Welcome!

Cloud Security Authors: Pat Romanski, Liz McMillan, Elizabeth White, Zakia Bouachraoui, Yeshim Deniz

Related Topics: Cloud Security, Microservices Expo, @CloudExpo

Cloud Security: Blog Post

The Bigger the Base the Larger the Blast Radius By @LMacVittie

Information security decision making is a constant balancing act of risk versus reward, disruption versus dependability

At the end of the year, WhiteHat Security posted an interesting blog titled, "The Parabola of Reported WebAppSec Vulnerabilities" in which a downward trend in web application vulnerabilities (as collected by the folks at Risk Based Security's VulnDB) was noted beginning in 2008 after having been on an upward trend since 1994 (hence the use of parabola to describe the histogram of reported vulnerabilities. See hastily composed diagram on left. A very angular looking parabola but a parabolic shape nonetheless).

web app sec trend 2014 to 1994

The author further postulates some possible explanations for this trend. including a "more homogeneous Internet", which is explained as:

start_quote_rbIt could be that people are using fewer and fewer new pieces of code. As code matures, people who use it are less likely to switch in favor of something new, which means there are fewer threats to the incumbent code to be replaced, and it’s therefore more likely that new frameworks won’t get adopted. Software like WordPress, Joomla, or Drupal will likely take over more and more consumer publishing needs moving forward. All of the major Content Management Systems (CMS) have been heavily tested, and most have developed formal security response teams to address vulnerabilities. Even as they get tested more in the future, such platforms are likely a much safer alternative than anything else, therefore obviating the need for new players.end_quote_rb

That seems a logical (and likely) explanation. The continued refinement of highly leveraged code ultimately reaps the benefit of being more secure. It's like realizing the benefits of a thousand code reviews instead of the usual three to five colleagues. Certainly the additional scrutiny has rewards in the form of greater stability (fewer kinks need to be worked out because, well, they've already been worked out) and improved security (almost all the holes have been found and patched).

The code base is also likely well-documented and supported by an active community, making it an attractive choice for developers looking for a framework or system with a robust, extensible repository of "extras" and "options".

It's a win-win-win situation.

I know what you're thinking - there's one too many "wins" in that equation. There's the developers of the framework or system and the consumers. It should be win-win, shouldn't it?

Au contraire, mes amis!

The third win is, in fact, for the bad guys. The attackers. The would-be infiltrators and destroyers of your web application.

Consider that two of the most disruptive (and effective) vulnerabilities of 2014 were discovered in just such code bases. Long-lived, well-supported, widely distributed. Perpetrated against platforms that, like application frameworks and platforms, are highly disruptive (and costly) to patch when such vulnerabilities are discovered.

[ Heartbleed and Shellshock were highly disruptive and perpetrated against industry de facto standard technology ]

Attackers, on the other hand, have a field day because the homogenous and entrenched technology means many weeks (perhaps months) of systems ripe for exploit. It's harvest time for the bad guys.

Now, I'm not saying we shouldn't be using well-established, "seasoned" platforms. I am saying that (potentially) diminishing vulnerabilities does not mitigate all the risk associated with a platform or technology. Certainly every year the platform is in use, the risk of vulnerabilities existing decreases. But this also means the damage from the exploitation of a heretofore undiscovered vulnerability increases because continued adoption and use of the technology expands its blast radius.

In other words, there is a converse relationship between the distribution size of an established (and assumed mostly-secure) technology platform and the potential damage incurred by the discovery of a vulnerability in it.

It is important to note the author states, "Even as they get tested more in the future, such platforms are likely a much safer alternative than anything else". Not safest. Not risk-free. Safer.

What that means is you need to consider not only the likelihood of an attack for established platforms and software (which is admittedly growing lower by the day) but the blast radius should a vulnerability be discovered. If all your sites are running on platform X and a vulnerability is discovered, what's the impact to your business?

Conversely, that risk must be weighed against the risk of custom or less well-established platforms being riddled with vulnerabilities and consuming valuable time and effort in constant evaluation and remediation cycles.

Information security decision making is a constant balancing act of risk versus reward, disruption versus dependability. What 2014 taught us is we should expect that a vulnerability will be discovered in even the most well-established platform, and plan accordingly.

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

IoT & Smart Cities Stories
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected pat...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
As you know, enterprise IT conversation over the past year have often centered upon the open-source Kubernetes container orchestration system. In fact, Kubernetes has emerged as the key technology -- and even primary platform -- of cloud migrations for a wide variety of organizations. Kubernetes is critical to forward-looking enterprises that continue to push their IT infrastructures toward maximum functionality, scalability, and flexibility. As they do so, IT professionals are also embr...
CloudEXPO has been the M&A capital for Cloud companies for more than a decade with memorable acquisition news stories which came out of CloudEXPO expo floor. DevOpsSUMMIT New York faculty member Greg Bledsoe shared his views on IBM's Red Hat acquisition live from NASDAQ floor. Acquisition news was announced during CloudEXPO New York which took place November 12-13, 2019 in New York City.
In an age of borderless networks, security for the cloud and security for the corporate network can no longer be separated. Security teams are now presented with the challenge of monitoring and controlling access to these cloud environments, at the same time that developers quickly spin up new cloud instances and executives push forwards new initiatives. The vulnerabilities created by migration to the cloud, such as misconfigurations and compromised credentials, require that security teams t...
The graph represents a network of 1,329 Twitter users whose recent tweets contained "#DevOps", or who were replied to or mentioned in those tweets, taken from a data set limited to a maximum of 18,000 tweets. The network was obtained from Twitter on Thursday, 10 January 2019 at 23:50 UTC. The tweets in the network were tweeted over the 7-hour, 6-minute period from Thursday, 10 January 2019 at 16:29 UTC to Thursday, 10 January 2019 at 23:36 UTC. Additional tweets that were mentioned in this...
The term "digital transformation" (DX) is being used by everyone for just about any company initiative that involves technology, the web, ecommerce, software, or even customer experience. While the term has certainly turned into a buzzword with a lot of hype, the transition to a more connected, digital world is real and comes with real challenges. In his opening keynote, Four Essentials To Become DX Hero Status Now, Jonathan Hoppe, Co-Founder and CTO of Total Uptime Technologies, shared that ...
After years of investments and acquisitions, CloudBlue was created with the goal of building the world's only hyperscale digital platform with an increasingly infinite ecosystem and proven go-to-market services. The result? An unmatched platform that helps customers streamline cloud operations, save time and money, and revolutionize their businesses overnight. Today, the platform operates in more than 45 countries and powers more than 200 of the world's largest cloud marketplaces, managing mo...
When Enterprises started adopting Hadoop-based Big Data environments over the last ten years, they were mainly on-premise deployments. Organizations would spin up and manage large Hadoop clusters, where they would funnel exabytes or petabytes of unstructured data.However, over the last few years the economics of maintaining this enormous infrastructure compared with the elastic scalability of viable cloud options has changed this equation. The growth of cloud storage, cloud-managed big data e...
Your applications have evolved, your computing needs are changing, and your servers have become more and more dense. But your data center hasn't changed so you can't get the benefits of cheaper, better, smaller, faster... until now. Colovore is Silicon Valley's premier provider of high-density colocation solutions that are a perfect fit for companies operating modern, high-performance hardware. No other Bay Area colo provider can match our density, operating efficiency, and ease of scalability.