#Security Engineer
uh-quill-uh · 3 months ago
Text
Day 8/60
Finally hung curtains in my office to mitigate the glare on my monitor. Still need to
Finish Common Web Attacks module
Blow dry hair
Apply for a job
12 notes · View notes
w2gsolution01 · 4 months ago
Text
Ask a Security Engineer: From DevSecOps to Cloud Security
In today's digital-first world, security is a top priority for businesses and developers alike. With cyber threats evolving rapidly, security engineers play a crucial role in ensuring that applications and infrastructure remain protected. Two major areas of focus in modern security practices are DevSecOps and cloud security. In this blog, we’ll explore the responsibilities of security engineers, the importance of DevSecOps and cloud security, key challenges, best practices, and future trends.
The Role of a Security Engineer in Modern Tech
Security engineers are responsible for designing, implementing, and maintaining security measures to protect an organization’s digital assets. Their role involves threat analysis, risk mitigation, and the integration of security practices throughout the software development lifecycle (SDLC).
Why DevSecOps and Cloud Security Matter
As organizations move toward agile development and cloud-based infrastructures, traditional security approaches no longer suffice. DevSecOps integrates security within the development process, while cloud security ensures that modern cloud environments remain resilient against cyber threats.
Understanding DevSecOps
What is DevSecOps? A Security-First Approach
DevSecOps is an extension of DevOps that integrates security into every phase of the software development lifecycle. By shifting security left, teams identify vulnerabilities early and reduce the risk of breaches.
Key Principles of DevSecOps in Software Development
Automation: Automated security testing and compliance checks.
Continuous Monitoring: Real-time security monitoring to detect threats.
Collaboration: Developers, security teams, and operations working together.
Shift Left: Addressing security issues early in the development cycle.
DevSecOps vs Traditional Security: What’s the Difference?
Traditional security follows a reactive approach, where security testing happens at the end of the development cycle. DevSecOps, on the other hand, integrates security continuously, reducing vulnerabilities and enhancing agility.
Common Challenges in Implementing DevSecOps
Cultural Resistance: Teams may resist changes in workflows.
Tooling Complexity: Choosing and integrating the right security tools.
Lack of Expertise: Security skills gap among developers.
Balancing Speed and Security: Ensuring security without slowing development.
The Evolution of Cloud Security
How Cloud Computing Has Changed Security Practices
Cloud computing has transformed how businesses operate, but it also introduces new security concerns. Traditional perimeter-based security is no longer sufficient, requiring new strategies for cloud-native environments.
The Shared Responsibility Model in Cloud Security
Cloud security follows a shared responsibility model:
Cloud Provider: Responsible for securing infrastructure (e.g., AWS, Azure, GCP).
Customer: Responsible for securing data, applications, and configurations.
Top Cloud Security Threats Organizations Face Today
Misconfigurations: Poor security settings expose cloud environments.
Data Breaches: Unauthorized access to sensitive data.
Account Hijacking: Stolen credentials leading to compromised systems.
Insecure APIs: Vulnerable endpoints exploited by attackers.
Best Practices for Strengthening Cloud Security
Implement Zero Trust: Verify every request, minimize access permissions.
Use Multi-Factor Authentication (MFA): Strengthen identity security.
Encrypt Data: Protect sensitive data at rest and in transit.
Monitor Logs and Alerts: Continuously analyze security logs.
DevSecOps and Cloud Security: Bridging the Gap
How DevSecOps Enhances Cloud Security
By integrating DevSecOps practices in cloud environments, organizations can build secure, resilient applications from the ground up.
CI/CD Security: Integrating DevSecOps into Cloud Pipelines
Continuous integration and deployment (CI/CD) pipelines should include:
Automated security scans before deployment.
Code analysis tools to detect vulnerabilities.
Policy enforcement to ensure compliance.
Automated Security Testing: A Game Changer
Automation helps detect threats early and ensures compliance with security policies. Popular tools include Snyk, SonarQube, and OWASP ZAP.
Security as Code: Embedding Security from the Start
Security as Code (SaC) automates security configurations, reducing human errors and increasing consistency across environments.
Real-World Insights from a Security Engineer
Key Lessons from Securing Cloud Environments
Security should be proactive, not reactive.
Developers must be security-conscious from day one.
Automation and monitoring are essential to stay ahead of threats.
The Most Common Security Mistakes Teams Make
Ignoring security in early development phases.
Relying on default security settings.
Not updating or patching vulnerabilities promptly.
How to Stay Ahead of Emerging Security Threats
Continuous learning and certifications.
Following cybersecurity news and threat intelligence.
Engaging in ethical hacking and penetration testing.
Tools and Technologies for Security Engineers
Essential DevSecOps Tools for Secure Development
SAST (Static Application Security Testing): SonarQube, Checkmarx.
DAST (Dynamic Application Security Testing): OWASP ZAP, Burp Suite.
Container Security: Aqua Security, Twistlock.
Cloud Security Platforms and Solutions
Cloud-Native Security Tools: AWS Security Hub, Azure Security Center.
SIEM Solutions: Splunk, IBM QRadar for threat detection.
The Role of AI and Automation in Cybersecurity
AI-driven Threat Detection: Identifying anomalies in real-time.
Automated Incident Response: Reducing manual intervention.
Future of Security Engineering
Emerging Trends in DevSecOps and Cloud Security
Shift from reactive to proactive security strategies.
Greater integration of security into AI and ML models.
Focus on privacy-enhancing technologies.
The Growing Importance of Zero Trust Architecture
Zero Trust ensures that no entity is trusted by default. Organizations implement:
Micro-segmentation to limit lateral movement.
Identity and access management (IAM) for strict access control.
Predictions for the Next Decade in Cybersecurity
More stringent compliance regulations.
Greater use of blockchain for security verification.
Widespread adoption of security automation.
Conclusion
Final Thoughts from a Security Engineer
Security engineering is an ever-evolving field. Organizations that integrate security early and leverage automation will be better positioned against future threats.
How to Get Started with DevSecOps and Cloud Security
Learn the basics of DevSecOps and cloud security.
Experiment with security tools in cloud environments.
Stay informed through cybersecurity forums and training.
By embracing DevSecOps and cloud security, businesses can build resilient, future-proof systems that withstand evolving threats.
0 notes
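The post above lists "policy enforcement" in CI/CD and "Security as Code" as practices without showing what one looks like. The following is an added example, not code from the original post or from any vendor tool it names. It assumes a constructed, simplified inventory format (a list of dicts with a "type" key and a few type-specific fields; a Terraform plan or a cloud API export would be richer) and constructed resource names. Each policy is a pure function from inventory to findings, an explicit tag documents an accepted exception, and the gate fails the pipeline when any finding reaches the configured severity:

```python
"""Security-as-code policy checks over a constructed cloud inventory.

Added example, not code from the original post. The inventory format (a list
of dicts with a "type" key and a few type-specific fields) is an assumption;
real inventories are richer, but the pattern holds: each policy is a pure
function from inventory to findings, and CI fails above a severity threshold.
"""
import ipaddress
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389, 5985, 5986}          # SSH, RDP, WinRM
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Finding:
    policy: str
    resource: str
    severity: str
    detail: str

def _tagged(resource, key, value="true"):
    """Exception mechanism: an explicit tag records an accepted risk."""
    return resource.get("tags", {}).get(key) == value

def check_public_buckets(inventory):
    """Buckets readable by anyone, unless tagged as intentionally public."""
    return [Finding("public-bucket", r["name"], "high",
                    "publicly readable and not tagged public-ok=true")
            for r in inventory
            if r["type"] == "bucket" and r.get("public") and not _tagged(r, "public-ok")]

def check_admin_ports_exposed(inventory):
    """Security-group ingress on admin ports from outside private address space."""
    findings = []
    for r in inventory:
        if r["type"] != "security_group":
            continue
        for rule in r.get("ingress", []):
            if rule["port"] not in ADMIN_PORTS:
                continue
            net = ipaddress.ip_network(rule["cidr"], strict=False)
            if net.prefixlen > 0 and net.is_private:
                continue
            # A /0 is the whole internet; any other non-private range is narrower.
            severity = "high" if net.prefixlen == 0 else "medium"
            findings.append(Finding("admin-port-exposed", r["name"], severity,
                                    f"port {rule['port']} open from {net}"))
    return findings

def check_console_users_without_mfa(inventory):
    """Human (console) users must have MFA; API-only principals are out of scope here."""
    return [Finding("no-mfa", r["name"], "high", "console user without MFA")
            for r in inventory
            if r["type"] == "iam_user" and r.get("console_access") and not r.get("mfa")]

def check_unencrypted_storage(inventory):
    """Buckets and block volumes must be encrypted at rest."""
    return [Finding("unencrypted-storage", r["name"], "medium",
                    f"{r['type']} is not encrypted at rest")
            for r in inventory
            if r["type"] in ("bucket", "volume") and not r.get("encrypted")]

POLICIES = [check_public_buckets, check_admin_ports_exposed,
            check_console_users_without_mfa, check_unencrypted_storage]

def evaluate(inventory):
    """Run every policy and return the combined findings."""
    findings = []
    for policy in POLICIES:
        findings.extend(policy(inventory))
    return findings

def gate(findings, fail_on="high"):
    """True when the pipeline may proceed: nothing at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    return not any(SEVERITY_RANK[f.severity] >= threshold for f in findings)

# Constructed sample inventory; none of this is real infrastructure.
SAMPLE_INVENTORY = [
    {"type": "bucket", "name": "public-assets", "public": True, "encrypted": True,
     "tags": {"public-ok": "true"}},
    {"type": "bucket", "name": "customer-exports", "public": True, "encrypted": False},
    {"type": "bucket", "name": "build-cache", "public": False, "encrypted": True},
    {"type": "security_group", "name": "sg-bastion",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"type": "security_group", "name": "sg-web",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "10.0.0.0/8", "port": 22}]},
    {"type": "iam_user", "name": "deploy-bot", "mfa": False, "console_access": False},
    {"type": "iam_user", "name": "alice", "mfa": False, "console_access": True},
    {"type": "volume", "name": "db-data", "encrypted": False},
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.policy:20} {f.resource}: {f.detail}")
    raise SystemExit(0 if gate(results) else 1)
```

Run it as a CI step and the non-zero exit code blocks the deploy; the sample inventory produces three high and two medium findings, so the gate fails. The tag-based exception is the part teams most often get wrong: without it, engineers learn to ignore the scanner, and with it undocumented, nobody can audit why a public bucket was allowed.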
selenastaylors · 2 years ago
Text
okay besties everyone put in their tags what theyre majoring or what they majored in im so curious
24K notes · View notes
mostlysignssomeportents · 1 year ago
Text
How I got scammed
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2024/02/05/cyber-dunning-kruger/#swiss-cheese-security
I wuz robbed.
More specifically, I was tricked by a phone-phisher pretending to be from my bank, and he convinced me to hand over my credit-card number, then did $8,000+ worth of fraud with it before I figured out what happened. And then he tried to do it again, a week later!
Here's what happened. Over the Christmas holiday, I traveled to New Orleans. The day we landed, I hit a Chase ATM in the French Quarter for some cash, but the machine declined the transaction. Later in the day, we passed a little credit-union's ATM and I used that one instead (I bank with a one-branch credit union and generally there's no fee to use another CU's ATM).
A couple days later, I got a call from my credit union. It was a weekend, during the holiday, and the guy who called was obviously working for my little CU's after-hours fraud contractor. I'd dealt with these folks before – they service a ton of little credit unions, and generally the call quality isn't great and the staff will often make mistakes like mispronouncing my credit union's name.
That's what happened here – the guy was on a terrible VOIP line and I had to ask him to readjust his mic before I could even understand him. He mispronounced my bank's name and then asked if I'd attempted to spend $1,000 at an Apple Store in NYC that day. No, I said, and groaned inwardly. What a pain in the ass. Obviously, I'd had my ATM card skimmed – either at the Chase ATM (maybe that was why the transaction failed), or at the other credit union's ATM (it had been a very cheap looking system).
I told the guy to block my card and we started going through the tedious business of running through recent transactions, verifying my identity, and so on. It dragged on and on. These were my last hours in New Orleans, and I'd left my family at home and gone out to see some of the pre-Mardi Gras krewe celebrations and get a muffalata, and I could tell that I was going to run out of time before I finished talking to this guy.
"Look," I said, "you've got all my details, you've frozen the card. I gotta go home and meet my family and head to the airport. I'll call you back on the after-hours number once I'm through security, all right?"
He was frustrated, but that was his problem. I hung up, got my sandwich, went to the airport, and we checked in. It was total chaos: an Alaska Air 737 Max had just lost its door-plug in mid-air and every Max in every airline's fleet had been grounded, so the check-in was crammed with people trying to rebook. We got through to the gate and I sat down to call the CU's after-hours line. The person on the other end told me that she could only handle lost and stolen cards, not fraud, and given that I'd already frozen the card, I should just drop by the branch on Monday to get a new card.
We flew home, and later the next day, I logged into my account and made a list of all the fraudulent transactions and printed them out, and on Monday morning, I drove to the bank to deal with all the paperwork. The folks at the CU were even more pissed than I was. The fraud had run up to more than $8,000, and if Visa refused to take it out of the merchants where the card had been used, my little credit union would have to eat the loss.
I agreed and commiserated. I also pointed out that their outsource, after-hours fraud center bore some blame here: I'd canceled the card on Saturday but most of the fraud had taken place on Sunday. Something had gone wrong.
One cool thing about banking at a tiny credit-union is that you end up talking to people who have actual authority, responsibility and agency. It turned out that the woman who was processing my fraud paperwork was a VP, and she decided to look into it. A few minutes later she came back and told me that the fraud center had no record of having called me on Saturday.
"That was the fraudster," she said.
Oh, shit. I frantically rewound my conversation, trying to figure out if this could possibly be true. I hadn't given him anything apart from some very anodyne info, like what city I live in (which is in my Wikipedia entry), my date of birth (ditto), and the last four digits of my card.
Wait a sec.
He hadn't asked for the last four digits. He'd asked for the last seven digits. At the time, I'd found that very frustrating, but now – "The first nine digits are the same for every card you issue, right?" I asked the VP.
I'd given him my entire card number.
Goddammit.
The thing is, I know a lot about fraud. I'm writing an entire series of novels about this kind of scam:
https://us.macmillan.com/books/9781250865878/thebezzle
And most summers, I go to Defcon, and I always go to the "social engineering" competitions where an audience listens as a hacker in a soundproof booth cold-calls merchants (with the owner's permission) and tries to con whoever answers the phone into giving up important information.
But I'd been conned.
Now look, I knew I could be conned. I'd been conned before, 13 years ago, by a Twitter worm that successfully phished my password out of me via DM:
https://locusmag.com/2010/05/cory-doctorow-persistence-pays-parasites/
That scam had required a miracle of timing. It started the day before, when I'd reset my phone to factory defaults and reinstalled all my apps. That same day, I'd published two big online features that a lot of people were talking about. The next morning, we were late getting out of the house, so by the time my wife and I dropped the kid at daycare and went to the coffee shop, it had a long line. Rather than wait in line with me, my wife sat down to read a newspaper, and so I pulled out my phone and found a Twitter DM from a friend asking "is this you?" with a URL.
Assuming this was something to do with those articles I'd published the day before, I clicked the link and got prompted for my Twitter login again. This had been happening all day because I'd done that mobile reinstall the day before and all my stored passwords had been wiped. I entered it but the page timed out. By that time, the coffees were ready. We sat and chatted for a bit, then went our own ways.
I was on my way to the office when I checked my phone again. I had a whole string of DMs from other friends. Each one read "is this you?" and had a URL.
Oh, shit, I'd been phished.
If I hadn't reinstalled my mobile OS the day before. If I hadn't published a pair of big articles the day before. If we hadn't been late getting out the door. If we had been a little more late getting out the door (so that I'd have seen the multiple DMs, which would have tipped me off).
There's a name for this in security circles: "Swiss-cheese security." Imagine multiple slices of Swiss cheese all stacked up, the holes in one slice blocked by the slice below it. All the slices move around and every now and again, a hole opens up that goes all the way through the stack. Zap!
The fraudster who tricked me out of my credit card number had Swiss cheese security on his side. Yes, he spoofed my bank's caller ID, but that wouldn't have been enough to fool me if I hadn't been on vacation, having just used a pair of dodgy ATMs, in a hurry and distracted. If the 737 Max disaster hadn't happened that day and I'd had more time at the gate, I'd have called my bank back. If my bank didn't use a slightly crappy outsource/out-of-hours fraud center that I'd already had sub-par experiences with. If, if, if.
The next Friday night, at 5:30PM, the fraudster called me back, pretending to be the bank's after-hours center. He told me my card had been compromised again. But: I hadn't removed my card from my wallet since I'd had it replaced. Also, it was half an hour after the bank closed for the long weekend, a very fraud-friendly time. And when I told him I'd call him back and asked for the after-hours fraud number, he got very threatening and warned me that because I'd now been notified about the fraud that any losses the bank suffered after I hung up the phone without completing the fraud protocol would be billed to me. I hung up on him. He called me back immediately. I hung up on him again and put my phone into do-not-disturb.
The following Tuesday, I called my bank and spoke to their head of risk-management. I went through everything I'd figured out about the fraudsters, and she told me that credit unions across America were being hit by this scam, by fraudsters who somehow knew CU customers' phone numbers and names, and which CU they banked at. This was key: my phone number is a reasonably well-kept secret. You can get it by spending money with Equifax or another nonconsensual doxing giant, but you can't just google it or get it at any of the free services. The fact that the fraudsters knew where I banked, knew my name, and had my phone number had really caused me to let down my guard.
The risk management person and I talked about how the credit union could mitigate this attack: for example, by better-training the after-hours card-loss staff to be on the alert for calls from people who had been contacted about supposed card fraud. We also went through the confusing phone-menu that had funneled me to the wrong department when I called in, and worked through alternate wording for the menu system that would be clearer (this is the best part about banking with a small CU – you can talk directly to the responsible person and have a productive discussion!). I even convinced her to buy a ticket to next summer's Defcon to attend the social engineering competitions.
There's a leak somewhere in the CU systems' supply chain. Maybe it's Zelle, or the small number of corresponding banks that CUs rely on for SWIFT transaction forwarding. Maybe it's even those after-hours fraud/card-loss centers. But all across the USA, CU customers are getting calls with spoofed caller IDs from fraudsters who know their registered phone numbers and where they bank.
I've been mulling this over for most of a month now, and one thing has really been eating at me: the way that AI is going to make this kind of problem much worse.
Not because AI is going to commit fraud, though.
One of the truest things I know about AI is: "we're nowhere near a place where bots can steal your job, we're certainly at the point where your boss can be suckered into firing you and replacing you with a bot that fails at doing your job":
https://pluralistic.net/2024/01/15/passive-income-brainworms/#four-hour-work-week
I trusted this fraudster specifically because I knew that the outsource, out-of-hours contractors my bank uses have crummy headsets, don't know how to pronounce my bank's name, and have long-ass, tedious, and pointless standardized questionnaires they run through when taking fraud reports. All of this created cover for the fraudster, whose plausibility was enhanced by the rough edges in his pitch - they didn't raise red flags.
As this kind of fraud reporting and fraud contacting is increasingly outsourced to AI, bank customers will be conditioned to deal with semi-automated systems that make stupid mistakes, force you to repeat yourself, ask you questions they should already know the answers to, and so on. In other words, AI will groom bank customers to be phishing victims.
This is a mistake the finance sector keeps making. 15 years ago, Ben Laurie excoriated the UK banks for their "Verified By Visa" system, which validated credit card transactions by taking users to a third party site and requiring them to re-enter parts of their password there:
https://web.archive.org/web/20090331094020/http://www.links.org/?p=591
This is exactly how a phishing attack works. As Laurie pointed out, this was the banks training their customers to be phished.
I came close to getting phished again today, as it happens. I got back from Berlin on Friday and my suitcase was damaged in transit. I've been dealing with the airline, which means I've really been dealing with their third-party, outsource luggage-damage service. They have a terrible website, their emails are incoherent, and they officiously demand the same information over and over again.
This morning, I got a scam email asking me for more information to complete my damaged luggage claim. It was a terrible email, from a noreply@ email address, and it was vague, officious, and dishearteningly bureaucratic. For just a moment, my finger hovered over the phishing link, and then I looked a little closer.
On any other day, it wouldn't have had a chance. Today – right after I had my luggage wrecked, while I'm still jetlagged, and after days of dealing with my airline's terrible outsource partner – it almost worked.
So much fraud is a Swiss-cheese attack, and while companies can't close all the holes, they can stop creating new ones.
Meanwhile, I'll continue to post about it whenever I get scammed. I find the inner workings of scams to be fascinating, and it's also important to remind people that everyone is vulnerable sometimes, and scammers are willing to try endless variations until an attack lands at just the right place, at just the right time, in just the right way. If you think you can't get scammed, that makes you especially vulnerable:
https://pluralistic.net/2023/02/24/passive-income/#swiss-cheese-security
Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg
CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en
10K notes · View notes
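The decisive detail in the post above is the "last seven digits" request: the card's first nine digits are shared across the credit union's cards, so nine plus seven is the whole 16-digit number. The following is an added example, not part of the original post. It assumes a 16-digit card number (PAN) with a fixed 9-digit issuer prefix, as the post describes; ISSUER_PREFIX and SAMPLE_PAN are constructed values, not a real BIN or card. It goes one step beyond the post by counting, for each suffix length a caller might ask for, how many PANs remain possible once the Luhn check digit is taken into account:

```python
"""Why "read me the last seven digits" handed over the whole card number.

Added example, not part of the original post. It assumes a 16-digit PAN whose
first nine digits are the same for every card the issuer prints, as the post
says of this credit union. ISSUER_PREFIX and SAMPLE_PAN are made-up values,
not a real BIN or card. Given the shared prefix and the last k digits a caller
asks for, candidates() lists every PAN that fits and passes the Luhn check,
which shows how little of the number is actually secret.
"""
from itertools import product

PAN_LENGTH = 16
ISSUER_PREFIX = "400000012"          # constructed 9-digit shared prefix, not a real BIN
SAMPLE_PAN = "4000000123456784"      # constructed Luhn-valid PAN with that prefix


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidates(prefix: str, suffix: str, length: int = PAN_LENGTH) -> list:
    """Every Luhn-valid PAN of `length` digits with the given prefix and suffix."""
    unknown = length - len(prefix) - len(suffix)
    if unknown < 0:
        raise ValueError("prefix and suffix together exceed the PAN length")
    found = []
    # Brute-force the unknown middle digits; Luhn prunes 9 in 10 of them.
    for middle in product("0123456789", repeat=unknown):
        pan = prefix + "".join(middle) + suffix
        if luhn_valid(pan):
            found.append(pan)
    return found


def leak_table(prefix: str, pan: str) -> dict:
    """How many PANs remain possible when the caller learns the last k digits."""
    return {k: len(candidates(prefix, pan[-k:], len(pan))) for k in (4, 5, 6, 7)}


if __name__ == "__main__":
    assert SAMPLE_PAN.startswith(ISSUER_PREFIX) and luhn_valid(SAMPLE_PAN)
    for k, n in leak_table(ISSUER_PREFIX, SAMPLE_PAN).items():
        print(f"last {k} digits disclosed -> {n} candidate PAN(s)")
    print("last 7 reconstructs:", candidates(ISSUER_PREFIX, SAMPLE_PAN[-7:]))
```

With a shared 9-digit prefix, the last four digits leave 100 Luhn-valid candidates, the last five leave 10, and the last six already pin the card down to one, because the Luhn check digit fixes the single remaining digit. Asking for seven was more than the attacker even needed. The practical check for a customer is simple: a genuine fraud desk already has the card number and only ever asks you to confirm the last four, so any request for more is the signal to hang up and call the number on the card.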
iridescentalchemyst · 2 years ago
Text
Interested in Cyber Security?
What do you know about ETHICAL hacking? Interested in Cyber Security? Use my Referral Link to earn us both $5 in TryHackMe cash when you sign up on the website!
I found a new website that I am excited to share about! TryHackMe is a web-based learning platform that is dedicated strictly to teaching cyber security and promoting ethical hacking! TryHackMe.com It doesn’t matter if you are a complete newbie (like me) or if you come with experience, the website is very user-friendly! Careers in Cyber Security Cyber Security refers to the people,…
0 notes
fantastic-nonsense · 11 months ago
Text
however bad of a day you're having, know that it's not nearly as bad as whatever the Crowdstrike security team is going through since waking up this morning
2K notes · View notes
bluebellowl · 2 months ago
Text
Aiden is having his first day at Fazbear Entertainment.
His department: taking care of the Subway Bosses' mechanical wellbeing together with Elesa and Vincent.
Aiden can barely believe his luck...
The twins just had a rough month and need complete repair.
Aiden is an OC by the wonderful @toriblayde
Part 1/5
--- Part 2
595 notes · View notes
foone · 1 year ago
Text
Have you heard about the Polish Train company, Newag, and the bullshit it turns out they got up to?
So, the regional rail operator Koleje Dolnośląskie bought some Newag Impuls trains back in 2016. In late 2021, some of them need to have major maintenance done, as they've been in service a while. So the company SPS (Serwis Pojazdów Szynowych) gets the contract to fix them. They basically take the train apart, replace a bunch of it, following all the rules in the documentation Newag gave them, and... it won't move. The train says everything is fine, the brakes are off, there's plenty of power, but you push the throttle up and it won't move.
SPS spends a while trying to figure out what the fuck is wrong, with no luck. So they hire some hackers from the Polish security group Dragon Sector. Dragon Sector figures out how to get into the code of the computer system that runs the train, and OH MY GOD.
So it turns out there's a secret train-lock system. If it's on, the train won't move. This will be triggered in some situations you might think are normal: the clocks are wrong, the serial numbers of the various parts have changed, or there's a firmware mismatch between the main computer and the power system. Now, the fact that it makes sense to not run the train in these situations until someone can check it? That doesn't extend to the fact the train uses a SECRET lock system, rather than just popping up an error message telling you what's wrong. There's also the problem that while these are all potential error problems, they can't be cleared by anyone with the technical manuals, which are supposed to cover everything about how to run these trains. Only Newag themselves can reset this system.
Which, you know, keeps SPS from properly fixing them. Only Newag can fix them now, not because SPS lacks any technical ability, but because Newag sabotaged their own trains. But don't worry: it gets worse.
So now that Dragon Sector knows what's happening, they get to look at other trains. It turns out the trains aren't all running the same software, and there are other tricks in there.
One of them is a "how long has the train been stopped?" check. If the train hasn't hit 60 km/h in 10 days, the train locks itself and won't move until Newag can clear it. So, like, if a train is ever out of service, like it's going to a repair place... it'll break itself. Unless the repair place is owned by Newag.
But two of the trains go further: See, these trains have GPS built in, right? You may be able to guess where this is going...
THEY JUST MAKE THE TRAIN CHECK IF IT IS PARKED AT THEIR COMPETITORS' REPAIR YARD AND BREAK ITSELF IF IT WAS.
The sheer audacity of this move. This is frighteningly bullshit anti-competition self-sabotage.
This has, obviously, led some parts of the Polish government to start investigating. Newag may be (and hopefully will be) in a lot of trouble.
For more info, there's a great video of a presentation by the three people from Dragon Sector who did the hacking, which was presented at the 37th Chaos Communication Congress in Germany.
Ars Technica also has an article on it, but it predates the presentation so it doesn't have some of the later details.
Anyway, the good news is that in the end the hackers at Dragon Sector were able to unlock most of the trains: A few had additional trickery that they didn't want to hack around, because it might break the train's certification. For the others, they discovered undocumented "cheat codes" in the software that they could use to bypass the secret lockouts... presumably the same ones that Newag would have used when they "repaired" trains.
5K notes · View notes
phopollo · 5 months ago
Text
Been absolutely possessed the past couple of weeks to make the softest ship content
353 notes · View notes
phantasmaghostic · 9 months ago
Text
I've spent these last two days reading @midnight-mourning 's fanfic and all I can say is just WOW. This has been such an enjoyable read! AND the plot twists?? Chef Kiss
It's kinda funny how I got dragged into the fnaf fandom even though I have yet to play the games. You all in the fandom are so talented and creative.
Anyways. Sun and Y/N sketch :) Sun holding the hard drive and Y/N holding one of the folders and the USB
804 notes · View notes
shiftythoughts · 1 month ago
Text
This is probably me being absolutely silly, but this photo I took yesterday looks like Killerwatt is absolutely adoring and admiring Electra as they pose and glisten under the lights, like "yeah that's my boss, look at them!"
I'm a fan of Killerwatt/Electra and you can't stop me guys
165 notes · View notes
otterdrawz · 6 months ago
Note
Silly doodle of the components chewing on Electra like rabid pack animals
Crying
393 notes · View notes
gobseul1 · 1 month ago
Text
Just some random stuff
why BV so hard to draw☹
137 notes · View notes
varian-caboose · 5 months ago
Text
250 notes · View notes
charleystrainyard · 5 months ago
Text
A normal day in Bochum...
260 notes · View notes
theredplanetblog · 3 months ago
Text
Electra with their little guys 🥺 featuring prototype designs for the components
ref under the cut
(I’m like 99% sure someone drew this exact pose with a different leccy but I can’t find it now so if you know who please tag them!)
138 notes · View notes