Securing the Enterprise Software Supply Chain Using Docker

At Docker we have spent a lot of time discussing runtime security and isolation as a core part of the container architecture. However, that is just one aspect of the total software pipeline. Instead of a one-time flag or setting, we need to approach security as something that occurs at every stage of the application lifecycle. Organizations must apply security as a core part of the software supply chain, where people, code and infrastructure are constantly moving, changing and interacting with each other.

If you consider a physical product like a phone, it’s not enough to think about the security of the end product. Beyond the decision of what kind of theft-resistant packaging to use, you might want to know where the materials are sourced from and how they are assembled, packaged and transported. Additionally, it is important to ensure that the phone is not tampered with or stolen along the way.

Software Supply Chain

The software supply chain maps almost identically to the supply chain for a physical product. You have to be able to identify and trust the raw materials (code, dependencies, packages), assemble them together, ship them by sea, land, or air (network) to a store (repository) so the item…

How Virtualization Will Transform Security Architectures: Spotlight at #VMworld U.S. 2016

It’s clear today that security is at a crossroads, and we are losing the cybersecurity war. VMware’s SVP of Security Products Tom Corn explained to me recently, “There are no objective measures we can credibly point to which suggest we are – in any way – succeeding as we battle to protect systems and data.”

Register for this VMworld 2016 session to learn about the transformation of security architecture

One of the biggest problems, he points out, is that cyberwarfare is an asymmetric battle: an attacker fires a thousand bullets and only one needs to get through. Defenders need to stop all 1,000. So what are we doing to address this challenge?

We don’t appear to have an issue with how much we spend, or with a lack of security innovation. We are spending at record levels, and security innovation is at an all-time high.

At the heart of the issue is an architectural gap between the applications and data we are trying to protect and the infrastructure from which we are trying to protect them. Virtualization could be the key to solving this problem, enabling security to be architected in rather than bolted on.

Your Software is Safer in Docker Containers

The Docker security philosophy is Secure by Default, meaning security should be inherent in the platform for all applications and not a separate solution that needs to be deployed, configured and integrated.

Today, Docker Engine supports all of the isolation features available in the Linux kernel. Not only that, but we’ve supported a simple user experience by implementing default configurations that provide greater protection for applications running within the Docker Engine, making strong security default for all containerized applications while still leaving the controls with the admin to change configurations and policies as needed.

But don’t take our word for it. Two independent groups have evaluated Docker Engine for you and recently released statements about the inherent security value of Docker.

Gartner analyst Joerg Fritsch recently published a new paper titled How to Secure Docker Containers in Operation. In it, Fritsch states the following:

“Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS” because even if a container is cracked “they greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS”.

Additionally, NCC Group contrasted the security…

Where the monsters live

The monsters read your full network traffic flow if they have your keys or you used weak ones. The monsters are in the hidden partitions of USB flash drives left in parking lots and technical conferences. The monsters are in the weakened smartphone OS that most of your users own. The monsters are in the containers you used from that interesting GitHub pull. The monsters are in the Cisco router where the Zero Day lives waiting for the NSA. The monsters are in the fake certificates your user swallowed in their browsers. The monsters are 10,000 CVEs that you never, ever checked. The monsters live inside your kernel, watching for the network traffic that brings them alive from their zombie state.

Epic Games forum hack underscores the need to install security patches

A recent data breach at Epic Games may have been avoided if the company had simply installed a security patch. On Monday, Epic Games reported that its internet forums had been compromised. The leaked data includes email addresses and hashed passwords taken from legacy forums at Infinity Blade, previous Unreal Tournament games, and an archived Gears of War forum. Epic Games declined to explain how the leak occurred, but a website that stores information on data breaches said hackers were responsible and that 808,000 users are affected. The anonymous attackers targeted the vBulletin forum software on Aug. 11, according to the website Leaked Source, which has been in contact with the hackers.

Do what you love?

How many times have you heard this? Or this?

