Recently, ThreatQuotient hosted an interactive discussion regarding security orchestration and cyber security automation adoption – what it is, what it’s meant to do, and why it can present a challenge for security teams to set up and maintain. What we heard from attendees was that the most common issues preventing them from integrating some form of security automation into their internal processes are the necessary time and resources.

The OWASP API Security Top 10 list highlights the most critical API security risks to web applications. Shifting security left means that API security can’t be left only to security teams. Developers need to be on top of potential vulnerabilities and remediate them as they develop. Building security into DevOps means we need to be thinking about how to deliver secure, high-quality code at velocity. Having some basic API security info under your belt will help.

You might think that your metrics are harmless from a security point of view. Well, that’s not true, and in this talk at KubeCon Valencia 2022, we share the risk of exposed Prometheus server and how attackers use this information to successfully access a Kubernetes cluster. The slides are available here, and we also collected some mentions in social media and blogs and the feedback was very positive: It was our first time as speakers at KubeCon and expectations were really high.

Digital-first businesses are striving for service assurance, which has become the lifeblood for their businesses processes. But they are increasingly getting complex across legacy and cloud-native applications, multi-cloud distributed services, with the rise of edge and when leveraged with Kubernetes and microservices architectures. Service assurance needs full-stack observability; however, customers need an approach to tame the data deluge while enabling actionable insights.

Typically, when a web app needs something from an external server, the client sends a request to that server, the server responds, and the connection is subsequently closed. Consider a web app that shows stock prices. The client must repeatedly request updated prices from the server to provide the latest prices.

Today, WatchGuard announced that Vector Capital, a leading private equity firm specializing in transformational investments in established technology businesses, closed the deal to acquire interests previously owned by other co-investors, and become the company’s majority shareholder.

There have been many articles about the cost of a security breach. With the emergence of privacy regulations that assign penalties based on a business’ profit, or those that calculate a value for each compromised record, it is possible to calculate the cost of a breach based on those metrics. However, it would seem that these hard numbers are not detailed enough to placate many security professionals.

In 2018, as followers of Formula One (F1) will know, the fastest racing cars in the world got a controversial redesign. A new device was added to the cars; a curved bar or Halo, which was designed to protect the drivers’ heads in the event of a crash.

Zenity research team has recently discovered a potential customer data leakage in Storage by Zapier, a service used for simple environment and state storage for Zap workflows. With only a few simple steps and no authentication, we were able to access sensitive customer data. Given the nature of this flaw, it would be easy for bad actors to recreate our approach and access the same sensitive data without significant expertise.

More organizations than ever run on Infrastructure-as-Code cloud environments. While migration brings unparalleled scale and flexibility advantages, there are also unique security and ops issues many don’t foresee. So what are the major IaC ops and security vulnerabilities? Configuration drift. Cloud config drift isn’t a niche concern. Both global blue-chips and local SMEs have harnessed Coded Infrastructure.