Threat Stack Blog and Cloud Security News

Continuous security monitoring for your cloud.

Tom McLaughlin

As the Engineering Advocate at Threat Stack, Tom uses his experience in cloud infrastructure / security to solve problems and provide great insight into solutions. He loves finding new and interesting ways of safely and securely automating infrastructure. When not at work he is a proud cat dad to two calicoes and enjoys spending his time drag racing and sailing. He is also an amateur thinkfluencer on Twitter at @tmclaughbos.

Recent Posts

The Three Pillars of Continuous Security Improvement

by Tom McLaughlin, posted in Cloud Security, Cloud Security Strategy, Continuous Security Improvement


Security should never be a one-and-done proposition: It requires a continuous improvement mindset to keep you on top of security initiatives and to accommodate new issues as you detect them. Once your security program is up and running, you need to measure, evaluate, and modify it on an ongoing basis to maintain or improve your results. This doesn’t necessarily require a ton of time and effort; it simply requires a strategy.

So today, we want to take a look at what it takes to build an effective security program with continuous improvement at its core. In our view, there are three key pillars to continuous security improvement, and if you have been following along with our Starting Your Cloud Security Journey blog post series, then you’ll be well-acquainted with these concepts.

Mar 24, 2017 11:22:04 AM

How to Implement a Security Awareness Program at Your Organization

by Tom McLaughlin, posted in Cloud Security, Security Best Practices, Cloud Security Awareness and Training, Cloud Security Awareness Program


Security isn’t just a technical problem. It’s also a people problem, and keeping the people side of the security equation strong requires that all people in your organization have an awareness of security. This is why security awareness programs are so important.

The goal of a security awareness program — as you may have guessed — is to increase organizational understanding and practical implementation of security best practices. A program like this should apply to all hires — new and old, across every department — and it should be reinforced on a regular basis.

Here’s what you need to know to create a first-class security awareness program at your organization.

Mar 21, 2017 4:38:52 PM

Incorporating AWS Security Best Practices Into Terraform Design

by Tom McLaughlin, posted in Cloud Security, Terraform, AWS Security Best Practices


Implementing AWS security best practices into your Terraform design is an excellent way of ensuring that you have a streamlined way to achieve your security goals and manage your infrastructure.

In this post, we will talk about the following three areas of AWS security best practices and how to implement them with Terraform:

  • Environment segregation by AWS account
  • CloudTrail logging
  • Traffic and system access controls

Just to be clear, this post is not an introduction to Terraform: It’s an introduction to incorporating AWS security best practices into Terraform code.

Mar 20, 2017 10:37:32 AM

OS Updates and Package Management: Ubuntu Repo Management With Aptly and AWS S3

by Tom McLaughlin, posted in OS Updates, Aptly, Patch Management


Note: In light of the AWS S3 outage in us-east-1 on February 28, 2017, let's discuss a few things. Amazon's S3 has exemplary availability. Compare that with the time and cost of maintaining package distribution yourself. It's easy to look at S3's outage and conclude that it is better to handle the responsibility yourself. In the same way, it's easy to see news of a plane crash and conclude that driving is more reliable. The feeling of control doesn't always lead to the most reliable outcome. Aptly does provide the ability to serve a repository on its own. See how to front Aptly with nginx in an emergency like the one on Tuesday February 28.

It is an unfortunate fact that many organizations do not routinely perform comprehensive software patching. At Threat Stack, we have confirmed this with our own analysis of how frequently systems are updated, and Verizon’s DBIR shows us that the most commonly exploited vulnerabilities are months or years old.

But patching is one area where following the status quo is a very bad idea. As a best practice, your organization needs a patching strategy to make sure it remains secure, and with that in mind, this post explains how you can adopt a patching strategy that suits your organization’s needs and values.

Feb 28, 2017 8:11:14 PM

Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 2

by Tom McLaughlin, posted in Cloud Security Best Practices, Cloud Security Maturity, Managing Secrets


In Part 1 of this post we explained how you can find all the secrets in your environment. In Part 2 we will discuss effective ways to store and manage secrets — to keep them from leaking to unauthorized people.

