
DevToolsDigest: Issue #120

On Thursday, Nov 14, Heavybit is hosting a


    The Week in Developer Tools

    Black Hat 2019 Recap: Strategies for Understanding Your Attacker

    Last week the security community descended on Black Hat for its 22nd consecutive year in Las Vegas. Over the course of the week-long event, major players in the cybersecurity space showcased new products, unveiled research findings, and shared insights with attendees.

    Netflix: New HTTP/2 Flaws Expose Unpatched Web Servers to DoS Attacks

    Netflix has discovered several resource exhaustion vectors affecting a variety of third-party HTTP/2 implementations. These attack vectors can be used to launch DoS attacks against servers that support HTTP/2 communication. Netflix worked with Google and CERT/CC to coordinate disclosure to the Internet community.

    New Envoy Release to Address HTTP/2 Flaws

    Envoy 1.11.1 addresses the recently disclosed HTTP/2 flaws; the release notes list the new per-connection frame limits and other fixes it ships.

    Cloudflare: On the Recent HTTP/2 DoS Attacks

    Cloudflare serves HTTP/2 with NGINX, and its customers are already protected against these attacks. As soon as Cloudflare's Protocols team became aware of the vulnerabilities they started working on fixes, first pushing a patch that detected attack attempts without blocking them, so they could confirm that normal traffic would not be affected by the planned mitigations before enforcing them.
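    The three items above describe flood-style resource exhaustion against HTTP/2 servers and the detect-then-enforce approach Cloudflare took. The following Python snippet is an added example written for this issue, not Netflix's, Envoy's, Cloudflare's or NGINX's code. It parses the HTTP/2 frame header layout from RFC 7540 (24-bit length, 8-bit type, 8-bit flags, 31-bit stream identifier) and applies two illustrative heuristics over a client-to-server byte stream: a cap on control frames that force the server to react (PING and SETTINGS without the ACK flag, RST_STREAM), which is the shape of the Ping Flood, Settings Flood and Reset Flood vectors, and a cap on consecutive empty DATA or HEADERS frames without END_STREAM, the shape of the Empty Frames Flood vector. The thresholds and the sample streams are constructed for the example; real servers tune such limits against observed traffic, which is exactly why Cloudflare shipped detection first.

```python
"""HTTP/2 flood heuristics over a raw frame stream (illustrative, not any vendor's code)."""
from typing import Iterator, Tuple

# Frame type codes from RFC 7540, section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4
PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 0x5, 0x6, 0x7, 0x8, 0x9
FLAG_ACK = 0x1         # meaningful on SETTINGS and PING
FLAG_END_STREAM = 0x1  # meaningful on DATA and HEADERS

Frame = Tuple[int, int, int, bytes]  # (type, flags, stream_id, payload)


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(buf: bytes) -> Iterator[Frame]:
    """Yield complete frames from buf; stop at a truncated trailing frame."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        off += 9
        if off + length > len(buf):
            break  # partial frame: wait for more bytes
        yield ftype, flags, stream_id, buf[off:off + length]
        off += length


def inspect_connection(buf: bytes, max_control_frames: int = 1000,
                       max_consecutive_empty: int = 1) -> dict:
    """Count flood indicators in one client->server byte stream.

    The thresholds are assumptions chosen for this example, not a vendor default.
      * control frames that force a reply or state change (PING without ACK,
        SETTINGS without ACK, RST_STREAM) are capped per connection;
      * consecutive DATA/HEADERS frames with an empty payload and no END_STREAM
        are capped, since each costs the server work but carries no request data.
    """
    control = 0
    empty_run = 0
    longest_empty_run = 0
    frames = 0
    for ftype, flags, _stream_id, payload in parse_frames(buf):
        frames += 1
        if (ftype in (PING, SETTINGS) and not flags & FLAG_ACK) or ftype == RST_STREAM:
            control += 1
        if ftype in (DATA, HEADERS) and not payload and not flags & FLAG_END_STREAM:
            empty_run += 1
            longest_empty_run = max(longest_empty_run, empty_run)
        else:
            empty_run = 0
    reasons = []
    if control > max_control_frames:
        reasons.append("control-frame flood")
    if longest_empty_run > max_consecutive_empty:
        reasons.append("empty-frame flood")
    return {"frames": frames, "control_frames": control,
            "longest_empty_run": longest_empty_run, "reasons": reasons}


# Constructed sample streams (not captured traffic).
NORMAL = (build_frame(SETTINGS, 0, 0, b"\x00\x03\x00\x00\x00\x64")      # SETTINGS_MAX_CONCURRENT_STREAMS=100
          + build_frame(HEADERS, FLAG_END_STREAM | 0x4, 1, b"\x82\x86")  # END_HEADERS; HPACK ":method GET", ":scheme http"
          + build_frame(PING, FLAG_ACK, 0, b"\x00" * 8))                 # PING ack: does not demand a reply
PING_FLOOD = build_frame(SETTINGS, 0, 0) + build_frame(PING, 0, 0, b"\x00" * 8) * 1500
EMPTY_FLOOD = build_frame(HEADERS, 0x4, 1, b"\x82") + build_frame(DATA, 0, 1) * 50

if __name__ == "__main__":
    for name, stream in ("normal", NORMAL), ("ping flood", PING_FLOOD), ("empty flood", EMPTY_FLOOD):
        print(name, inspect_connection(stream))
```

    Run as a script it prints the counters for the benign exchange and the two floods; only the floods come back with a non-empty `reasons` list. A detect-only deployment logs that list, and enforcement (closing the connection with GOAWAY) is switched on only once the counters have been watched against production traffic.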

    Snyk: Staying Ahead of Security Vulnerabilities with Security Patches

    As part of the normal software development workflow, teams release new versions of their packages or apps to fix security issues as they arise. With open-source projects, however, maintainers are usually volunteers, so it can take time before a fixed release of a package is published, leaving dependents exposed in the meantime.

    Industry Research

    What Are the Worst Security Practices You've Ever Witnessed?

    Ben Halpern once overheard someone passing along a password belonging to the social media accounts of a multi-billion dollar company. The password was the company brand name, all lowercase, plus a number—about 6-8 characters in total.

    CSA Security Update Podcast: TruSTAR CEO Paul Kurtz on the Value of Information Sharing on Threat Intelligence

    TruSTAR CEO and co-founder Paul Kurtz recently appeared on Cloud Security Alliance’s podcast to discuss the value that information sharing adds to threat intelligence. Paul and John cover a range of topics about information sharing, discussing how SOCs can proactively defend their organizations by normalizing and sharing suspicious data.

    CircleCI: Why We Hired Two DefCon Hackers to Teach Our Team to Think Like Deviants

    Secure code training was one of the first things Chief Technology Officer Rob Zuber asked Tad Whitaker to take on when Tad joined as CircleCI's first security engineer a couple of years ago. A few years earlier, Rob had taken part in a security training event at Google, and during one exercise there he discovered a wide-open vulnerability in his own service.

    Developer Venture News

    Cybereason Raises $200M Led By SoftBank, Continuing Cybersecurity’s Boom

    The company uses big data analytics to identify and respond to cyber attacks. CEO Lior Div says the company's mission is to help "security teams prevent more attacks, sooner, in ways that enable understanding and taking decisive action faster" with the help of AI.

    From The Heavybit Community

    Save the Date: DevGuild: Enterprise Security is Happening November 14

    In order to sell your developer product to the enterprise, you need to show that your team, code, and processes are secure. 

    Through a combination of keynote sessions, case studies, and panels, we’ll guide you through the distinct challenges developer companies face as they secure their products and their teams for enterprise deployments. Hear real stories from seasoned enterprise security leaders and developer startup founders, and leave with a clear framework for securing your own product for enterprise success.
    Past DevGuild speakers include leaders from PagerDuty, Twilio, MuleSoft, GitLab, HashiCorp, and Auth0. For more information and to snag your Early-Bird Tickets, check out our site.

    Tackling Enterprise Security Challenges

    As organizations move up market, they often face challenges around building and communicating their security processes. At DevGuild: Enterprise Security, we’ll focus on the security processes, tools, and practices that teams need to expand their business into the enterprise. If you want to get a head start on learning how to tackle enterprise security questions, revisit some of our favorite articles, videos and podcasts from previous Heavybit sessions.