Posts

  • SecureFlag's contextual security training is now available for Jira!

    How can developers integrate effective, on-the-fly security into their workflow, minimizing time overhead and maximizing productivity?

  • SecureFlag's contextual security training is now available on GitHub - security knowledge when it's needed most

    How can developers write production-ready code that both performs optimally and securely?

  • Threat Analysis Training With SecureFlag

    Even to the layman, the sheer volume of successful high-profile attacks on public and private entities the world over speaks volumes about the state of defensive security concerning the management and protection of technological infrastructure. From small family-run businesses with 5 employees, to purportedly impenetrable government and defence organisations like the National Security Agency, attackers continue to gain the upper hand in the ongoing fight to extract secrets, and seemingly infinite budgets are evidently ineffective at stemming the flow. In short, getting defensive security right is an incredibly difficult job.

  • How QA and Security Testing Training Makes Software More Secure

    “Experience is merely the name men gave to their mistakes.”

    – The Picture of Dorian Gray

  • Why Secure Coding Training is Essential for 100% Compliance with FDA 21 CFR Part 11

    The U.S. Food and Drug Administration (FDA) is a federal agency that’s responsible for protecting public health, and for regulating and supervising, among other things, food, drugs, medical devices, pharmaceuticals and vaccines.

  • The Strong Relationship between HIPAA Compliance and Secure Coding Training

    In the healthcare sector, user privacy promotes effective communications between patients and healthcare providers, protects individuals’ dignity, and prevents economic harm, embarrassment, and discrimination. Although patient-data protection is a healthcare cornerstone in numerous jurisdictions globally, this article is specifically about the United States’ Health Insurance Portability and Accountability Act (HIPAA).

  • Securing the Docker Ecosystem: Part 3: Strategies to Secure the Container Runtime

    Our previous two articles about securing the Docker ecosystem addressed two specific and critical areas: the Daemon and the container Build Phase. In each article, we shed light on the dark side of various default configurations, presented evidence of the latest attack methods during the build phase, danced with the Daemon and secured its weak underbelly… and less fantastically, we provided expertly-articulated recommendations and best practices to help you in your Docker-securing endeavors. If you haven’t read these articles yet, here are the links to the first and second blog posts.

  • Securing the Docker Ecosystem: Part 2: Strategies to Secure the Container Build

    Welcome back to Securing the Docker Ecosystem - our three-part series on improving the security posture of your Docker ecosystem. In each article, we address one particular aspect of Docker through a security lens.

  • Securing the Docker Ecosystem: Part 1: Strategies to Secure the Docker Daemon

    In recent times, two key advancements, the acceleration of the software development cycle and the increasing complexity of the application stack, have triggered the need for faster and easier ways of pushing code into production. In this context, more lightweight, flexible, and resource-efficient approaches, such as “containers”, have become increasingly popular. To this end, more and more organisations have adopted Docker technology as the de facto standard in their application container space.

  • Adaptive AppSec Learning for Developers: The Advantages that Organisations Just Can't Afford to Ignore

    Ever heard of a pilot who flew a real plane after merely reading about it in a manual?

    Or a chef in a five star restaurant who served real customers after only reviewing a couple of recipe books?

    Or a professional musician who gave a real performance after simply memorizing some musical compositions?

  • Stretching the Elasticsearch

    Breaking: Elasticsearch instance left wide open by SomeCompany exposing millions of records, including passwords and other personal data… now to sports

    Sound familiar? Headlines like this have become increasingly common front-page news over the past several years, as adoption of Elasticsearch, a powerful distributed search and analytics engine based on the Lucene indexing library, has grown exponentially. The combination of its rising popularity and its lack of security features enabled by default (authentication and TLS were opt-in until version 8.0) has ensured the widespread presence of misconfigured instances in the wild. This article explores the impact of a number of misconfigurations that occur when the best practice guidelines provided by the (excellent) official documentation are neglected.

  • The Key to Achieving PCI DSS Compliance: Effective PCI Training For Developers

    Data is everywhere… but so are data thieves!

    Any organization that collects, processes, analyzes, or stores data needs to be aware of the risks to this data. And this is especially true for organizations that collect, process, analyze, or store financial data.

  • 7 Kubernetes security challenges, and how to steer the container ship

    Kubernetes Container Orchestration!…

    Now that we have your attention, let’s dig a little deeper into Kubernetes, an open-source orchestration layer that manages container-based applications.

    In this article we’ll explore some of the security challenges you’re going to face when administering Kubernetes clusters, and the appropriate preventative measures to batten down the Kubernetes hatches.

  • Why is practical AppSec training for developers vital for your organization?

    All applications risk being hacked without robust, properly configured application security controls in place. Whereas employing a team of ethical hackers may help in providing assurance on the resilience of the system post-deployment, having a secure Software Development Life Cycle (SDLC) better equips organizations to address security concerns at the foundational level. Building security in early in the SDLC is more cost-efficient and scalable, enabling organizations to identify and correct security issues earlier in the development life cycle.