Feb 26, 2017 10:32:57 AM

Chef Habitat For Packaging Python Flask Web Services

by Tom McLaughlin, posted in Cloud Security, Web Services, Python, Chef, Habitat


One of the challenges of building open source tools is figuring out how to package and distribute them. This is particularly true with web services. To make building, deploying, and running web services easier, Chef created Habitat.

When building open source web services for Threat Stack, one of our concerns is how to package these Python Flask applications so they run in the widest array of environments with low adoption friction. Using Habitat, the process is quick and easy.

For this post, we’re going to focus on the specifics of packaging a Python Flask application and the particular needs of that stack.

Feb 22, 2017 1:02:18 PM

Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 1 — truffleHog & git-secrets

by Tom McLaughlin, posted in Cloud Security Best Practices, Cloud Security Maturity, Managing Secrets


Secrets — passwords, API keys, secure tokens, private keys, and so on — protect access to sensitive resources in your environment. If not properly managed, they can end up in the wrong hands.

In Part 1 of this post, we will show you how to find secrets using truffleHog and git-secrets. In Part 2, we will explain how to manage them using appropriate software tools in order to quickly and cost-effectively achieve a higher level of security.

Feb 21, 2017 2:23:48 PM

Python Flask Exception Handling In A Secure Manner

by Tom McLaughlin, posted in Cloud Security, Exception Handling, Python, Flask, Python Flask Exception Handling


In our last Python Flask blog post, we walked through building a simple application to take in a Threat Stack webhook and archive the alert to AWS S3. In this post, we’ll dive into Python exception handling and how to do it in a secure manner.

The code in the last post was written to be as simple and readable as possible. However, what happens if something goes wrong in our application? There’s no error or exception handling. If something goes wrong — for example, we hit a bug or receive bad data — there’s nothing we can do about it in the application. Instead of returning a parseable JSON response, the app will just spit back a backtrace embedded in an HTML document. The entity sending the request to our service is then left trying to figure out what may have gone wrong.

Feb 9, 2017 2:02:31 PM

Planning Your Cloud Security Program

by Tom McLaughlin, posted in Cloud Security Strategy, Security Awareness Program, Industry Best Practices, Cloud Security Maturity, Security Baseline


As we stated in the introduction to this blog post series, our purpose is to give you insight into the issues you should address when you are at the early stages of establishing a cloud security program.

If your organization is just starting out on its cloud security journey — whether it’s a rapidly growing startup or a more established company — it’s important to develop a strategic security roadmap that’s suited to its early-stage maturity level. You should not reasonably expect to go from no security or rudimentary security to a full-blown, encompassing program in one step. It’s far better to take a graduated approach by defining objectives that will give you reasonable protection now, that won’t drain your budget and resources (and possibly divert critical resources and attention away from your company’s primary business goals) — and that will also serve as a rock solid platform to build on when you want to move up to the next level of maturity on the cloud security ladder.

What you need is an end-to-end roadmap that will get you started in cloud security monitoring, address your first round of security concerns, and noticeably and measurably improve your security stance, all in a reasonable amount of time and for a reasonable expenditure of money and resources.  

And that’s exactly what we’ll do in this post: walk through five steps that will help you develop a strategic action plan that includes defined goals and is targeted at your organization’s specific maturity level, needs, and resources.

Feb 7, 2017 10:11:51 AM

Threat Stack Blog Series: Starting Your Cloud Security Journey

by Tom McLaughlin, posted in Cloud Security, Cloud Security Maturity Strategy, Blog Post Series, Cloud Security Maturity


More and more companies are migrating to the cloud — and for good reason considering the many benefits such as speed, flexibility, and reduced costs.

One of the key questions that always comes up in this transition centers on cloud security. Not so much in the form of “Is the cloud secure?” but more in terms of “What is your company doing to make sure its infrastructure is secure?”

In the best scenario, companies include a cloud security service in their business plan on day one. In the worst case, they limp along for years without a strategically planned, comprehensive security roadmap that will provide real protection for their IP, data, systems, customers, and reputation.

In both cases, these organizations have one thing in common: Regardless of how long they’ve been in business, they are at an early stage of cloud security maturity. They are just starting out on their cloud security journey.

And that’s where we can help.

Feb 3, 2017 1:04:22 PM
