Configuration Management

Economics of Application Security Configuration Management

Why Application Security Configuration Management is Essential and Economical

Expanded Cyber Kill Chain Model Analysis

Traditionally, cyber security programs have concentrated on boundary defense controls. With that focus, IT organizations fail to take a holistic view of the controls that are actually essential to stop an adversary from reaching their objective. A holistic analysis using an Expanded Cyber Kill Chain Model, which follows the adversary's movement inside the environment after the initial breach rather than only the perimeter intrusion, identifies the application security configuration controls that are both essential and economical.

Automated App Security Configuration Audits

Application Security Configuration Audits – Why Automated Validation is a Must

In one of my previous blogs, I discussed the challenges of securing modern applications. The takeaway was that modern applications change far more frequently than traditional applications, and that the blast radius of any security misconfiguration is large because a single task now involves many services pushing data over the wire. In this blog, I discuss the shortfalls of manual verification.
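To make the "blast radius" argument concrete, here is an added example of the kind of automated configuration audit the post argues for. It is not code from the original blog; the service names, configuration keys, baseline rules and call graph are constructed assumptions. Each service configuration is checked against the baseline, and the inverted call graph is then used to list every upstream service whose transactions traverse a misconfigured hop, which is the part a manual checklist per service never captures.

```python
"""Automated security-configuration audit across a set of microservices.

Added example, not code from the original blog: each service's configuration
is checked against a small baseline, and the service call graph is used to
estimate the blast radius of every finding. Service names, configuration keys
and the rules themselves are illustrative assumptions.
"""
from collections import deque

# Constructed sample inventory: one config per service plus the services it calls.
SERVICES = {
    "api-gateway": {"tls_min_version": "1.2", "debug": False, "auth_required": True,
                    "db_password": None, "calls": ["orders", "payments"]},
    "orders":      {"tls_min_version": "1.2", "debug": False, "auth_required": True,
                    "db_password": "env:DB_PASSWORD", "calls": ["inventory", "payments"]},
    "payments":    {"tls_min_version": "1.0", "debug": False, "auth_required": True,
                    "db_password": "env:DB_PASSWORD", "calls": ["ledger"]},
    "inventory":   {"tls_min_version": "1.2", "debug": True, "auth_required": False,
                    "db_password": "hunter2", "calls": []},
    "ledger":      {"tls_min_version": "1.3", "debug": False, "auth_required": True,
                    "db_password": "env:DB_PASSWORD", "calls": []},
}


def _version(s):
    """Parse "1.2" into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


# Baseline rules: (rule id, description, predicate that is True when compliant).
RULES = [
    ("TLS-MIN", "minimum TLS version must be 1.2 or newer",
     lambda c: _version(c["tls_min_version"]) >= (1, 2)),
    ("DEBUG-OFF", "debug mode must be disabled in deployed services",
     lambda c: c["debug"] is False),
    ("AUTH-REQ", "service-to-service authentication must be enforced",
     lambda c: c["auth_required"] is True),
    ("SECRET-REF", "database credentials must be a secret-store reference, not a literal",
     lambda c: c["db_password"] is None or c["db_password"].startswith("env:")),
]


def audit(services, rules=RULES):
    """Return {service: [failed rule ids]} for services that fail at least one rule."""
    findings = {}
    for name, cfg in services.items():
        failed = [rule_id for rule_id, _, check in rules if not check(cfg)]
        if failed:
            findings[name] = failed
    return findings


def callers_of(services):
    """Invert the call graph: for each service, the set of services that call it."""
    callers = {name: set() for name in services}
    for name, cfg in services.items():
        for callee in cfg["calls"]:
            callers[callee].add(name)
    return callers


def blast_radius(services, target):
    """Every service whose requests transitively traverse `target`.

    A misconfiguration on `target` (say, TLS 1.0 on payments) weakens each
    transaction that passes through it, so the exposed set is the upstream
    closure rather than just the one service.
    """
    callers = callers_of(services)
    exposed, queue = set(), deque([target])
    while queue:
        for upstream in callers[queue.popleft()]:
            if upstream not in exposed:
                exposed.add(upstream)
                queue.append(upstream)
    return exposed


def report(services, rules=RULES):
    """Combine findings with their blast radius, largest exposure first."""
    findings = audit(services, rules)
    rows = [(svc, failed, sorted(blast_radius(services, svc)))
            for svc, failed in findings.items()]
    return sorted(rows, key=lambda r: (-len(r[2]), r[0]))


if __name__ == "__main__":
    for svc, failed, exposed in report(SERVICES):
        print(f"{svc}: failed {failed}; upstream services exposed: {exposed}")
```

Running it flags payments for TLS 1.0 and inventory for three rules, and shows that both findings expose api-gateway and orders as well, because every order flows through those hops. In a real pipeline the SERVICES dictionary would be populated from deployment manifests or a configuration store on every release, and a non-empty report would fail the build.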

Security Configuration Challenge in Modern Architectures

Modern Application Architecture and Why Security Configuration Compliance is a Challenge

It is an exciting time to be an IT professional: innovation in the industry is driving national economies. Even traditional industries such as hospitality and transportation are being radically transformed by business models built on cloud-based software platforms and architectures. Microservice adoption and externally provided solutions consumed as services have been key to this transformation. Microservices, by breaking an application into many smaller reusable services, enable much faster, even daily, product release cycles; the same decomposition multiplies the number of independently deployed components whose security configuration has to be kept compliant on every one of those releases.

The Role of configuration management in security

What is the Role of Configuration Management in a Defense in Depth Strategy?

A defense in depth strategy for implementing the security controls recommended by NIST SP 800-53 or other frameworks requires comprehensive controls across the data, application, network and infrastructure layers. Here I capture some thoughts on prioritizing defense in depth tasks at government agencies and in other highly regulated industries such as financial services.
