Threat Stack Blog and Cloud Security News

Continuous security monitoring for your cloud.

Tom McLaughlin

As the Engineering Advocate at Threat Stack, Tom uses his experience in cloud infrastructure / security to solve problems and provide great insight into solutions. He loves finding new and interesting ways of safely and securely automating infrastructure. When not at work he is a proud cat dad to two calicoes and enjoys spending his time drag racing and sailing. He is also an amateur thinkfluencer on Twitter at @tmclaughbos.

Recent Posts

Resources for DevOps Pros to Learn About Security

by Tom McLaughlin, posted in Cloud Security, DevOps, Professional Development, Security Education

These days, security should be part of everyone’s job. This is especially true for DevOps teams, which are responsible for developing, delivering, and maintaining critical applications for many organizations, and must therefore prioritize security as part of their role. But the world of security can seem like a bit of a mystery until you’ve been exposed to it.

If you or someone on your team is looking to learn more about what it takes to run a secure organization today, we have provided a list of resources below, from conferences to reference books to Twitter handles, that are worth checking out.

Apr 6, 2017 1:50:14 PM

New Playbook: Jump Starting Your Cloud Security Journey

by Tom McLaughlin, posted in Cloud Security, Cloud Security Maturity, Jump Starting Cloud Security Playbook, Implementing Cloud Security

Cloud security is a complex subject, and customers sometimes tell us that one of their biggest challenges is simply knowing where to start.

In our latest playbook, Jump Starting Cloud Security: A Guide to Starting Your Cloud Security Journey, we have addressed this problem head on. If your organization is just starting out in cloud security — whether it’s a rapidly growing startup or a more established company — this Playbook is intended for you.

It’s a roadmap full of industry-proven practices that will put you on the fast track to cloud security monitoring, addressing your first round of security concerns, and measurably improving your security stance, all in a reasonable amount of time for a reasonable outlay of money and resources.

The hands-on approach will help you implement important security practices without diverting resources and attention away from your company’s main business goals, and you’ll also end up with a solid platform to build on when you want to move up to the next level of maturity on the cloud security ladder.

Apr 4, 2017 5:20:49 PM

The Three Pillars of Continuous Security Improvement

by Tom McLaughlin, posted in Cloud Security, Cloud Security Strategy, Continuous Security Improvement

Security should never be a one-and-done proposition: It requires a continuous improvement mindset to keep you on top of security initiatives and to accommodate new issues as you detect them. Once your security program is up and running, you need to measure, evaluate, and modify it on an ongoing basis to maintain or improve your results. This doesn’t necessarily require a ton of time and effort; it simply requires a strategy.

So today, we want to take a look at what it takes to build an effective security program with continuous improvement at its core. In our view, there are three key pillars to continuous security improvement, and if you have been following along with our Starting Your Cloud Security Journey blog post series, then you’ll be well-acquainted with these concepts.

Mar 24, 2017 11:22:04 AM

How to Implement a Security Awareness Program at Your Organization

by Tom McLaughlin, posted in Cloud Security, Security Best Practices, Cloud Security Awareness and Training, Cloud Security Awareness Program

Security isn’t just a technical problem. It’s also a people problem, and keeping the people side of the security equation strong requires that all people in your organization have an awareness of security. This is why security awareness programs are so important.

The goal of a security awareness program — as you may have guessed — is to increase organizational understanding and practical implementation of security best practices. A program like this should apply to all hires — new and old, across every department — and it should be reinforced on a regular basis.

Here’s what you need to know to create a first-class security awareness program at your organization.

Mar 21, 2017 4:38:52 PM

Incorporating AWS Security Best Practices Into Terraform Design

by Tom McLaughlin, posted in Cloud Security, Terraform, AWS Security Best Practices

Implementing AWS security best practices into your Terraform design is an excellent way of ensuring that you have a streamlined way to achieve your security goals and manage your infrastructure.

