Governance, risk, and compliance (GRC) management presents some unique challenges for organizations that deploy a myriad of cloud resources, services, and accounts. Simple misconfigurations in any of these assets can lead to a serious data breach, and compliance issues become even more prevalent as organizations try to inventory and manage assets across multiple cloud platforms and security and auditing tools.

In the first article in this series we covered the basics. In the second article about the planning process, we covered how developers incorporate security at the beginning of their project. This article explores DevSecOps during the Continuous Integration (CI) phase of the coding process and how to protect the code from supply chain attacks, license issues, and theft. Developers are advised during planning to use secure coding best-practices during the coding process.

The Data Security and Protection Toolkit (DSP Toolkit) is an NHS operated online tool that enables organisations in benchmarking their security against the National Data Guardian’s 10 Data Security Standards (NDG Standards).

According to Gartner, enterprise usage of AIOps is set to surge from a mere 5% in 2018 to a whopping 30% in 2023. To survive in an increasingly competitive market, MSPs must not only respond well to customer expectations but anticipate them. Another Gartner report states that by 2025, over 80% of public cloud managed and professional services deals will require both hybrid and multi-cloud capabilities from the provider, up from below 50% in 2020.

Web applications are continuously evolving due to the hypo-velocity of code changes and stream of new features and functionality leaving businesses exposed to application security risks. A new wave of automated pen testing conducted through a software as a service delivery model can help reduce this risk by providing automated vulnerability findings in real time.

As a former systems and network administrator, I understand the demands that are placed on today’s IT professionals. It’s true that skills gap continues to hamper IT and security personnel, for example. In early 2020, Tripwire revealed the results of a survey in which 83% of security professionals noted that they felt more overworked going into that year than they did at the start of 2019.

Guessing how many marbles are in a jar is either a fun carnival game (pick the average based on the wisdom of the crowd) or a math problem involving orb volume, cylinder volume and the estimated space between marbles. You can also just count the marbles. Unfortunately, when it comes to identifying the number of devices connected to your network, none of these approaches works – although quasi-manual counting remains all too common.

We’ve seen a massive increase in the number of open source packages created and used in the wild during the past few years. These days every ecosystem has its package manager, and almost every package manager has its hidden gems and configurations. That said, as developers continuously install an ever-expanding number of packages, attackers gain interest in the packages’ attack surfaces. Then, the journey to craft the perfectly hidden malicious package begins.

As we witness history in the making, the scale and complexity of the conflict are immeasurable. When focusing on the cyber warfare aspect of the conflict we can see, first time in history, warfare that includes every type of cyber-personal, state-sponsored groups, ransomware groups, hacktivists, DDoS actors, script kitties and even volunteers that want to join the cause.

The cyber risk landscape changes quickly. In the last few years we’ve seen a rise in the number of ransomware attacks, and the end of 2021 was marked by the Log4J vulnerability. As data stacks get bigger and more difficult to defend, you may be wondering what threats are on the horizon in 2022. Based on what we’ve seen so far, the coming year’s risks are likely to be fairly familiar.