Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Are You Protecting Your DevOps Software 'Factory'?
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/2/2018 | 4:03:31 PM
Alarming
Its alarming to see that externally facing infrastructure is not even being password protected (a very weak form of protection). What is even more alarming is that these devops tools are utilizing company data instead of test data.
BradleyRoss
50%
50%
BradleyRoss,
User Rank: Moderator
5/2/2018 | 11:40:15 AM
Do You Believe in Magic
With Continuous Integration, DevOps says that you can install modified software as soon as it passes the test suite.  Even if you could have a test suite that would test every required function for the application, how can a test suite insure that you haven't added vulnerabilities.  Remember that many people think that Agile means no documentation (rather than don't write more documentation than you need) so you don't know what to test for.

There was a song entitled "Do You Believe in Magic".  I get the feeling that a lot of IT management feels that Agile, Scrum, DevOps, SecOps are magic wands and everything will go perfectly so long as you recite the proper incantations at your stand-up meetings.  They don't think that you need to think about anything else.  (And the product looks like they didn't think about anything.)  Before you expect them to understand the need for security, you need to get them to understand how to write software that works.


Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28722
PUBLISHED: 2021-05-12
Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates.
CVE-2020-18165
PUBLISHED: 2021-05-12
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Website SEO Keywords" field on the page "admin/info.php?shuyu".
CVE-2020-19275
PUBLISHED: 2021-05-12
An Information Disclosure vulnerability exists in dhcms 2017-09-18 when entering invalid characters after the normal interface, which causes an error that will leak the physical path.
CVE-2021-29511
PUBLISHED: 2021-05-12
evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an attacker to perform d...
CVE-2020-19274
PUBLISHED: 2021-05-12
A Cross SIte Scripting (XSS) vulnerability exists in Dhcms 2017-09-18 in guestbook via the message board, which could let a remote malicious user execute arbitrary code.