A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

New MIT Tool Automatically Rewrites Old Code for New Software (Motherboard, Sep 27 2017)
But take heart: It still requires human developers. The tool, dubbed CodeCarbonCopy (CCC), works by comparing the execution of both the new software and the “donor” software, and then updating things like variable names and data representations in the donor code to the new host code. So, if the host program calls some variable x, CodeCarbonCopy will find the matching variable in the new code and rename it.

Introducing SQL Vulnerability Assessment for Azure SQL Database and on-premises SQL Server! (Microsoft Azure Blog, Sep 25 2017)
SQL Vulnerability Assessment (VA) is a new service that provides you with visibility into your security state, and includes actionable steps to investigate, manage, and resolve security issues and enhance your database fortifications. It is designed to be usable for non-security-experts.

Canarytokens’ new member: AWS API key Canarytoken (thinkst Thoughts, Sep 15 2017)
This new Canarytoken allows you to sprinkle AWS API keys around and then notifies you when they are used. (This is the fourth post in a series highlighting bits from a BlackHat USA 2017 talk.)

Software Assurance: Thinking Back, Looking Forward (Dark Reading, Sep 20 2017)
Ten personal observations that aim to bolster state-of-the-art and state-of-practice in application security.

Cloud services: What to consider when migrating your infrastructure (WeLiveSecurity, Sep 22 2017)
Most companies have switched the majority of their services and information over to the cloud. There are many reasons for this, ranging from cost to practicalities.

Microsoft finds a security flaw in Chrome and gets $7,500 as a prize (Windows Latest, Sep 26 2017)
Microsoft's Offensive Security Team has discovered a security flaw in the Chrome browser. Google Chrome was reported to be the most resilient browser against attacks, whereas Microsoft Edge was the most hacked browser at Pwn2Own 2017.

Why is Serverless Extensibility better than Webhooks? (Auth0 Blog, Sep 11 2017)
Webhooks are a clean and simple way to add extensibility points into your SaaS, but Serverless Extensibility removes several points of friction on your customers.

The Promise and Practice of Cloud (Gartner Blog Network, Sep 26 2017)
CEOs know that it’s not the speed of action that wins if that action itself is poorly judged. Speed will help if your response or action is useful. Today the cloud conversation is fixated on speed and performance.

Greater Transparency into Actions AWS Services Perform on Your Behalf by Using AWS CloudTrail (AWS Security Blog, Sep 20 2017)
To make managing your AWS account easier, some AWS services perform actions on your behalf, including the creation and management of AWS resources. This post shows how to view CloudTrail logs so that you can more easily monitor and audit AWS services performing actions on your behalf.

Why You Need Automated Security in an Agile Software Environment (Checkmarx Blog, Sep 26 2017)
Unfortunately, for all the benefits that agile provides, security has become a major challenge for many organizations as they adopt agile processes. One reason for this is the lack of security processes and checks during agile development processes.

Continuous Deployment and Monitoring of Microservices (Blogs – DevOps.com, Sep 27 2017)
Continuous deployment and continuous monitoring have grown up in DevOps, and microservices have grown up as a delivery platform. While all are relatively stable concepts at this point, there are still a fair number of practitioners that are struggling with the merging of these concepts to create a holistic environment that allows for deep understanding and easy deployments.

Software Security is an Engineering Problem (Blogs – DevOps.com, Sep 21 2017)
Shifting security to an all-around engineering responsibility requires the elimination of traditional work silos. Geared-for-speed developers must receive precise information early, allowing them to correct security problems during the initial coding process.

Announcing Azure Log Analytics Relay for Chef Automate (Chef Blog, Sep 21 2017)
Chef announces availability of Azure Log Analytics Relay for Chef Automate – this integration allows all notifications from Chef Automate to be sent to Azure Log Analytics (a component of Azure’s Insights & Analytics platform).

DevOps and Security: Fighting Factions or Fabulous Friends? (DZone DevOps Zone, Sep 23 2017)
The general view is that DevOps is a rapid approach to development and implementation, quickly enabling companies to introduce new code and programs to an entire company, while security is seen as careful in its approach, ensuring every angle of protection has been considered.

Extending per second billing in Google Cloud (Google Cloud Platform Blog, Sep 26 2017)
GCP extends per-second billing, with a one-minute minimum, to Compute Engine, Container Engine, Cloud Dataproc, and App Engine flexible environment VMs.

Azure DDoS Protection Service preview (Microsoft Azure Blog, Sep 25 2017)
Microsoft announces the preview of Azure DDoS Protection Standard. This service is integrated with Virtual Networks and protects Azure applications from the impact of DDoS attacks. It enables additional application-specific tuning, alerting, and telemetry features beyond the basic DDoS protection that is included automatically in the Azure platform.

Built-in security and operations management for Azure and hybrid environments (Microsoft Azure Blog, Sep 25 2017)
Customers are looking for technologies to help with cloud security and cloud management. More customers are asking for management that is rooted in the cloud and really designed for the new cloud paradigm. Here are some related Azure services and features.

Ixia Delivers End-to-End Visibility for All Leading Public Cloud Platforms (Ixia Press Release, Sep 27 2017)
Ixia further extended the CloudLens™ Visibility Platform to include support for Microsoft Azure, Google Cloud Platform, IBM Bluemix, and Alibaba Cloud, in addition to the existing support for Amazon Web Services (AWS), and for both Windows and Linux.