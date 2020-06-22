Security: Compliance, CISO, Patches, Principles for Making Your Linux System More Secure and TPM
What enterprise developers need to know about security and compliance
One of the luxuries of my job is that I get to speak to and work with a range of IT people employed by U.S. federal and state government agencies. That range includes DevOps engineers, developers, sysadmins, database administrators, and security professionals. Everyone I talk to, even security professionals, says that IT security and compliance can be imprecise, subjective, overwhelming, and variable—especially in the federal government.
Josh Bressers: The ineffective CISO
I’ve been thinking about this one for a while. I’ve seen some CISOs who are amazing at what they do, and I’ve seen plenty that can’t get anything done. After working with one that I think is particularly good lately, I’ve made some observations that has changed my mind about the modern day CISO reporting structure.
The TL;DR of this post is if you have a CISO that claims they can only get their job done if they report to the board or CEO, you have an ineffective CISO.
All change, even change in our organizations tends to obey Newton’s Third Law of motion. For every action there must be an equal and opposite action. Change happens because there is something driving that change. Change doesn’t happen because someone is complaining about it. A CEO demanding action could be your incentive. Maybe you need better security posture to help sales. Maybe you had an incident and making sure it never happens again is a driver.
What’s the inception for security change in your organization? If bad security is holding back sales, that’s easy to understand. But what happens when there isn’t an obvious need for security? All change in an organization, especially security change, will be the result of some other action. In our case we are going to call that action our incentive.
Security updates for Tuesday
Security updates have been issued by CentOS (thunderbird), Debian (wordpress), Fedora (ca-certificates, kernel, libexif, and tomcat), openSUSE (chromium, containerd, docker, docker-runc, golang-github-docker-libnetwork, fwupd, osc, perl, php7, and xmlgraphics-batik), Oracle (unbound), Red Hat (containernetworking-plugins, dpdk, grafana, kernel, kernel-rt, kpatch-patch, libexif, microcode_ctl, ntp, pcs, and skopeo), Scientific Linux (unbound), SUSE (kernel, mariadb, mercurial, and xawtv), and Ubuntu (mutt and nfs-utils).
Principles for Making Your Linux System More Secure
Security by design not only makes for a securer system, it also provides a better understanding of how your Linux system is constructed. Here are 10 of the most common security by design principles.
To many users, security is a matter of using the right tools – a matter, for instance, of setting up a firewall or perhaps an antivirus application. Such tools should be part of any security policy, but they are lacking in two important ways. First, they do not add up to any coherent understanding of security. Users install these tools, but without much understanding of the security principles that lie behind them. Second, many are reactive tools, designed to respond to an intrusion, rather than prevent them in the first place. A more fruitful approach is security by design, which offers basic approaches to writing software or configuring a system.
[...]
Open Design
One major advantage of free software is that development is public. Anyone can access the code, and the engineering standards are freely available, which means that with open design there is a greater chance of improvements or of bugs being detected. This principle was expressed in Eric S. Raymond’s The Cathederal and the Bazaar as “given enough eyeballs, all bugs are shallow.” It is named Linus’s Law in honor of Linus Torvalds.
The opposite of open design is security by obscurity, which is frequently considered a practice of proprietary software development. Instead of reporting a bug as soon as it discovered – the common practice in free software – security by obscurity delays reporting the bug until a patch is released. The problem with this practice is that no one knows if the bug is exploited during the wait for the patch, which can take months. By contrast, open design provides an incentive to write a speedy patch and allows more than one person or team to write a patch. Open design is not foolproof, and it is not always followed, but at the very least, it minimizes security risks.
TCG Pushes for Security in Embedded, Automotive, and IoT Systems with Complete TPM 2.0 Software Stack
The completed TCG TSS Stack standard now supports a wide range of devices making it possible to integrate the TPM 2.0 as a turnkey solution and to achieve interoperability for platform security, network communication, and data exchange.
