VSHN.timer #32: Security, Privacy, and Incident Management

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

In an increasingly volatile and uncertain world, it seems to us appropriate to spend some time talking about security and incident management this week.

1. Last month was full of news about web browser security. First, Safari: Apple has decided to consider invalid all security certificates older than 13 months. This is a strong move, geared “to improve website security by making sure developers use certificates with the latest cryptographic standards,” and other browsers may well follow suit in the near future. Firefox, meanwhile, has decided to enable DNS over HTTPS, for US users at least.

https://www.schneier.com/blog/archives/2020/02/firefox_enables.html
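A practical follow-up to the Safari change is to check your own certificates' validity periods before a browser does it for you. The snippet below is an added example for this newsletter, not code from Apple, Mozilla or any linked article: it parses the `notBefore=`/`notAfter=` lines printed by `openssl x509 -in cert.pem -noout -dates` and flags any certificate whose lifetime exceeds 398 days, Apple's published figure for the "13 months" mentioned above. The sample date strings are constructed.

```python
"""Flag TLS certificates whose validity period exceeds the ~13-month limit.

Added example, not code from the original page or any linked project.
Input is the text printed by `openssl x509 -in cert.pem -noout -dates`;
the sample strings at the bottom are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Apple's published ceiling for new certificates: 398 days, roughly 13 months.
MAX_LIFETIME = timedelta(days=398)

# Date layout used by `openssl x509 -dates`, e.g. "Mar  1 00:00:00 2020 GMT".
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Return (not_before, not_after) from the notBefore=/notAfter= lines."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    not_before = datetime.strptime(fields["notBefore"], OPENSSL_DATE_FMT)
    not_after = datetime.strptime(fields["notAfter"], OPENSSL_DATE_FMT)
    # OpenSSL prints GMT; attach an explicit UTC tzinfo so comparisons are unambiguous.
    return (not_before.replace(tzinfo=timezone.utc),
            not_after.replace(tzinfo=timezone.utc))


def check_cert_dates(text: str) -> dict:
    """Summarise a certificate's validity window and whether it is too long."""
    not_before, not_after = parse_openssl_dates(text)
    lifetime = not_after - not_before
    return {
        "not_before": not_before,
        "not_after": not_after,
        "days": lifetime.days,
        "too_long": lifetime > MAX_LIFETIME,
    }


# Constructed sample output, as `openssl x509 -noout -dates` would print it.
ONE_YEAR_CERT = "notBefore=Mar  1 00:00:00 2020 GMT\nnotAfter=Mar  1 00:00:00 2021 GMT\n"
TWO_YEAR_CERT = "notBefore=Mar  1 00:00:00 2020 GMT\nnotAfter=Mar  1 00:00:00 2022 GMT\n"

if __name__ == "__main__":
    for label, sample in (("one-year", ONE_YEAR_CERT), ("two-year", TWO_YEAR_CERT)):
        result = check_cert_dates(sample)
        verdict = "TOO LONG" if result["too_long"] else "ok"
        print(f"{label}: {result['days']} days -> {verdict}")
```

Run it against real output by piping `openssl x509 -in cert.pem -noout -dates` into `check_cert_dates`; a `too_long` result means the certificate should be reissued with a shorter lifetime before Safari starts rejecting it.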

2. Always remember to update your browsers to the latest versions. Last week Google released a new version of Chrome with three security fixes, one of which (CVE-2020-6418) has already been exploited. Separately, a study found Brave to be the most private browser, so you might want to switch if you have any concerns.

https://www.ghacks.net/2020/02/25/study-finds-brave-to-be-the-most-private-browser/

3. Speaking of vulnerabilities, CVE-2020-0688 was published last week and describes a “Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys,” caused by a bug in the Exchange installation process that generates the same cryptographic keys on every installation instead of unique ones. But, as Latacora argues, the problem runs deeper than that: e-mail is unsafe, and cannot be made safer, not even through encryption.

https://latacora.micro.blog/2020/02/19/stop-using-encrypted.html

4. One of the biggest issues in software engineering, and decidedly an endless source of security issues, is requirements volatility. Charles R. Martin wrote about this problem on the Stack Overflow blog, highlighting the role of incremental development processes in helping developers manage this volatility. The article mentions a few historically relevant papers; if you are into reading them, you will enjoy the latest one by Bertrand Meyer and others, on precisely that topic: the anatomy of requirements.

https://stackoverflow.blog/2020/02/20/requirements-volatility-is-the-core-problem-of-software-engineering/

5. The tool of the week is Dispatch, a system created by Netflix to help them handle security incidents and streamline crisis management throughout their organization.

https://github.com/Netflix/dispatch

What tools do you use to manage security incidents? What best practices do you consistently apply in your organization? Get in touch with us through the form at the bottom of this page, and see you next week for another edition of VSHN.timer.