#security - January 2021 | Slack Archive

lorenabout 5 years ago

https://lifehacker.com/ditch-the-great-suspender-before-it-becomes-a-security-1845989664

Davis Treybigabout 5 years ago

Has anyone had any trouble managing noise in appsec scanners (think Snyk, OWASP ZAP, Bridgecrew, TFSec, Claire, and all the other SAST/DAST/SCA tools) in a modern DevOps environment? E.g. too many alerts, too hard to prioritize alerts, irrelevant alerts to the business, too hard to properly define policies for what scanners run where and when, etc? I’ve gotten the sense that a lot of cloud sec teams feel stuck figuring out how to get developers to actually fix appsec issues, and engineers/DevOps will often ignore the scan results sent over JIRA or in pull requests because there are too many. How do people solve this?

Erik Osterman (Cloud Posse)about 5 years ago

https://summitroute.com/downloads/aws_security_maturity_roadmap-Summit_Route.pdf

Mebabout 5 years ago

https://www.zdnet.com/article/malwarebytes-said-it-was-hacked-by-the-same-group-who-breached-solarwinds/

Steve Wade (swade1987)about 5 years ago

can anyone recommend some good documentation on configuring terraform compliance?

we would like to run it against CI for our terraform modules monorepo as well as when we execute this modules from other repos as part of Atlantis