A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

How to Automatically Revert and Receive Notifications About Changes to Your Amazon VPC Security Groups (AWS Security Blog, Oct 11 2017)
An AWS example of a responsive control, which you can use to automatically respond to a detected security event by applying a chosen security mitigation.

Part 2: NetDevOps Goes Beyond Infrastructure as Code (Cisco Blog, Oct 11 2017)
“In Part 1: Embrace NetDevOps, Say Goodbye to a “Culture of Fear”, I introduced my definition of NetDevOps and talked about how we need to dispel the “Culture of Fear” as we move to NetDevOps. We also considered the two stakeholders of NetDevOps, the builders and consumers of the network. In this post I’ll be picking up where I left off, discussing the core principles of NetDevOps.”

Automating TLS Configuration Verification (Security Innovation Blog, Sep 22 2017)
In the past 4 years, the adoption rate of HTTPS (between web browsers and web applications) has steadily increased as reported by the Google Transparency Report. In addition, a large number of tools like testssl.sh, O-Saft, and Qualys SSL Labs have emerged to help test and ensure proper TLS configuration across common web servers. This makes it easier for administrators to configure web application front-ends with strong cryptography…

More Businesses Accidentally Exposing Cloud Services (Dark Reading, Oct 09 2017)
More than half of organizations using cloud services like Amazon Simple Storage Service (S3) have inadvertently exposed at least one of these services to the public, up from 40% earlier this year.

SQL server security (CQURE Academy, Oct 05 2017)
SQL Server networking security – two deadly mistakes that are made by people who configure SQL Server in their enterprises.

S3 Antivirus Scanning with Lambda and ClamAV (Blue Sentry, Oct 04 2017)
There have been many stories over the past months about S3 buckets being left unsecured: terabytes of sensitive data available for the whole world to download. CyberSecurity 101 teaches, “Don’t leave private data open to the public,” but somehow many major companies have let this one slip through the cracks.

Application Load Balancers Now Support Multiple TLS Certificates With Smart Selection Using SNI (AWS Blog, Oct 10 2017)
Amazon now provides support for multiple TLS/SSL certificates on Application Load Balancers (ALB) using Server Name Indication (SNI). You can now host multiple TLS secured applications, each with its own TLS certificate, behind a single load balancer.

3 Ways to Prevent Cross-Site Scripting (Blog – Checkmarx, Oct 09 2017)
XSS has been a mainstay on the OWASP Top 10 list since its inception…here are some of the best-known practices for preventing it in the first place.

Building Security into Code and Culture (Blogs – DevOps.com, Oct 11 2017)
Baking security measures into design and development is likewise a better approach when it comes to code, but it presents a problem: Developers, by nature, don’t want to take the time to build safety nets.

Shadow cloud apps pose unseen risks (CSO Online, Oct 10 2017)
When individuals and departments bypass IT to acquire cloud services and apps, IT and security teams are blind to the security vulnerabilities and compliance issues they present.

Is ‘secure open source component use’ an oxymoron? (CSO Online, Oct 05 2017)
Asking developers to stop using components would be like asking writers to stop using word processing and go back to typewriters. But with these benefits comes some risk. They can, and often do, contain vulnerabilities. And the nature of their use – the functionality in one component is used again in multiple other components – means they spread risk like wildfire.

3 Principles of Securing DevOps (DZone DevOps Zone, Oct 06 2017)
Step 1: Start in Design, Step 2: Automate All. The. Things., and Step 3: Develop “Good Citizens” Not “Good Builds”

How the Cloud & Data Analytics Can Help Protect Against Ransomware Attacks (Citrix Blogs, Oct 11 2017)
The time has come to stop focusing on fear and doubt, and to move forward with conviction. Allocate resources where they will be the most effective at protecting sensitive company apps and data.

How is a Stateful Firewall like a Vintage Porsche? (Cisco Blog, Oct 11 2017)
“I can’t tell you how many IT managers I’ve run into lately who say: “Why should I replace my firewall, it still works?” My neighbor’s beautiful old Porsche and the IT manager’s aging stateful firewall still perform to what was the state of the art at the time they were introduced, in the case of firewalls, 20+ years ago.”