Security Stack Sheet #110


 Word of the Week

“Cyber Security Macro Themes for the 2020s”

There will be 6 major themes that differentiate great security programs, products, features and processes. These are different from overall risk and control trends; rather, they are about the way controls are developed and deployed, and represent a unified theme of folding cybersecurity into systems delivery.

Control trends all center on continuity: continuous access assurance and least privilege, continuous software assurance and developer-centric tooling, continuous and adaptive micro-segmentation / meshing, continuous control conformance monitoring, continuous anomaly detection, and relentless processes to adapt control frameworks according to threat intelligence (macro and micro). But it is becoming more important to consider how we deploy these, rather than just doing so and walking away.





“WAAP in WAF clothing”

the WAF in WAAP Clothing

Magic Quadrant for Web Application Firewalls

The WAF market remains dynamic, with many providers claiming strong, two-digit growth. Gartner observed a short period of slowdown during the early days of the pandemic, followed by a quick return to normal with 20% growth in end-user WAF inquiries for the first half of 2020.

WAF Appliance Is the Silent Majority: Most Gartner client inquiries involve selecting a WAAP product. However, Gartner estimates that most existing WAF deployments are in the form of physical or virtual appliances. This is especially true outside North America, and among the more traditional web applications, even when deployed on IaaS. What is changing is that, despite the existing market share, most providers now prioritize the development of their WAAP products. When planning their roadmap, providers favor features that can be delivered in both deployment form factors.



WAAP Is the Primary Solution for New Applications: Gartner has observed the growing importance of WAAP architecture. There is a split between WAAP over IaaS infrastructure (“cloud-rented”), which sometimes looks like a forklift of WAF appliance products, and distributed WAAP built on proprietary infrastructure (“cloud-owned”). The latter architecture style tends to move faster when adding new features and leveraging large-scale data to feed learning algorithms. The single-site (or regional) approach often comes with centralized management expanding beyond WAAP. Customers with hybrid WAF deployments often favour this option. Customers with a larger number of cloud-hosted web applications and APIs to protect tend to favour the distributed WAAP, which more often comes bundled with a CDN and favourable DDoS protection add-ons.

Links HERE and HERE and HERE


Word of the Week Special

“Eradicating Vulnerability Classes”

How? By shelving SAST & Embracing Secure Defaults & Invariants

Links HERE





Bird tracked without consent 😊




No link


Link HERE and about the issue HERE


Link HERE – thanks to TK






AND answers










Crypto challenge of the week


Fall down the rabbit hole and enter wonderland


Hack this repository: The EkoParty 2020 GitHub CTF challenges




  • May 25th 2018: Over 2 years of GDPR live! See incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius

Rumour vs reality


  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office365, Cisco and many others]
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit (properly) Finalised?
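The TLS 1.2 items above are deadlines, not procedures, so here is the check a practitioner would actually run before the June 2020 cut-off. This is an added example, not code from the newsletter or from Qualys, Microsoft or any browser vendor: it audits an nginx-style `ssl_protocols` directive (the directive format and the sample lines are assumed/constructed) for TLS 1.0 and 1.1 entries that SSL Labs caps at a B, and it builds a Python `ssl.SSLContext` pinned to a TLS 1.2 minimum so an application cannot negotiate the versions Office 365 and the browsers are dropping.

```python
"""Audit TLS version settings against a 'TLS 1.2 minimum' baseline.

Added example (not from the newsletter). Two views of the same control:
  1. evaluate_ssl_protocols(): audits an nginx-style `ssl_protocols`
     directive (assumed format) and lists the deprecated versions it enables.
  2. hardened_context(): an ssl.SSLContext whose minimum version is TLS 1.2,
     plus deprecated_versions_permitted() to show what a context still admits.
"""
import ssl

# TLS 1.0 / 1.1 (and SSL) are the versions being switched off in 2020.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}


def parse_ssl_protocols(directive):
    """'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' -> ['TLSv1', 'TLSv1.1', 'TLSv1.2']."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    return tokens[1:]


def evaluate_ssl_protocols(directive):
    """Return which enabled versions are deprecated and whether the line is compliant.

    Compliant means: no deprecated version enabled, nothing unrecognised,
    and at least one acceptable version present.
    """
    enabled = parse_ssl_protocols(directive)
    deprecated = [p for p in enabled if p in DEPRECATED]
    unknown = [p for p in enabled if p not in DEPRECATED | ACCEPTABLE]
    compliant = not deprecated and not unknown and any(p in ACCEPTABLE for p in enabled)
    return {
        "enabled": enabled,
        "deprecated": deprecated,
        "unknown": unknown,
        "compliant": compliant,
    }


def hardened_context():
    """Server context that refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def deprecated_versions_permitted(ctx):
    """Names of deprecated versions a context's minimum_version still admits."""
    legacy = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1]
    return [v.name for v in legacy if ctx.minimum_version <= v]


if __name__ == "__main__":
    # Constructed sample directives: the weak setting beside the corrected one.
    weak = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
    fixed = "ssl_protocols TLSv1.2 TLSv1.3;"
    for line in (weak, fixed):
        print(line, "->", evaluate_ssl_protocols(line))
    print("hardened context permits:", deprecated_versions_permitted(hardened_context()))
```

Run it as a script to see the weak directive flagged and the corrected one pass; the same two functions can be pointed at real config lines pulled from a repository or a configuration-management inventory, which is the "continuous control conformance monitoring" theme from the top of the sheet applied to one concrete control.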

Old one to make you giggle (again)


  • 1st of July 20201 – Freedom from viruses?
  • November 3rd 2020: Trump’s second term start

Massive US Voters and Consumers Databases Circulate Among Hackers


  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • December 31st, 2020 Flash End-of-Life
  • US Government Websites Will be Accessible Through HTTPS Only, After September 1


Book of the month

Code of Practice: Cyber Security and Safety

This Code of Practice is written for engineers and engineering management to support their understanding of the issues involved in ensuring that the safety responsibilities of an organization are addressed, in the presence of a threat of cyber attack. “If it’s not secure, you can’t be confident it’s safe”.



Chaos Engineering



Comic of the week

Code Reuse - Dilbert by Scott Adams


Some OWASP stuff first
