
Best of TechBeacon 2019: Security is in the hot seat with privacy laws

Jaikumar Vijayan, Freelance writer

New laws such as the California Consumer Privacy Act (CCPA) and the European Union's General Data Protection Regulation (GDPR) have put substantial pressure on organizations to bolster their security practices this year. Adding to the urgency were the near-constant reports of data breaches, an ever-evolving threat landscape, and a growing volume of attacks.

Here are TechBeacon's top 12 security stories from 2019, covering a range of topics that remain of vital importance to security and IT leaders across the industry.

These top reports cover trends in the application and information security space and around app development and identity and access management. They identify significant trends, offer actionable advice, and list key takeaways on matters that information security leaders and practitioners deal with on a daily basis.


Application security

Open source and risk: 4 application security action items

A majority of applications used across industries contain open source code. Software development organizations looking to push code out quickly are increasingly using risky open-source components to build applications, without much regard for the security implications. Freelance writer John P. Mello offers four tips for securing open-source software based on conversations with multiple security experts.

What you should know about web application firewall testing

A web application firewall (WAF) blocks attacks at the application layer and is a critical component of the security stack at many organizations. In this report, Franziska Buehler, systems architect at Puzzle ITC, explains why organizations should include WAFs in their UI tests and end-to-end tests early in the development cycle. Such testing can ensure the WAF works effectively without degrading application functionality, Buehler says.

Master your code's open source or it will bite you in the app sec

Organizations that use open-source components to build software need to account for the potential risks and tradeoffs they are assuming. Configuration management and an inventory of open-source components are vital to security, says Stan Wisseman, chief security strategist at Micro Focus. Here he offers two ways organizations can use open source safely.

Information security

The dangers of breach fatigue—and how to take action

Breach fatigue is not something that happens just with consumers—enterprise organizations can have it as well. Incessant data breach reports can cause fatigue for employees and IT leaders alike, and leave organizations vulnerable to insider threats and less-than-optimal security strategies. Jadee Hanson, CISO and vice president of information systems at Code42, draws on her experience building corporate security programs to explain how to recognize breach fatigue and deal with it.

When your own tools attack: The top 5 offenders

Threat actors are increasingly using legitimate administration tools and services in carrying out attacks. Tools such as PowerShell and Windows Management Instrumentation (WMI) are the most commonly abused in attacks, but they are not the only ones. Such living-off-the-land tactics allow attackers to evade detection and maintain persistence on a network for long periods. Freelance writer Robert Lemos lists the top five legitimate tools that attackers tend to use at the moment.

How to marry security and IT operations

IT operations teams and the security group can be at loggerheads because of their differing priorities. Security teams view their mission primarily as securing the confidentiality, integrity, and availability of IT services, while the IT operations team is focused on performance, availability, and efficiency. To address the issue, security teams need to be willing to work with IT operations to enable safe software delivery and breach mitigation, says Travis Greene, a US Naval Academy graduate and current IT evangelist at Micro Focus.


Data security

What your data security team needs to know about the CCPA

The California Consumer Privacy Act (CCPA) has become to businesses in the US what the General Data Protection Regulation (GDPR) is for organizations in the European Union. Like the GDPR, the California law spells out specific measures that organizations must take to protect the security and privacy of consumer data and mandates substantial fines and penalties for non-compliance. Ty Sbano, head of information security at Periscope Data, provides the lowdown on the law and tips about how to comply with it.

GDPR execution will be a major task this year—and reap benefits

Though GDPR went into effect in May 2018, more than a year later a substantial number of organizations are still only working toward compliance with the law. For CISOs, CSOs, and IT security leaders who assumed that the task of complying with the law was complete, 2019 turned out to be the year for its practical execution in the enterprise. David Kemp, business strategist for security risk and governance at Micro Focus, uses his GDPR expertise to explain why compliance remains a major task but why it will be beneficial.

The state of encryption: A call for faster adoption

Encryption technologies and their ability to secure email and other communications on the internet have gradually evolved over the past two decades. Growing attack sophistication and a fast-evolving threat landscape have made it increasingly necessary to implement encryption as a data protection measure. Several statutes and industry standards, such as HIPAA, PCI DSS, and GDPR, require or encourage its use. Luther Martin, distinguished technologist at Micro Focus, expounds on the current state of encryption.

Identity and access management

Extend your Active Directory security policy to Linux and beyond

Adopting cloud computing and software-as-a-service models has resulted in a growing number of enterprise devices now living outside the reach of traditional identity and access management tools, including Microsoft Active Directory. Teams that want to centralize security and policy management need to find a way to extend Active Directory group policies to Linux, Unix, and cloud virtual machines. Danny Kim, founder and CTO of FullArmor and a professional who has helped dozens of organizations deploy their security policies, offers advice on how to extend AD.

Single sign-on still open to attack: An inside look

Single sign-on (SSO) technologies allow for greater user convenience but remain dangerously susceptible to attack. Two vulnerabilities revealed by researchers at Micro Focus Fortify during Black Hat in Las Vegas served as the most recent examples of the issue. One of the vulnerabilities gave attackers a way to launch a denial-of-service attack, while the other was a privilege escalation issue. Freelance writer Robert Lemos reports on what the bugs were about and the lessons to be learned from them.

How to get single sign-on right in today's hybrid IT environments

Most employees expect a single sign-on experience in the corporate environment, but implementing it can be a challenge. The technology stack has become far more complex than it was even a few years ago. Business apps are scattered across on-premises, public cloud, and hybrid environments, and users access applications from multiple devices and locations. Freelance writer Robert Lemos speaks to analysts from Forrester Research, identity provider OneLogin, and other experts to explain what you need to do to get SSO right in today's hybrid IT setups.
