Configuration Management

Why Current Security Products Have Limited Success in Identifying Misconfigurations

Since 2019, it has been clear that security misconfigurations create major issues for modern workloads deployed in cloud architectures. To solve this problem, Capitis developed our C2VS solution, which we have been implementing at major financial and governmental agencies for the past three years. Based on this work, we have identified the most common challenges in identifying misconfigurations using a combination of out-of-the-box and client-specific security control tests.


How Holistic Security Configuration Management Could Have Prevented the Capital One Data Loss

The news of the data loss at Capital One, a major financial services firm, is very unfortunate. A hacker exfiltrated roughly 100 million credit card applications, 140,000 Social Security numbers, and 80,000 bank account numbers. The bank expects the cost of this breach to exceed $100 million in the near term. The news of this attack comes days after Equifax reached a $700 million settlement with federal regulators over the 2017 cyberattack, which exposed the personal information of 147 million people.


Economics of Application Security Configuration Management

Why Application Security Configuration Management is Essential and Economical

Expanded Cyber Kill Chain Model Analysis

Traditionally, cyber security programs are more focused on boundary defense controls. In this approach, IT organizations fail to take a holistic view of the most essential controls required to prevent an adversary from achieving his goal. A holistic analysis using an Expanded Cyber Kill Chain Model can achieve essential and economical application security configuration management.


Automated App Security Configuration Audits

Application Security Configuration Audits – Why Automated Validation is a Must

In one of my previous blogs, I discussed the challenges for securing modern applications. The takeaway from the discussion was that modern applications change more frequently than traditional applications. And the blast radius for any security misconfigurations is high because of the large number of services pushing data over the wire to complete a single task. In this blog, I will be discussing the shortfalls associated with manual verifications.


Security Configuration Challenge in Modern Architectures

Modern Application Architecture and Why Security Configuration Compliance is a Challenge

It is an exciting time to be an IT professional because innovation in the industry is driving the economies of nations. Even traditional industries like hospitality and transportation are being radically transformed with business models that leverage cloud-based software platforms and architectures. Microservice adoption and external solutions provided as services have been key to this transformation. Microservices, by breaking applications into many smaller re-usable services, enable much faster – even daily – product release cycles.


The Role of Configuration Management in Security

What is the Role of Configuration Management in Defense in Depth Strategy?

A defense in depth strategy for implementing security controls recommended by NIST 800-53 or other frameworks requires comprehensive security controls throughout the data, application, network and infrastructure layers. I would like to capture some of my thoughts on prioritizing the tasks related to defense in depth strategy at government agencies and other highly regulated industries such as financial institutions.