In this post, we will talk about the following three areas of AWS security best practices and how to implement them with Terraform:

  • Environment segregation by AWS account
  • CloudTrail logging
  • Traffic and system access controls

Just to be clear, this post is not an introduction to Terraform: It’s an introduction to incorporating AWS security best practices into Terraform code.

Mar 20, 2017 10:37:32 AM

OS Updates and Package Management: Ubuntu Repo Management With Aptly and AWS S3

by Tom McLaughlin, posted in OS Updates, Aptly, Patch Management

Note: In light of the AWS S3 outage in us-east-1 on February 28, 2017, let's discuss a few things. Amazon's S3 has exemplary availability. Compare that with the time and cost of maintaining package distribution yourself. It's easy to look at S3's outage and conclude that it is better to handle the responsibility yourself. In the same way, it's easy to see news of a plane crash and conclude that driving is more reliable. The feeling of control doesn't always lead to the most reliable outcome. Aptly does provide the ability to serve a repository on its own. See how to front Aptly with nginx in an emergency like the one on Tuesday February 28.

It is an unfortunate fact that many organizations do not routinely perform comprehensive software patching. At Threat Stack, we have confirmed this with our own analysis of how frequently systems are updated, and Verizon’s DBIR shows us that the most commonly exploited vulnerabilities are months or years old.

But patching is one area where following the status quo is a very bad idea. As a best practice, your organization needs a patching strategy to make sure it remains secure, and with that in mind, this post explains how you can adopt a patching strategy that suits your organization’s needs and values.

Feb 28, 2017 8:11:14 PM

Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 2

by Tom McLaughlin, posted in Cloud Security Best Practices, Cloud Security Maturity, Managing Secrets

In Part 1 of this post we explained how you can find all the secrets in your environment. In Part 2 we will discuss effective ways to store and manage secrets — to keep them from leaking to unauthorized people.

Feb 26, 2017 10:32:57 AM

Chef Habitat For Packaging Python Flask Web Services

by Tom McLaughlin, posted in Cloud Security, Web Services, Python, Chef, Habitat

One of the challenges of building open source tools is figuring out how to package and distribute them. This is particularly true with web services. To make building, deploying, and running web services easier, Chef created Habitat.

When building open source web services for Threat Stack, one of our concerns is how to package these Python Flask applications so they run in the widest array of environments with low adoption friction. Using Habitat, the process is quick and easy.

For this post, we’re going to focus on the specifics of packaging a Python Flask application and the particular needs of that stack.

Feb 22, 2017 1:02:18 PM

Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 1 — truffleHog & git-secrets

by Tom McLaughlin, posted in Cloud Security Best Practices, Cloud Security Maturity, Managing Secrets

Secrets — passwords, API keys, secure tokens, private keys, and so on — protect access to sensitive resources in your environment. If not properly managed, they can end up in the wrong hands.

In Part 1 of this post, we will show you how to find secrets using truffleHog and git-secrets. In Part 2, we will explain how to manage them using appropriate software tools in order to quickly and cost-effectively achieve a higher level of security.

Feb 21, 2017 2:23:48 PM

Python Flask Exception Handling In A Secure Manner

by Tom McLaughlin, posted in Cloud Security, Exception Handling, Python, Flask, Python Flask Exception Handling

In our last Python Flask blog post, we walked through building a simple application to take in a Threat Stack webhook and archive the alert to AWS S3. In this post, we’ll dive into Python exception handling and how to do it in a secure manner.

The code in the last post was written to be as simple and readable as possible. However, what happens if something goes wrong in our application? There’s no error or exception handling. If something goes wrong — for example, we hit a bug or receive bad data — there’s nothing we can do about it in the application. Instead of returning a parseable JSON response, the app will just spit back a backtrace embedded in an HTML document. The entity sending the request to our service is then left trying to figure out what may have gone wrong.

Feb 9, 2017 2:02:31 PM
