Best of TechBeacon 2017: The state of security

Richi Jennings' Security Blogwatch, which delivers curated commentary from around the Web on hot security stories each week, tracked some of the biggest trends of 2017, including the highly read "Deloitte 4+ months late on breach: New poster child for bad security practices?"

Other top security stories for 2017 covered everything from application security to information security/cybersecurity. TechBeacon security stories that hit a nerve with readers spanned a wide range of topics, including best practices for microservices security, ways to combat fileless malware, threat modeling, the security impact of serverless computing models, and the importance of choosing the right metrics to measure security effectiveness.

Here's our top 10 list of stories that defined the state of security in 2017.

The State of Security Operations

8 best practices for microservices app sec

No software architecture is entirely free from security considerations, including microservices. While a few microservices features help bolster security, others accentuate security problems. For example, access control is problematic in monolithic environments, and even more so in a microservices setting. ServisBOT senior software engineer Marco Troisi highlights eight best practices for securing your microservices apps.

5 application security metrics that should matter to your team

If you want to improve application security, you need to know how well your current practices are working. You must measure progress to know if you are making any. How many of your applications are covered by secured development practices? How long does it take for you to address vulnerabilities? Do you have a handle on your flaw-creation rates? Independent technology journalist Robert Lemos reviews the five most important metrics for application security.

How your security team can combat new fileless malware

Fileless malware can create big headaches for security teams because it's so hard to detect. Unlike conventional malware tools, fileless malware resides entirely in memory and runs its payload there. Often this malware is designed to erase all traces of how it was delivered to a system, making it all but invisible to security tools. John P. Mello has the lowdown on measures that enterprises can take to mitigate the threat posed by this new breed of malware.

Why OWASP's Threat Dragon will change the game on threat modeling

Identifying and eliminating potential security vulnerabilities in a business process or design before you begin writing code for a new app is a great way to minimize vulnerabilities in software. Any enterprise that embeds such threat modeling within its development process is laying the foundation for creating more secure software, but it needs the right tools for the job. Security Journey CEO Chris Romeo explains why OWASP's Threat Dragon is the best tool for driving enterprise adoption of threat modeling.

Securing serverless apps: What IT Ops needs to know

Serverless apps are not a new concept, but adoption of the model is growing among enterprises. Among those pushing greater use of serverless apps are major cloud vendors Amazon, Microsoft, and Google. Trend Micro vice president Mark Nunnikhoven explains what you need to know about the security implications of serverless applications. He reviews the most secure designs, how to implement security, and what IT Ops need to understand about the trend.

Security liability is coming for software: Is your engineering team ready?

The era when software developers could get away relatively unscathed with serious security vulnerabilities in their products is quickly coming to an end. With a constantly increasing range of products and services being digitized, the consequences of failure associated with security vulnerabilities have become greater, and in some cases could potentially cause death or bodily harm. Robert Lemos explains why standard EULAs will soon no longer be enough to stave off liability for failures arising from software vulnerabilities.

How to keep your container secrets secure

Passwords, API keys, and access tokens help keep your source code secure, so it's vital to ensure that they do not fall into the wrong hands. But do you know how to keep these secrets safe in a container environment? What are the measures you need to take to secure keys, passwords, and tokens and ensure that only people with the right to access your source code can do so? Learn about the four actions you can take today from Liz Rice, technology evangelist at Aqua Security.

How to build the best cyber-threat hunting team

A growing number of organizations have begun using threat-hunting practices to proactively investigate and chase down security threats on their networks. However, there are few overarching standards or processes around threat hunting, and many organizations do it only when necessary rather than on an ongoing basis. Robert Lemos examines current approaches to threat hunting and discovers four tips on how to do it right.

The 3 most crucial security behaviors in DevSecOps

Modifying security behaviors can help transform your DevOps team into an army of security practitioners. By instilling in them the importance of following threat modeling, red teaming, and code review practices, the security team can get DevOps to embrace security more readily, says Security Journey's Chris Romeo. He drills down into the three behaviors, and explains how they can help transform DevOps security.

Beyond two-factor: How to use U2F to improve app security

Just because two-factor authentication is better than using only a username and password doesn't mean it is infallible. 2FA has its own set of problems, which hackers have in recent times exploited successfully. Johanna Curiel, co-founder of Ossecsoft, takes a look at the open-source Universal 2nd Factor (U2F) technology, reviews what it is, and explains why it offers application developers a better alternative to regular 2FA.

Topics: Security