Immutable Infrastructure and Security, Part 2

There are many security benefits of immutable infrastructure. In the previous article, we took a high-level look at some of the potential advantages for software development organizations that implement immutable infrastructure (II). Immutability is an important element in improving scalability, business outcomes, and, most importantly, security posture. Now in part 2, we’ll explore some practical aspects of […]

Immutable Infrastructure and Security, Part 1

Immutable infrastructure is a concept that, despite its many benefits, is often a lofty goal rather than an implemented practice. Many organizations have considered adopting it, but often it gets de-prioritized in the pursuit of faster time-to-market and shipping new features. However, immutable infrastructure is a critical practice for safely deploying application infrastructure at scale. […]

Azure WAF: A Deep Dive, Part 2

In today’s threat environment, a WAF (Web Application Firewall) must be able to protect against a wide variety of threats. A well-known list of these is maintained by the Open Web Application Security Project, known as the OWASP Top 10. This list is not comprehensive, nor is it meant to be. (OWASP says it is […]

New Attack Method for Bypassing WAFs (Yours Might Be Vulnerable)

A “generic WAF bypass” technique has been discovered. It uses JSON to conceal an SQLi (SQL injection) attack, thus allowing the attacker to exfiltrate data or do other malicious activities. Reblaze has always blocked this attack method. However, many other industry-leading WAFs had this vulnerability until a few days ago. This implies that others might […]

Google Cloud Armor: A Deep Dive, Part 2

As the main web security tool for GCP, Cloud Armor needs to provide a lot of functionality. In Google Cloud Armor: A Deep Dive, Part 1, we described the basic features of Google’s cloud web application firewall (WAF). We discussed its defenses against standard web attacks (such as SQL injection, cross-site scripting, etc.), along with […]

Google Cloud Armor: A Deep Dive, Part 1

In the modern threat environment, robust protection for web applications is a necessity. If your application is hosted in a cloud (IaaS) environment such as Google Cloud Platform (GCP), your first choice would probably be to consider a built-in security service such as Cloud Armor. But is that the best choice for your product and […]

Secure Your Cloud Software Supply Chain

In recent years, there has been a dramatic increase in the number of high-profile software supply chain attacks. Vulnerabilities like Log4Shell left engineering teams across the tech industry scrambling to patch millions of vulnerable nodes. The Orion NMS (Network Management System) suffered a serious supply-chain attack that compromised its systems and those of its customers, […]

Infrastructure-as-Code Security

In the cloud-first world, infrastructure as code (IaC) has become a key part of software development and deployment. IaC allows engineering teams to manage their cloud infrastructure in a repeatable, consistent way. Unfortunately, when it comes to security, too often the focus stays on the application itself, with little attention paid to IaC code. Organizations […]

Azure WAF, A Deep Dive: Part 1

A web application firewall (WAF) is a crucial part of a robust security posture. A WAF detects and blocks a wide variety of threats within incoming traffic: cross-site scripting (XSS), code and SQL injection, protocol exploits, and others. The top-tier cloud providers (AWS, GCP, and Azure) all offer web security tools, including WAFs. We’ve previously […]

Securing CI/CD Pipelines in the Cloud

As cloud-based CI/CD pipelines become more popular, organizations are increasingly looking for ways to secure these critical systems. Often the central pillar of automation for DevOps and agile development teams, CI/CD infrastructure can be a very inviting target for attackers. As a result, organizations that depend on cloud-based CI/CD need to be even more diligent […]