Daily Archives: June 19, 2019

Live From Gartner Security & Risk Mgmt Summit: How to Approach Container Security

Container security is a topic most security practitioners still find confusing. It’s a new technology that’s spreading fast because of its numerous benefits, and its security implications and solutions are evolving just as fast.

That’s why I really appreciated Anna Belak’s session “Container Security – From Image Analysis to Network Segmentation” at the Gartner Security & Risk Management Summit in National Harbor, MD. Anna provided a great framework for thinking about container security that I would like to share with you.

Divide and Conquer: Images, Orchestration, Runtime

After introducing the audience to all of the security challenges and attack vectors for containers, she broke down a container security program into three sections:

  • Securing container images
  • Securing the orchestration plane 
  • Securing containers at runtime 

Today, there’s no security vendor that helps with all three of these areas. Because Veracode focuses on application development security, we focus on securing container images, not the operational parts.

Inside the Sausage Factory: How the Docker Image is Made

A Docker container image is a lightweight, standalone, executable package of software that includes everything you need to run an application: code, runtime, system tools, system libraries and settings. Docker’s run utility is the command that actually launches a container. Each container is an instance of an image, and multiple container instances of the same image can be run simultaneously. Docker images are ephemeral: Container deployments are in constant flux. The average lifetime of a container is 30 minutes. 

The Docker Hub registry is a repository for sharing container images from open source projects and from software vendors. These images are leveraged by developers – often introducing additional risk to the organization.

In her talk, Anna referenced a study of 3,802 official images on the Docker Hub that found a median of 127 vulnerabilities per image. Even more shocking: There were zero images that did not have any vulnerabilities.

Gartner’s Top Recommendations on Container Security

The talk closed with three recommendations:

  • Secure containers holistically by integrating controls at key steps in the CI/CD pipeline. Focusing solely on runtime controls – as you would for software installed on VMs – will leave you exposed on many fronts.
  • Use secrets management and software component analysis as primary container protection strategies. Add Layer 7 network segmentation for operational containers that require defense in depth.
  • Select vendors that can integrate with the container offerings of leading cloud service providers, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform.

Veracode can help you with the first recommendation: Veracode Software Composition Analysis scans container images for vulnerabilities as part of your CI/CD pipeline to help you find vulnerabilities in the production image. If you’re interested in more information, read our blog post “How Veracode Scans Docker Containers for Open Source Vulnerabilities.”

Embracing the “Sec” in DevSecOps: How Veracode and AWS Work Together to Help You Build Secure Apps

Developers, like most builders, are creative critical thinkers who take pride in their work. Let’s focus on the word “builder” for a moment. During the industrial revolution, we saw a shift in manufacturing where time-consuming processes were made more efficient through automation. With that, we also saw the concept of an assembly line and interchangeable parts transform businesses. The idea was to build as quickly as possible for less cost. Transpose this to software engineering and we see a similar trend: building software as quickly as possible, using components, and decreasing costs. Implicit in this is the direct correlation between the quality of the components and the quality of the final product. This raises the question: why, then, are developers selecting poor or insecure components to build their applications? I would argue that the intention to build stable and secure software has always existed, but there is a general lack of awareness and overall confusion about the best approach. We need only look at the latest headlines and read about Fortune 500 companies that have been victims of vulnerabilities despite their best efforts to ship software they thought to be secure. So, how does intent go beyond a mere idea and get put into design and practice to mitigate these concerns in the most comprehensive and reliable way possible?

Before we are able to answer that, it is important that we consider a few facts:

  1. Modern applications are complex and made up of various components.
  2. Open source has grown and has found its way into millions of applications across various industries spanning private, public, and even government sectors.
  3. Application security has traditionally been reactive and found later in the development life cycle.

Cloud adoption has empowered developers not only to build their applications, but also to provision the supporting infrastructure. Take for example a fully managed CI/CD pipeline on AWS comprised of AWS CodeCommit, AWS CodePipeline, and AWS CodeBuild with container deployments to AWS Fargate. If you find yourself in a similar scenario or aspire to migrate to AWS to use these services, then which tools do you use, and how do you leverage them correctly to ensure that you are building secure applications? If you are using open source components, then how do you ensure that you are using the right versions of those components, or find out where they are being downloaded from? These questions extend to your container images as well. Container images are often opaque in that they typically consist of several layers, and it is not immediately clear what security vulnerabilities each of those layers contains. Are you including inspection of these layers in your automated workflows?
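As an added example of the per-layer inspection the paragraph asks about (this is not Veracode’s, AWS’s or Docker’s code), the Python script below reads a docker save tarball offline and attributes each Debian package version to the layer that introduced it. It assumes the manifest.json “Layers” layout that docker save produces and a var/lib/dpkg/status file inside the layers; the sample image, package names and versions are constructed for illustration.

```python
"""Attribute installed Debian-style packages to the image layer that introduced
them by reading a docker-save tarball offline. Added example, not Veracode's or
Docker's code. Assumes the legacy docker-save layout (top-level manifest.json
whose "Layers" list names one tar per layer) and package state in
var/lib/dpkg/status inside a layer; the sample image below is constructed."""
import io
import json
import tarfile


def parse_dpkg_status(text: str) -> dict:
    """Return {package: version} from the stanzas of a dpkg status file."""
    packages, name, version = {}, None, None
    for line in text.splitlines() + [""]:
        if line.startswith("Package:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Version:"):
            version = line.split(":", 1)[1].strip()
        elif line == "" and name:
            packages[name] = version
            name, version = None, None
    return packages


def packages_by_layer(image_tar: bytes) -> list:
    """For each layer in order, return (layer name, packages it added or changed)."""
    result, seen = [], {}
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as image:
        manifest = json.load(image.extractfile("manifest.json"))[0]
        for layer_name in manifest["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            added = {}
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                if "var/lib/dpkg/status" in layer.getnames():
                    status = layer.extractfile("var/lib/dpkg/status").read().decode()
                    current = parse_dpkg_status(status)
                    # A package is attributed to this layer only if its version is new
                    added = {p: v for p, v in current.items() if seen.get(p) != v}
                    seen.update(current)
            result.append((layer_name, added))
    return result


def _tar_bytes(files: dict) -> bytes:
    """Build an in-memory tar from {path: bytes} (used to construct the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample image: a base layer with two packages, then an app layer
# that upgrades openssl and adds curl. Names and versions are illustrative only.
BASE_STATUS = b"Package: libc6\nVersion: 2.28-10\n\nPackage: openssl\nVersion: 1.1.1d-0\n\n"
APP_STATUS = (b"Package: libc6\nVersion: 2.28-10\n\nPackage: openssl\nVersion: 1.1.1k-1\n\n"
              b"Package: curl\nVersion: 7.64.0-4\n\n")
SAMPLE_IMAGE = _tar_bytes({
    "manifest.json": json.dumps([{"Config": "cfg.json", "RepoTags": ["demo:1"],
                                  "Layers": ["base/layer.tar", "app/layer.tar"]}]).encode(),
    "base/layer.tar": _tar_bytes({"var/lib/dpkg/status": BASE_STATUS}),
    "app/layer.tar": _tar_bytes({"var/lib/dpkg/status": APP_STATUS}),
})

if __name__ == "__main__":
    for layer_name, added in packages_by_layer(SAMPLE_IMAGE):
        print(layer_name, added)
```

Feeding the per-layer package list to a vulnerability database is the step a CI job adds; the attribution tells you which Dockerfile instruction to fix.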

One of the more prominent blockers to applying security is the perception that doing so will undoubtedly hurt time to market. Developers are often under time constraints and are focused on building applications and releasing features as expeditiously as possible. Combined with the complexity of modern architectures, the use of external components and the lack of prescriptive guidance on using the right tools at the appropriate stage of the development life cycle, this compounds the frustration, and the predictable reaction is avoidance. In other words, we acknowledge the problem, vaguely understand there may be a way or ways to resolve it, but are not clear on how to accomplish that and decide it’s not worth the effort today; after all, there’s always tomorrow.

The truth is that this need not be as daunting as it may seem on the surface. The journey begins with understanding your process and gaining insight into your environment. If you don’t know where your vulnerabilities exist today, then how can you effectively fix them? Second, it’s about applying security at every stage of the process. There are several tools that address specific concerns and were built for specific audiences: security teams, AppSec teams, Dev teams. Use them accordingly. For example, there is a place for static analysis (SAST), software composition analysis (SCA) and dynamic analysis (DAST) testing, and for monitoring tools designed to find security defects and complete the feedback loop. It’s critical to understand that you may build a secure application today, but can you quickly iterate and resolve those vulnerabilities that have yet to be discovered before they negatively impact your business or your customers? These are considerations that are necessary for any business to survive in today’s competitive landscape. Sure, you need to ship features as quickly as possible, but you need to do so without compromising security.

This is where solutions such as those available today from Veracode are integral for any business. Veracode is a full-spectrum application security testing solution that begins with Veracode Greenlight in the developers’ IDE and spans the development life cycle through to Veracode Manual Penetration Testing. Along the way, you are covered throughout the entire software development life cycle. From the moment developers begin writing code and pushing commits, Veracode Software Composition Analysis (SCA) identifies any open source vulnerability and provides crisp remediation guidance. Integrate Veracode Static Analysis (SAST) into your build and test tools and processes to quickly identify security flaws in your code. Lastly, Veracode Dynamic Analysis (DAST) in your release, deployment and operations process reduces your risk of a breach once your application goes live. These are easily integrated with AWS CodePipeline and CodeBuild to secure your fully managed CI/CD pipelines running in the AWS cloud.

As the complexity of modern applications continues to increase over the years, so too does the need to introduce security into every stage of your development life cycle. We live in a highly competitive world with a voracious appetite for innovation. It is critical for businesses to deliver quickly and satisfy customer demand, but equally critical to ensure and preserve customer trust. It is possible to do both without compromising one for the other, and the solutions exist today.

Learn more at AWS re:Inforce this month in Boston – Veracode will be at Booth 813, and speaking on Wednesday the 26th on “Integrating AppSec Into Your DevSecOps on AWS.”

Expanding Our Vision to Expand the Cybersecurity Workforce

I recently had the opportunity to testify before Congress on how the United States can grow and diversify the cyber talent pipeline. It’s great that members of Congress have this issue on their radar, but at the same time, it’s concerning that we’re still having these discussions. A recent (ISC)² study puts the global cybersecurity workforce shortage at 2.93 million. Solving this problem is challenging, but I offered some recommendations to the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection and Innovation.

Increase the NSF CyberCorps Scholarships for Service Program

The National Science Foundation (NSF) together with the Department of Homeland Security (DHS) designed a program to attract more college students to cybersecurity, and it’s working. Ten to 12 juniors and seniors at each of the approximately 70 participating institutions across the country receive free tuition for up to two years plus annual stipends. Once they’ve completed their cybersecurity coursework and an internship, they go to work for the federal government for the same amount of time they’ve been in the program. Afterwards, they’re free to remain federal employees or move elsewhere, yet fortunately, a good number of them choose to stay.

Congress needs to increase the funding for this program (which has been flat since 2017) from $55 million to at least $200 million. Today the scholarships are available at 70 land grant colleges. The program needs to be opened up to more universities and colleges across the country.

Expand CyberCorps Scholarships to Community Colleges

Community colleges attract a wide array of students – a fact that is good for the cybersecurity profession. Some community college attendees are recent high school graduates, but many are more mature, working adults or returning students looking for a career change or skills training. A strong security operation requires differing levels of skills, so having a flexible scholarship program at a community college could not only benefit graduates but also provide the profession with necessary skills.

Furthermore, not everyone in cybersecurity needs a four-year degree. In fact, they don’t need to have a traditional degree at all. Certificate programs provide valuable training, and as employers, we should change our hiring requirements to reflect that reality.

Foster Diversity of Thinking, Recruiting and Hiring

Cybersecurity is one of the greatest technical challenges of our time, and we need to be as creative as possible to meet it. In addition to continually advancing technology, we need to identify people from diverse backgrounds – and not just in the standard sense of the term. We need to diversify the talent pool in terms of race, ethnicity, gender and age, all of which lead to creating an inclusive team that will deliver better results. However, we also should seek out gamers, veterans, people working on technical certificates, and retirees from computing and other fields such as psychology, liberal arts as well as engineering. There is no one background required to be a cybersecurity professional. We absolutely need people with deep technical skills, but we also need teams with diverse perspectives, capabilities and levels of professional maturity.

Public-Private Sector Cross Pollination

We also must develop creative approaches to enabling the public and private sectors to share talent, particularly during significant cybersecurity events. We should design a mechanism for cyber professionals – particularly analysts or those who are training to become analysts – to move back and forth between the public and private sector so that government organizations would have a continual refresh of expertise. This type of cross-pollination would help everyone share best practices on technology, business processes and people management.

One way to accomplish this would be for DHS to partner with companies and other organizations such as universities to staff a cadre of cybersecurity professionals – operators, analysts and researchers – who are credentialed to move freely between public and private sector service. These professionals, particularly those in the private sector, could be on call to help an impacted entity and the government respond to a major attack in a timely way. Much like the National Guard, a flexible staffing approach to closing the skills gap could become a model of excellence.

We’re Walking the Talk

McAfee is proud to support the community in establishing programs that provide skills to help build the STEM pipeline, fill related job openings, and close gender and diversity gaps. These programs include an Online Safety Program, onsite training programs and internships for high school students. Our employees also volunteer in schools to help educate students on both cybersecurity risks and opportunities. Through volunteer-run programs across the globe, McAfee has educated more than 500,000 children to date.

As part of McAfee’s new pilot Achievement & Excellence in STEM Scholarship program, we’ll make three awards of $10,000 for the 2019-2020 school year. Twelve students from each of the three partner schools will be invited to apply, in coordination with each partner institution’s respective college advisor. Target students are college-bound high school seniors with a demonstrated passion for STEM fields, who are seeking a future in a STEM-related path. This type of program can easily be replicated by other companies and used to support the growth and expansion of the workforce.

We’re Supporting Diversity

While we recognize there is still more to do in fostering diversity, we’re proud to describe the strides we’re making at McAfee. We believe we have a responsibility to our employees, customers and communities to ensure our workplace reflects the world in which we live. Having a diverse, inclusive workforce is the right thing to do, and after we became an independent, standalone cybersecurity company in 2017, we made and have kept this a priority.

The steps we’re taking include:

  • Achieving pay parity between women and men employees in April 2019, making us the first pureplay cybersecurity company to do so.
  • In 2018, 27.1% of all global hires were female and 13% of all U.S. hires were underrepresented minorities.
  • In June 2018, we launched our “Return to Workplace” program for men and women who have paused their career to raise children, care for loved ones or serve their country. The 12-week program offers the opportunity to reenter the tech space with the support and resources needed to successfully relaunch careers.
  • Last year, we established the Diversity & Culture Council, a volunteer-led global initiative focused on creating an infrastructure for the development and maintenance of an integrated strategy for diversity and workplace culture.
  • McAfee CEO Chris Young joined CEO Action for Diversity Inclusion, the largest group of CEOs and presidents committed to act on driving an inclusive workforce. By taking part in CEO Action, Young personally commits to advancing diversity and inclusion with the coalition’s three-pronged approach of fostering safe workplaces.

Looking to the Future

While I’d love to see a future where fewer cybersecurity professionals were needed, I know that for the foreseeable future, we’ll not only need great technology but also talented people. With that reality, we in the industry need to expand our vision and definition of what constitutes cybersecurity talent. The workforce shortage is such that we have to expand our concepts and hiring requirements. In addition, the discipline itself will benefit from a population that brings more experiences, skills and diversity to bear on a field that is constantly changing.

The post Expanding Our Vision to Expand the Cybersecurity Workforce appeared first on McAfee Blogs.

Helping organizations do more without collecting more data

We continually invest in new research to advance innovations that preserve individual privacy while enabling valuable insights from data. Earlier this year, we launched Password Checkup, a Chrome extension that helps users detect whether a username and password they enter on a website have been compromised. It relies on a cryptographic protocol known as private set intersection (PSI) to match your login’s credentials against an encrypted database of over 4 billion credentials Google knows to be unsafe. At the same time, it ensures that no one – including Google – ever learns your actual credentials.

Today, we’re rolling out the open-source availability of Private Join and Compute, a new type of secure multi-party computation (MPC) that augments the core PSI protocol to help organizations work together with confidential data sets while raising the bar for privacy.

Collaborating with data in privacy-safe ways

Many important research, business, and social questions can be answered by combining data sets from independent parties where each party holds their own information about a set of shared identifiers (e.g. email addresses), some of which are common. But when you’re working with sensitive data, how can one party gain aggregated insights about the other party’s data without either of them learning any information about individuals in the datasets? That’s the exact challenge that Private Join and Compute helps solve.

Using this cryptographic protocol, two parties can encrypt their identifiers and associated data, and then join them. They can then do certain types of calculations on the overlapping set of data to draw useful information from both datasets in aggregate. All inputs (identifiers and their associated data) remain fully encrypted and unreadable throughout the process. Neither party ever reveals their raw data, but they can still answer the questions at hand using the output of the computation. This end result is the only thing that’s decrypted and shared in the form of aggregated statistics. For example, this could be a count, sum, or average of the data in both sets.

A deeper look at the technology 

Private Join and Compute combines two fundamental cryptographic techniques to protect individual data:

  • Private set intersection allows two parties to privately join their sets and discover the identifiers they have in common. We use an oblivious variant which only marks encrypted identifiers without learning any of the identifiers.
  • Homomorphic encryption allows certain types of computation to be performed directly on encrypted data without having to decrypt it first, which preserves the privacy of raw data. Throughout the process, individual identifiers and values remain concealed. For example, you can count how many identifiers are in the common set or compute the sum of values associated with marked encrypted identifiers – without learning anything about individuals. 

This combination of techniques ensures that nothing but the size of the joined set and the statistics (e.g. sum) of its associated values is revealed. Individual items are strongly encrypted with random keys throughout and are not available in raw form to the other party or anyone else.
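As an added illustration of how these two techniques fit together (a toy written for this page, not Google’s open-source implementation), the Python below runs a private intersection-sum: the two parties’ identifiers are matched by commutative masking in a DH-style group (the oblivious PSI step), Party 2’s values travel under Paillier additive homomorphic encryption, and Party 1 multiplies the ciphertexts of the matches so that only the count and the decrypted sum come out. The 2^521 - 1 group, the small Paillier primes and the sample e-mail addresses are all constructed toy parameters.

```python
"""Toy Private Intersection-Sum, the core of Private Join and Compute.
Party 1 holds identifiers; Party 2 holds identifiers with values. Only the
intersection size and the sum of Party 2's values over it are revealed.
Added example, not Google's code; every parameter here is toy-sized."""
import hashlib
import secrets
from math import gcd

# Toy masking group: Z_p^* with p = 2^521 - 1 (a Mersenne prime). A real
# deployment uses an elliptic-curve group; this only shows the mechanics.
P = (1 << 521) - 1

def hash_to_group(identifier: str) -> int:
    """Map an identifier to a group element in [2, P-1]."""
    digest = hashlib.sha512(identifier.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2

# Toy Paillier key pair with hard-coded small primes (nowhere near secure sizes).
PAILLIER_P, PAILLIER_Q = 1000003, 999983
N = PAILLIER_P * PAILLIER_Q
N2 = N * N
LAMBDA = (PAILLIER_P - 1) * (PAILLIER_Q - 1) // gcd(PAILLIER_P - 1, PAILLIER_Q - 1)
MU = pow((pow(N + 1, LAMBDA, N2) - 1) // N, -1, N)

def paillier_encrypt(m: int) -> int:
    """Enc(m) = (1+N)^m * r^N mod N^2; multiplying ciphertexts adds plaintexts."""
    r = secrets.randbelow(N - 1) + 1
    while gcd(r, N) != 1:  # r must be a unit mod N
        r = secrets.randbelow(N - 1) + 1
    return pow(N + 1, m, N2) * pow(r, N, N2) % N2

def paillier_decrypt(c: int) -> int:
    return (pow(c, LAMBDA, N2) - 1) // N * MU % N

def party1_mask(identifiers, k1):
    """Round 1: Party 1 sends H(v)^k1 for each identifier, shuffled."""
    masked = [pow(hash_to_group(v), k1, P) for v in identifiers]
    secrets.SystemRandom().shuffle(masked)
    return masked

def party2_round(p1_masked, records, k2):
    """Round 2: Party 2 returns Party 1's items raised to k2, plus its own
    identifiers masked with k2, each paired with an encryption of its value."""
    double_masked = {pow(x, k2, P) for x in p1_masked}
    own = [(pow(hash_to_group(w), k2, P), paillier_encrypt(t)) for w, t in records]
    secrets.SystemRandom().shuffle(own)
    return double_masked, own

def party1_intersect_sum(double_masked, p2_items, k1):
    """Round 3: H(w)^(k1 k2) equals H(v)^(k1 k2) exactly when identifiers agree;
    multiplying the matching ciphertexts sums the hidden values undecrypted."""
    count, enc_sum = 0, paillier_encrypt(0)
    for masked_w, enc_t in p2_items:
        if pow(masked_w, k1, P) in double_masked:
            count += 1
            enc_sum = enc_sum * enc_t % N2
    return count, enc_sum

def run_protocol(p1_identifiers, p2_records):
    # All rounds run locally here; Party 2 holds the Paillier key and decrypts the sum.
    k1 = secrets.randbelow(P - 2) + 1
    k2 = secrets.randbelow(P - 2) + 1
    double_masked, own = party2_round(party1_mask(p1_identifiers, k1), p2_records, k2)
    count, enc_sum = party1_intersect_sum(double_masked, own, k1)
    return count, paillier_decrypt(enc_sum)

# Constructed sample: Party 1 knows who saw an ad, Party 2 knows who bought and
# how much; the run reveals only (2, 75), the overlap count and its total spend.
P1_IDS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
P2_RECORDS = [("bob@example.com", 30), ("carol@example.com", 45), ("erin@example.com", 99)]
```

Neither party ever sees the other’s raw identifiers: each only handles masked group elements, and Party 1 never holds the Paillier private key.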

Using multi-party computation to solve real-world problems

Multi-party computation (MPC) is a field with a long history, but it has typically faced many hurdles to widespread adoption beyond academic communities. Common challenges include finding effective and efficient ways to tailor encryption techniques and tools to solve practical problems.

We’re committed to applying MPC and encryption technologies to more concrete, real-world issues at Google and beyond by making privacy technology more widely available. We are exploring a number of potential use cases at Google across collaborative machine learning, user security, and aggregated ads measurement.

And this is just the beginning of what’s possible. This technology can help advance valuable research in a wide array of fields that require organizations to work together without revealing anything about individuals represented in the data. For example:

  • Public policy - if a government implements new wellness initiatives in public schools (e.g. better lunch options and physical education curriculums), what are the long-term health outcomes for impacted students?
  • Diversity and inclusion - when industries create new programs to close gender and racial pay gaps, how does this impact compensation across companies by demographic?
  • Healthcare - when a new preventative drug is prescribed to patients across the country, does it reduce the incidence of disease? 
  • Car safety standards - when auto manufacturers add more advanced safety features to vehicles, does it coincide with a decrease in reported car accidents?

Private Join and Compute keeps individual information safe while allowing organizations to accurately compute and draw useful insights from aggregate statistics. By sharing the technology more widely, we hope this expands the use cases for secure computing. To learn more about the research and methodology behind Private Join and Compute, read the full paper and access the open source code and documentation. We’re excited to see how other organizations will advance MPC and cryptography to answer important questions while upholding individual privacy.

Acknowledgements

Product Manager - Nirdhar Khazanie
Software Engineers - Mihaela Ion, Benjamin Kreuter, Erhan Nergiz, Quan Nguyen, and Karn Seth
Research Scientist - Mariana Raykova