A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

HP Shared ArcSight Source Code with Russians (Schneier on Security, Oct 04 2017)
Reuters is reporting that HP Enterprise gave the Russians a copy of the ArcSight source code. The article highlights that ArcSight is used by the Pentagon to protect classified networks, but the security risks are much broader. Any weaknesses the Russians discover could be used against any ArcSight customer.

DNSSEC key signing key rollover: Are you ready? (CSO Online, Oct 02 2017)
ICANN has postponed the deadline for updating name servers with the new root zone key signing key to early 2018 because too many ISPs and network operators are not ready, and that would cause DNSSEC validations to fail.

Fear Not: You, Too, Are a Cybercrime Victim! (Krebs on Security, Oct 04 2017)
Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today.
Yahoo! announced that, our bad!: It wasn’t just one billion users who had their account information filched in its record-breaking 2013 data breach. It was more like three billion (read: all) users.

3 billion Yahoo accounts affected by 2013 breach (Naked Security – Sophos, Oct 03 2017)
The 2013 breach is three times worse than we thought.

Cloud security policy: The questions you need to ask (WeLiveSecurity, Sep 29 2017)
Before approaching a vendor, you should clarify the answers to a few questions about the needs of your organization.

Gary McGraw on BSIMM8 and Software Security (Threatpost, Oct 02 2017)
Software security pioneer Gary McGraw talks to Mike Mimoso about the latest iteration of the Building Security In Maturity Model (BSIMM) report. BSIMM is a snapshot of how some of the world’s biggest tech companies and enterprises are handling secure development practices.

DevOpsSec: A Big Step in Cloud Application Security (Dark Reading, Oct 03 2017)
Why it’s time for DevOps and security teams to bury the hatchet — and not in each other’s back.

Google makes encryption mandatory for sites on 45 Top-Level Domains (Naked Security – Sophos, Oct 03 2017)
Millions of new sites registered under each TLD will now have HTTPS enforced.

Oracle Unveils Autonomous Database Cloud (Oracle Press, Oct 03 2017)
“This is the most important thing we’ve done in a long, long time,” said Ellison. “The automation does everything. We can guarantee availability of 99.995 percent, less than 30 minutes of planned or unplanned downtime.”

New Standards Will Shore up Internet Router Security (Dark Reading, Oct 03 2017)
The BGP Path Validation draft standards were designed to ensure that Internet traffic flows only along digitally signed, authorized paths.

Cloudflare CTO Goes Inside the Cloudbleed Bug (Threatpost, Oct 04 2017)
Cloudflare’s chief technology officer was frank and apologetic about February’s Cloudbleed bug during today’s Virus Bulletin 2017 keynote.

Amazon Cognito User Pools Now Integrates with Amazon Pinpoint to Add Analytics for User Pools (AWS Security Blog, Sep 27 2017)
Amazon Cognito User Pools now integrates with Amazon Pinpoint to provide analytics for user pools and to enrich the user data for Amazon Pinpoint campaigns. Amazon Cognito User Pools provides user directories that make it easy to add sign-up and sign-in to your mobile or web application.

Is AWS Cloud Per-Second Billing Boon or Bane for DevOps Engineers? (Blogs – DevOps.com, Oct 04 2017)
Amazon’s introduction of its AWS services in 2006 with a per-hour billing model for compute resources was a game-changer for the IT world. Since then, AWS has taken over the cloud computing market as a leader, while broadening the range of cloud services offered every year. However, the per-hour billing business model was one of the major issues for many customers—in particular, those who had applications using EC2 for only minutes at a time.

Cloud-native apps push static code analysis tools to the limit (Checkmarx, Oct 02 2017)
An interview with Matt Rose, global director of application security strategy at Checkmarx. “A lot of times, you may have five harmless things in your application, each of which is agnostic to the other. Individually, they’re not that big a deal,” Rose said. “But when you have them all together, then a formulated attack can happen.”

Introducing nested virtualization for Google Compute Engine (Google Cloud Platform Blog, Sep 28 2017)
Google Compute Engine now supports nested virtualization in beta. This feature allows you to run one or more virtual machines inside a Compute Engine Linux virtual machine — VMs inside of VMs.

Announcing new Azure VM images: SQL Server 2017 on Linux and Windows (Microsoft Azure Blog, Oct 02 2017)
Microsoft announced that SQL Server 2017 images on Linux and Windows are now available in the Azure Marketplace! Deploying SQL Server in Azure VMs combines the industry-leading performance and security, built-in artificial intelligence, and business intelligence of SQL Server, now available on both Linux and Windows, with the flexibility, security, and hybrid connectivity of Azure.

Chef 101: The Road to Best Practices (Chef Blog, Sep 28 2017)
A look at some practices that can help you get a running start with your Chef Automation, but through the eyes of Sam, an IT professional and newcomer to Chef.