Category Archives: Security

Information Security Posts

No, not everybody should be a security expert

https://www.websec.be/blog/securityexpert/?utm_source=twitterfeed&utm_medium=linkedin

Advertisements

Automated Security Testing Using CI Tools

With evolution of DevOps and CI/CD tools, security testing does not need special treatment. Using tools like Jenkins Security testing can be automated. Many security open source tools can be integrated as plug-in into CI tools to perform code scans and scan target URL’s.

OWASP ZAP proxy is an open source web application security testing tool that can used to identify the know OWASP to 10 security issues.

Reference: https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin

Ideally automated security scans must be automated into the software development lifecycle process. Every time the code is checked into the source code repository the CI tools must invoke the scan on the source code and if any issues are identified the developers and security team must be notified about the issues. This creates and quick feedback loop which would eventually create security awareness amount the development teams. Also, give the security team to verify and work with the developers proactively rather than in the final stages of the project lifecycle.

One scan per day is a good baseline and the developers would get feedback in early hours of the day where they could fix the issues and check-in the code.

Automated Security Testing into the Development Life-cycle is not hard when planned and implemented correctly.

Study Shows Few Organizations Achieving “Full DevOps” Maturity

Excerpt: “According to the results of a new global study, commissioned by CA Technologies (NASDAQ:CA), only 20 percent of organizations that have attempted to implement DevOps have fully deployed it. The research also found that these “advanced” DevOps adopters were more likely to report that their digital initiatives contributed to competitiveness, customer retention and top- and bottom-line results”

http://www.infosecisland.com/blogview/24692–Study-Shows-Few-Organizations-Achieving-Full-DevOps-Maturity.html

Log into most any Linux system by hitting backspace 28 times

picture

Security researchers have discovered a ludicrously simple way to hack into a number of Linux distributions: Just tap the backspace key 28 times in a row. A team from the Cybersecurity Group at Polytechnic University of Valencia (UPV) in Spain found that doing so for builds utilizing the ubiquitous Grub2 bootloader — that’s to say just about all of them — immediately bypasses the lock screen, initiates the “Grub rescue shell” and grants the user access to the system for whatever nefarious things they have in mind.

The team found that the backspace trick triggers a memory error, which in turn launches the rescue shell. The bug isn’t a huge threat — I mean, a hacker would need physical access to your machine in order to exploit it — especially now that Ubuntu, Red Hat, and Debian all have released patches.

Via: Motherboard

Source: Hector Marco, Engadget