillions of years to find a matching key.

Recently, the NIST raised the industry standard for key length protocol from 128 bits to 256 bits to increase security and prepare users for the future of quantum computing.

But cryptography is only one piece of the puzzle. Even if you implement the most secure encryption and signing practices, it won’t stop someone from opening a malicious file attachment or clicking on a misleading link. Software flaws, misuse of access, and other human-related problems could cost companies an unfathomable fortune in the quantum age.

How to protect yourself

Several technologies such as 5G, machine learning AI, and quantum computing have made huge advancements toward digitization. But, often, new technology rolls out before all of the kinks have been discovered and resolved. You could say that we are experiencing this problem with legacy cybersecurity systems.

Since the theory behind quantum computing will make our current encryption protocols obsolete, organizations should focus on creating a unified cybersecurity ecosystem to monitor the network, discover vulnerabilities, and mitigate security issues.

Here are a few things companies can do to protect themselves from future risks:

Adopt industry security standards

COVID-19 forced the world to find new ways to communicate, work, and conduct business, with most people finding their “new normal” by using digital online tools and connected devices. This influx of new internet users increased digital deployments, and the advent of the remote work movement caused security vulnerabilities for businesses and consumers to rise significantly. 

The NIST’s new industry standards say that the encryption strength of your keys should be at least 128 bits for low-impact data, 192 bits for moderate-impact data, and 256 bits for high-impact information.

In addition, achieving ISO compliance also helps protect your organization by requiring cybersecurity tools for asset discovery, vulnerability assessment, continuous security monitoring, and event reporting.

Implement Zero Trust

Meeting industry security standards, mandated or not, will help you with the technical side of cybersecurity, but implementing zero-trust authentication protocols can help to reduce risks associated with human error.

Scammers are clever, and they tend to use social engineering tactics to build trust with their intended victims so that it is easier to exploit them for their credentials, money, or data. Phishing and spoofing attacks are popular forms of social engineering where an attacker pretends to be a trusted user to infect a network with malware or get their hands on high-level login information.

Phishing and spoofing attacks can be highly covert. In fact, a whopping 30% of phishing emails and SMS messages get opened by targeted users. Another 12% of those users click on the malicious attachment or link.

Zero-trust protocols help reduce the impact of phishing and other social engineering attacks by delegating privileges based on necessity instead of position in a company. This protects crucial data from leaking out in case credentials are breached since no one individual is trusted with “the keys to the kingdom,” so to speak.

Deploy automated tools

Many cybersecurity protection procedures are meant to diffuse the impact that human error can have on an organization. Manually scanning your network, mitigating vulnerabilities, and responding to data breaches opens the door to more mistakes as well as putting a limit on productivity.

That’s why organizations at the cutting edge of security choose to deploy automated tools to help them maintain the integrity of their network. Not only do automated tools work at higher speeds, but they can also analyze data with incredible detail within a timeframe that humans can’t match.

A recent study about cybersecurity adoption reported that 95% of businesses have already automated some cybersecurity processes. The report also highlighted that 98% plan to automate even more of their manual security processes in the upcoming year. This also implies that businesses that don’t automate their security protocols could lag behind.

Implement managed threat detection

Transitioning to a quantum-resistant cybersecurity plan sounds intimidating, which is why it can be helpful to have skilled experts on your side. The best way to ensure that your cybersecurity ecosystem remains intact is to implement managed threat detection through a trusted company. A managed threat detection and response service can help you arm your business with high-quality security tools and provide continuous monitoring and response support when you need it the most.

Wrapping up

Quantum computing will change everything from apps to internet search, web development, cybersecurity, and beyond. It’s wise to stay one step ahead of current technology trends so that when new features are released, your organization is already equipped with the knowledge and tools it needs to weather the dawning of a new age.

Read More