
Category Archives: UC Security Posts

Security Identity Management SISE 300-715 – Tech Reviewed!

It’s been a while since I started working on tech editing this manuscript by Aaron Woland and Katherine McNamara. Thanks to Cisco Press for the opportunity; this was quite a feat. Getting into the depths of modern-age identity and access management was a refreshing experience. The book is hot off the press, grab your copy today!

This book is a must for engineers, consultants, and architects alike who are tasked with solutioning and configuration of Cisco ISE, as well as for professionals in the field of AAA. It’s unmistakably one of the most authentic and elaborate titles on the topic.

I am sure that readers will enjoy reading it as much as the authors enjoyed writing it and I enjoyed editing it. Happy reading!

 

Posted by on February 1, 2021 in Clouds and More, UC Security Posts

 


Container Security Comes to the Party – Tech Edited!

(Once upon a time) I worked with Liz Rice (from Aquasec) on tech editing her latest and greatest title, Container Security, published by O’Reilly. It was great working on a cutting-edge technology title, especially when the IT world is moving to microservices-based architecture.

Security has always been in my DNA with everything ICT, and this was engaging both in the realm of container security and in putting leading practices from DevOps (more so DevSecOps) into place where readers would benefit from field experience. Glad to be part of this journey!

Here’s the book overview! Thankful to O’Reilly for including me on the team for this piece of art!

Here’s the link to download the ebook https://bit.ly/2L7lhpu

 

 


Let’s Talk about Shift+Left!

Security in IT and in code has been an afterthought for the longest time. Historically, security has been seen as a blocker rather than an enabler. That view held for as long as security issues weren’t real. In today’s connected and ‘agile’ world, security issues are very real and very threatening. The threat can relate to monetary losses, the reputation of the firm, and loss of clientele, amongst many other concerns.

As compliance with local legislation and regulations tightens with the proliferation of apps, mobile devices, and IoT, it becomes more important than ever to have security by design and security by default as part of the development process. Today’s average consumer wouldn’t wait days for an update to an app; it’s got to be hours. With such a rapid pace of developing new features or enhancing user experience, how can an organization inculcate a culture of secure development?

“Shift+Left” (or Shift Left) is the new paradigm in DevOps security that brings (secure) software testing earlier into the life cycle, to prevent defects early in the software delivery process. Moreover, tools for secure testing are included in the gating process, thereby enabling organizations to deliver apps and software with minimal vulnerabilities. AppSec anyone?

Note: Security is not, and can never be, 100%. While attempts to limit vulnerabilities are important, it is most crucial to accept that any piece of software is vulnerable.

The Shift Left approach also embraces automation as a key tenet, since automation reduces the possibility of errors while testing and deploying code in test environments.

Here are the key characteristics of the Shift Left approach to secure DevOps:

  1. Secure-by-design, resilient code that can be built upon for subsequent releases without going back and fixing the base code
  2. Seamless integration into the CI/CD pipeline
  3. Ability to fix vulnerabilities faster (heard of OWASP!)
  4. Increased feature velocity, with secure development and automation
  5. Testing code early and often, which leads to fewer surprises in the production environment

Concluding this short article, it is key to understand the concerns any organization would have going live with its app, putting its dear customers’ data or its own intellectual property on the line, without the right measures to include security testing during the development process. It’s better to focus on where it begins than to fix where it is found, which is ‘Shift+Left’.

 

Posted by on December 9, 2019 in UC Security Posts

 

DevSecOps – Making Sense of it

I’ve been working on multiple CI/CD initiatives with a wide array of customers in my rather new role. While it is a revelation how the industry has changed in less than a couple of years, it is also great to see new and cutting-edge technology helping make the Time To Market (TTM) short and products more user focused. As a result of my recent learning in the field and of interactions with customers and their DevOps teams, I thought I’d put out a short article along these lines.

So, there’s a question that almost always comes up in customer meetings: What is DevSecOps?

There’s one simple way to explain what it is and why the new ways of working (agile) need it more than ever. In its entirety, DevSecOps is the inclusion of leading practices and tools around secure code development via a secure Software Development Life Cycle (SDLC).

A more comprehensive way to portray the concept of DevSecOps: follow security leading practices and deliver code that is secure by design; include code review tools as well as Static Application Security Testing (SAST) and, where applicable and possible, Dynamic Application Security Testing (DAST); and lastly, create a cultural change where People, Process, and Technology (PPT) aren’t disconnected but connected and in line with the whole concept of security being an intrinsic part of the development process rather than an afterthought.

Following are some of the key initiatives which facilitate (not just theoretical but practical) DevSecOps adoption and execution.

Secure Coding Practices

Observe secure code development practices that lead to software with high resilience to exploits and vulnerabilities. This includes (and is in no way limited to) not hard-coding credentials or secrets, adhering to coding standards, and keeping an eye on the OWASP Top 10 vulnerabilities, their origins, and their remediation.
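One way to enforce the "no hard-coded credentials" practice as a Shift Left pipeline gate, shown as an added example that is not part of the original post. The regular expressions, the `nosecret` suppression marker and the sample files are assumptions made for illustration.

```python
import re
import sys

# Assignment of a string literal to a credential-looking name (assumed naming convention).
SECRET_ASSIGN = re.compile(
    r"""(?ix)\b([a-z0-9_]*(?:password|passwd|secret|api_?key|token)[a-z0-9_]*)
        \s*[:=]\s*(["'])(.+?)\2""")
# Values that are references rather than literals: template or env placeholders.
PLACEHOLDER = re.compile(r"^(\$\{.+\}|\{\{.+\}\}|<.+>)$")

def scan_text(path, text):
    """Return (path, line_no, name) for each hard-coded credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "nosecret" in line:  # hypothetical inline suppression marker
            continue
        for m in SECRET_ASSIGN.finditer(line):
            name, value = m.group(1), m.group(3)
            if PLACEHOLDER.match(value):
                continue  # injected at deploy time, not stored in the repo
            findings.append((path, line_no, name))
    return findings

def gate(files):
    """Scan {path: content}; return (exit_code, findings). Non-zero blocks the build."""
    findings = [f for path, text in sorted(files.items())
                for f in scan_text(path, text)]
    return (1 if findings else 0), findings

# Constructed sample change set (not from any real repository).
SAMPLE = {
    "app/db.py": 'import os\nDB_PASSWORD = "hunter2-example"\n'
                 'DB_USER = os.environ["DB_USER"]\n',
    "deploy/values.yaml": 'api_key: "${API_KEY}"\nreplicas: 3\n',
    "app/client.py": 'token = os.environ.get("SERVICE_TOKEN")\n',
}

if __name__ == "__main__":
    code, findings = gate(SAMPLE)
    for path, line_no, name in findings:
        print(f"{path}:{line_no}: hard-coded value assigned to {name}")
    sys.exit(code)  # the CI job fails when any finding is present
```

Run as a pre-merge step, the non-zero exit code stops the change before it reaches a shared branch; only the literal in `app/db.py` is flagged, while environment lookups and templated values pass.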

Threat Modeling

While many would not see immediate value in spending cycles on threat modeling and coming up with a threat model for an application going live soon (such is today’s rapid pace), a commitment to mapping out threat actors, threat surface, threat vectors, and everything else that can potentially jeopardize a piece of software or an app is worth the while. Yet many organizations don’t go through this exercise, and this is not on the development or IT teams; it’s more on management, which drives or decides not to push for time and effort in this direction.

Automation in environment provisioning and testing

Testing and automation have a huge bearing on the quality of the code being produced. Humans can err, but automation can reduce errors. Hence, adopt automation for deploying the infrastructure used for code testing (Infrastructure as Code, or IaC) as well as automation in testing (using Terraform or Ansible) for code and configuration checks in pre-production environments using regression testing.

Leverage extended security capabilities

It is in the interest of any DevOps team to leverage the extended reach of the InfoSec or IT Security team’s expertise to make the code resilient to cyber attacks. Findings from the deep dark web as well as from security research groups are very helpful in creating defenses against known threats and in being unyielding to unknown ones.

DevSecOps helps revolutionize the way organizations handle security while developing apps or software. While there can be shortfalls in budget or manpower (or even security expertise), the benefits of subscribing to DevSecOps are far greater than the risk of not adhering to ‘secure’ new ways of working.

 
 

Speaking at Write The Docs

Presenting on one of my life defining topics @ Write The Docs Australia. What else and better than writing!!

It is ironic that I’ve lived in India, US, Singapore, and visited many places where I’ve had a chance to present on technology and other aspects. However, it’s only in Australia that I got my first ever opportunity to present on how I wrote my first book and the journey from there on.

Again, it’s not about me – it’s about everyone else who’s had a dream to write their first ever book. And for sure, Your First Book – It doesn’t have to be Rocket Science!

Thank you Brett Bartow, Chris Cleveland, Mary Beth Ray, Marianne Bartow, Jamie Shoup, Vanessa Evans, James Manly, Virginia Wilson, Troy Mott for your leadership and giving me a chance to write all the books I’ve written and contribute to reviews across Pearson, O’Reilly, and Backstop Media publications.

Thank you and love you my dear family and friends for your ever going support without which this wasn’t possible.

If you’re in or around Sydney give me a shoutout.

https://www.writethedocs.org/conf/australia/2019/schedule/

 

Posted by on November 13, 2019 in UC Security Posts

 

Trying to get back on track – outside of 9-5!

And it’s been a while since I published anything on the blog. The major reason: I was shifting between continents, from Asia to Australia. Well, that’s one reason; the other is that I was also changing jobs, and moving to a new country and settling in with family is never easy when moving with kids and the Mrs.

All said and done, I’m trying to get back on track with work and blog posts. Things will become more seamless as the months progress.

Moving forward, my posts won’t just be about security; they will be more holistic, with virtualization, automation, and orchestration included.

More to come in this space. Keep an eye out.

 

 

Posted by on September 8, 2019 in UC Security Posts

 

Network Programmability and Automation – Reviewing was Fun and Learning!

In my last post, on tech editing Network Defense and Countermeasures, I shared that it was a refreshing experience tech editing a pure-play security book.

Late last year I tech reviewed / edited a new kind of book, Network Programmability and Automation, published by O’Reilly. I’ve reviewed a few O’Reilly reports before; however, this was the first manuscript that I got to review, so it was beyond just a few pages.

So, what’s different from other titles I reviewed? Simple: this book is all about automation and programmability of networks, to automate mundane tasks and let scripts do things for us. Yes, it is very different, and while I have decent experience in using scripts with cloud platforms, it was also a learning opportunity with the various languages and frameworks explained in the book. This is a good read for those trying to build up on the automation and scripting side of things.

Here are a few glances of the book.

Looking forward to doing more automation with SDN platforms, public cloud and otherwise, in the upcoming months; of course alongside securing the unsecured.

Happy reading.

 

Posted by on May 5, 2018 in Automation, UC Security Posts

 

Network Defense and Countermeasures – Tech Edited!

The third edition of Network Defense and Countermeasures is out on the shelf, and it was really fun tech editing it. The book is really comprehensive, from basics to advanced topics. It’s available on Amazon: https://www.amazon.com/Network-Defense-Countermeasures-Principles-Cybersecurity/dp/0789759969/ref=sr_1_1?ie=UTF8&qid=1524856270&sr=8-1&keywords=network+defense+and+countermeasures

I just got my copy in the mail and it was exciting to see something printed (yes, on real paper; not Kindle) with my name on it.

Yes, it’s a very refreshing change from looking at ebooks and such.

More to come in following months 🙂

Happy reading!

 

Posted by on April 27, 2018 in UC Security Posts

 

My CCIE 10th Year Anniversary Plaque


Today’s a special day. Just got my CCIE 10th Year Anniversary Plaque. In all its glory, shining like nothing has ever shined! 7th Dec 2007 was the day when I achieved my first CCIE, and then in Feb 2009 the second one. It’s been a decade and still the memories of that era never fade; and for good.

CCIE 10th Year Anniversary

This plaque is something that reminds me of the grits and guts I put in 10 years ago. A sweet memoir of days when I used to slog day in and day out in preparation of my greatest personal battle – that of achieving the highly coveted CCIE title. It was my love, my life and I adored it not just once but twice – doing my Double CCIE.

“Nostalgia at its best!”

Proud and humble to be one of a few thousand CCIEs across the globe. Good to remember what I stood for and feels even better to keep doing what I love – my passion for technology and zest to learn has only grown with time.

Thank you dear god, my parents, my family and my friends for your love, support, and blessings.

 

 

Posted by on February 2, 2018 in UC Security Posts

 

2017 – Year in Review and Looking Ahead from Cyber Security Standpoint

It’s been a while since I’ve posted; however, that is because of my new job and regional profile. I’ve been traveling a fair bit and being kept on my toes 🙂

Not keeping away from facts, 2017 was a year of (cyber)security incidents. From ransomware, for example Petya, to breaches at Equifax and Uber (and so many more), the year was pretty eventful from a security perspective. Not only did we witness big names getting breached and user data exfiltrated, there was also a mass momentum from the bad guys to target and bring down key industry players in no time.

In response, security vendors were swift and came out with workarounds and fixes. Moreover, the industry became aware of the fact (yet again) that humans are the weakest link in the scheme of cyber security. Vulnerabilities and exploits were introduced by virtue of weak security constructs, policies, and configuration.

To sum it up, 2017 was an eventful year and a handful for security analysts and advisers alike. Looking forward, 2018 has had a big bang start with the Meltdown and Spectre exploits. We’ll see how 2018 turns out from a cyber security perspective; however, I have a strong feeling it will be a step up as the dark net continues to grow and flourish and the bad guys continue exploiting connected systems.

Happy New Year to everyone!

 

Posted by on January 14, 2018 in UC Security Posts