New laws such as the California Consumer Privacy Act (CCPA) and the European Union's General Data Privacy Regulation (GDPR) have put substantial pressure on organizations to bolster their security practices this year. Adding to the urgency were the near-constant reports of data breaches, an ever-evolving threat landscape, and a growing volume of attacks.
Here are TechBeacon's top 12 security stories from 2019, covering a range of topics that remain of vital importance to security and IT leaders across the industry.
These top reports cover trends in the application and information security space and around app development and identity and access management. They identify significant trends, offer actionable advice, and list key takeaways on matters that information security leaders and practitioners deal with on a daily basis.
Application security
Open source and risk: 4 application security action items
A majority of applications used across industries contain open source code. Software development organizations looking to push code out quickly are increasingly using risky open-source components to build applications, without much regard for the security implications. Freelance writer John P. Mello offers four tips for securing open-source software based on conversations with multiple security experts.
What you should know about web application firewall testing
A web application firewall (WAF) blocks attacks at the application layer and is a critical component of the security stack at many organizations. In this report, Franziska Buehler, systems architect at Puzzle ITC, explains why organizations should include WAFs in their UI tests and end-to-end tests early in the development cycle. Such testing can ensure the WAF works effectively without degrading application functionality, Buehler says.
Master your code's open source or it will bite you in the app sec
Organizations that use open-source components to build software need to account for the potential risks and tradeoffs they are assuming. Configuration management and an inventory of open-source components are vital to security, says Stan Wisseman, chief security strategist at Micro Focus. Here he offers two ways organizations can use open source safely.
Information security
The dangers of breach fatigue—and how to take action
Breach fatigue is not something that happens just with consumers—enterprise organizations can have it as well. Incessant data breach reports can cause fatigue for employees and IT leaders alike, and leave organizations vulnerable to insider threats and less-than-optimal security strategies. Jadee Hanson, CISO and vice president of information systems at Code42, draws on her experience building corporate security programs to explain how to recognize breach fatigue and deal with it.
When your own tools attack: The top 5 offenders
Threat actors are increasingly using legitimate administration tools and services in carrying out attacks. Tools such as PowerShell and Windows Management Instrumentation (WMI) are the most commonly abused in attacks, but they are not the only ones. Such living-off-the-land tactics allow attackers to evade detection and maintain persistence on a network for long periods. Freelance writer Robert Lemos lists the top five legitimate tools that attackers tend to use at the moment.
How to marry security and IT operations
IT operations teams and the security group can be at loggerheads with each other because of their differing priorities. Security teams view their mission primarily as securing the confidentiality, integrity, and availability of IT services, while the IT operations team is focused on performance, availability, and efficiency. To address the issue, security teams need to be willing to work with IT operations to enable safe software delivery and breach mitigation, says Travis Greene, a US Naval Academy graduate and current IT evangelist at Micro Focus.
Data security
What your data security team needs to know about the CCPA
The California Consumer Privacy Act (CCPA) has become to businesses in the US what the General Data Protection Regulation (GDPR) is for organizations in the European Union. Like the GDPR, the California law spells out specific measures that organizations must take to protect the security and privacy of consumer data and mandates substantial fines and penalties for non-compliance. Ty Sbano, head of information security at Periscope Data, provides the lowdown on the law and tips about how to comply with it.
GDPR execution will be a major task this year—and reap benefits
Though GDPR went into effect in May 2018, more than a year later a substantial number of organizations are still only working toward compliance with the law. For CISOs, CSOs, and IT security leaders who assumed that the task of complying with the law was complete, 2019 turned out to be the year for its practical execution in the enterprise. David Kemp, business strategist for security risk and governance at Micro Focus, uses his GDPR expertise to explain why compliance remains a major task but why it will be beneficial.
The state of encryption: A call for faster adoption
Encryption technologies and their ability to secure email and other communications on the internet have gradually evolved over the past two decades. Growing attack sophistication and a fast-evolving threat landscape have made it increasingly necessary to implement encryption as a data protection measure. Several statutes—such as HIPAA, PCI DSS, and GDPR—require or encourage its use. Luther Martin, distinguished technologist at Micro Focus, expounds on the current state of encryption.
Identity and access management
Extend your Active Directory security policy to Linux and beyond
Adopting cloud computing and software-as-a-service models has resulted in a growing number of enterprise devices now living outside the reach of traditional identity and access management tools, including Microsoft Active Directory. Teams that want to centralize security and policy management need to find a way to extend Active Directory group policies to Linux, Unix, and cloud virtual machines. Danny Kim, founder and CTO of FullArmor and a professional who has helped dozens of organizations deploy their security policies, offers advice on how to extend AD.
Single sign-on still open to attack: An inside look
Single sign-on (SSO) technologies allow for greater user convenience but remain dangerously susceptible to attack. Two vulnerabilities revealed by researchers at Micro Focus Fortify during Black Hat in Las Vegas served as the most recent examples of the issue. One of the vulnerabilities gave attackers a way to launch a denial-of-service attack, while the other was a privilege escalation issue. Freelance writer Robert Lemos reports on what the bugs were about and the lessons to be learned from them.
How to get single sign-on right in today's hybrid IT environments
Most employees expect a single sign-on experience in the corporate environment, but implementing it can be a challenge. The technology stack has become far more complex than it was even a few years ago. Business apps are scattered across on-premises, public cloud, and hybrid environments, and users access applications from multiple devices and locations. Freelance writer Robert Lemos speaks to analysts from Forrester Research, identity provider OneLogin, and other experts to explain what you need to do to get SSO right in today's hybrid IT setups.
Keep learning
Understand the newest privacy laws with this Webcast: California’s own GDPR? It’s not alone.
Take a deep dive into the new privacy laws with TechBeacon's Guide to GDPR and CCPA.
- Get up to speed on cloud security and privacy and selecting the right encryption and key management with TechBeacon's Guide.