Two of the most oft repeated, and driven home, ideas in modern times are be true to yourself and do what you love. But just because they’re oft repeated and driven home doesn’t mean they are actually true. The problem with both statements is they have just enough truth to sound really plausible—and yet they are both simplistic enough to be dangerous when taken raw.

Or maybe it’s just that I’m a grumpy old man who’s been in a bad mood for the last couple of weeks, and misery likes company.

Let’s try to put some reality into the do what you love statement.

Sometimes you’re just not very good at what you love to do. When I was a kid, I wanted to be an artist. And then a musician. Apparently there are no real jobs for artists or musicians with my somewhat mediocre skills in these two areas. I just have to face it—I’m never going to be a professional basketball player, either. Sometimes it doesn’t matter how much you love something, you just don’t have the skills to master it.

Sometimes there’s just no market for what you…

MIT researchers discover method to triple wireless speeds

MIT researchers have found a way to transfer wireless data using a smartphone at a speed about three times faster and twice as far as existing technology. The researchers developed a technique to coordinate multiple wireless transmitters by synchronizing their wave phases, according to a statement from MIT on Tuesday. Multiple independent transmitters will be able to send data over the same wireless channel to multiple independent receivers without interfering with each other. Since wireless spectrum is scarce, and network congestion is only expected to grow, the technology could have important implications. The researchers called the approach MegaMIMO 2.0 (Multiple Input, Multiple Output).

For Your Ears: Citizens of Tech Podcast 40

In this show, we get into what expiration dates on packaged food and drugs really mean. How should you react when the date expires? If you assume, “Throw it out to be safe,” you’d be wrong.

We also chat about dealing with password expiration policies. Passwords must be super complex and changed frequently, right? Maybe not. Super complex and frequently changed means hard to remember, which studies show can lead to less security, not more.

IBM has manufactured an artificial neuron, which isn’t so interesting by itself. We’ve been here before. The interesting bit is the material used to behave like a neuronal membrane. A genuine advance.

Microsoft has announced a smaller Xbox One S, now with 4K capabilities. Just not gaming 4K capabilities.

BlackBerry is on permanent deathwatch now, as they have begun the “all else has failed, so let’s litigate” phase of operations.

All that, plus our regular “Content I Like” and “Today I Learned” features.

Expiring Stochastic Passwords – Citizens of Tech 040

ARM Puts Some Muscle Into Vector Number Crunching

If the ARM processor in its many incarnations is to take on the reigning Xeon champ in the datacenter and the born again Power processor that is also trying to knock Xeons from the throne, it is going to need some bigger vector math capabilities. This is why, as we have previously reported, supercomputer maker Fujitsu has teamed up with ARM holdings to add better vector processing to the ARM architecture.

Details of that new vector format, known as Scalable Vector Extension (SVE), were revealed by ARM at the Hot Chips 28 conference in Silicon Valley, and any licensee…

ARM Puts Some Muscle Into Vector Number Crunching was written by Timothy Prickett Morgan at The Next Platform.

IDG Contributor Network: Is the IT services industry at a crossroads?

Much ink has been spilled over the changing IT services industry. Indeed, it is an industry well acquainted with—and perhaps even born out of—change. But the velocity of technological advancement happening today is unprecedented. Is the industry truly at a crossroads? The established industry players are dealing with two distinct macro shifts. IT outsourcing provider Infosys calls them “Renew” and “New.” Allow me to explain.

OIG finds security flaws in wireless networks at federal health service data centers

Security holes that could lead to “unauthorized access” to personally identifiable information are not something you want to hear about in regard to the wireless networks of a federal agency tasked with collecting and storing financial and health care information. Yet a recent Office of Inspector General report did say it found vulnerabilities in the wireless networks of the Centers for Medicare & Medicaid Services (CMS); if exploited, they could lead to unauthorized access and even “disruption of critical operations.” The OIG at the Department of Health and Human Services (HHS) conducted a wireless penetration test on 13 CMS data centers and facilities; CMS, an agency within HHS, administers federal healthcare programs such as Medicare, Medicaid and the Children’s Health Insurance Program. The agency “collects, generates and stores financial and health care information.”