On Thursday, Nov 14, Heavybit is hosting a half-day conference for founders, CISOs, security engineers, and product owners who build, secure, and sell devtools for the enterprise.
This week's special digest includes enterprise security news and resources from Netflix, Cloudflare, Snyk, the Cloud Security Alliance, CircleCI, Cybereason, and more.
Have feedback for us on the DevToolsDigest, or have something to share in the next issue? Email us at [email protected]
Last week the security analyst community descended upon Black Hat for its 22nd consecutive year in Las Vegas. Over the course of this week-long gala, major players in the cybersecurity space showcased their new innovations, unveiled findings, and shared insights with attendees.
Netflix has discovered several resource exhaustion vectors affecting a variety of third-party HTTP/2 implementations. These attack vectors can be used to launch DoS attacks against servers that support HTTP/2 communication. Netflix worked with Google and CERT/CC to coordinate disclosure to the Internet community.
Cloudflare uses NGINX for HTTP/2. Customers using Cloudflare are already protected against these attacks. As soon as they became aware of these vulnerabilities, Cloudflare’s Protocols team started working on fixing them. They first pushed a patch to detect any attack attempts and to see if any normal traffic would be affected by their mitigations.
Traditionally, as part of the software development workflow, teams release new versions of their packages or apps in order to fix security issues as they arise. With open-source projects, however, because maintainers are usually volunteers, it may take time before fix releases for packages are published.
Ben Halpern once overheard someone passing along a password belonging to the social media accounts of a multi-billion dollar company. The password was the company brand name, all lowercase, plus a number—about 6-8 characters in total.
TruSTAR CEO and co-founder Paul Kurtz recently appeared on Cloud Security Alliance’s podcast to discuss the value that information sharing adds to threat intelligence. Paul and John cover a range of topics about information sharing, discussing how SOCs can proactively defend their organizations by normalizing and sharing suspicious data.
Secure code training is one of the first things Chief Technology Officer Rob Zuber asked Tad Whitaker to handle when he started as CircleCI’s first security engineer a couple of years ago. A few years earlier, Rob had taken part in a security training event at Google. During an exercise at the event, he discovered a vulnerability that was wide open on his service.
The company uses big data analytics to identify and handle cyber attacks. Specifically, CEO Lior Dov says the company’s mission is to help “security teams prevent more attacks, sooner, in ways that enable understanding and taking decisive action faster” with the help of AI.
In order to sell your developer product to the enterprise, you need to show that your team, code, and processes are secure.
Through a combination of keynote sessions, case studies, and panels, we’ll guide you through the distinct challenges developer companies face as they secure their products and their teams for enterprise deployments. Hear real stories from seasoned enterprise security leaders and developer startup founders, and leave with a clear framework for securing your own product for enterprise success.
As organizations move up market, they often face challenges around building and communicating their security processes. At DevGuild: Enterprise Security, we’ll focus on the security processes, tools, and practices that teams need to expand their business into the enterprise. If you want to get a head start on learning how to tackle enterprise security questions, revisit some of our favorite articles, videos and podcasts from previous Heavybit sessions.