A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

What You Should Know About the ‘KRACK’ WiFi Security Weakness (Krebs on Security, Oct 16 2017)
Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it.

Microsoft responded quietly after detecting secret database hack in 2013 (Reuters, Oct 18 2017)
Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.

Google’s strongest security, for those who need it most (Google Blog, Oct 18 2017)
Advanced Protection is designed for those who are at an elevated risk of attack and are willing to trade off a bit of convenience for more protection of their personal Google Accounts.

What’s the fuzz about? Microsoft unveils its latest security tool (Naked Security – Sophos, Oct 11 2017)
Microsoft’s got a new fuzzer… but what is fuzzing and what’s behind the recent enthusiasm for it?

6 Steps to Finding Honey in the OWASP (Dark Reading, Oct 12 2017)
The most famous project of the Open Web Application Security Project is getting an update. Here’s what you need to know, and how you can get involved.

10 Major Cloud Storage Security Slip-Ups (So Far) this Year (Dark Reading, Oct 13 2017)
Accenture is the latest in a string of major companies to expose sensitive cloud data this year, following Verizon, Deloitte, and Dow Jones.

Easily create securely configured virtual machines (Microsoft Secure, Oct 12 2017)
You can now purchase hardened virtual machine images within Azure, based on the partnership between Microsoft and the Center for Internet Security (CIS).

‘Crypto Anchors’ Might Stop the Next Equifax-Style Megabreach (Wired, Oct 16 2017)
There’s no foolproof system to keep hackers out. Instead, this increasingly popular security design keeps them in.

Creating a secure development culture (CSO Online, Oct 16 2017)
Focusing on culture might be the most important thing an organization can do when developing secure software.

Pandora’s Box: Auditing for DDoS Vulnerabilities, Part II (Radware Blog, Oct 17 2017)
Many organizations are asking themselves whether they have adequate visibility into their vulnerability to hacktivist (ideologically motivated) and availability-based (competitively motivated) attacks.

VirusTotal, Equifax, and Antimalware Products (Security Through Absurdity, Oct 14 2017)
There is a subtle precision in the statement “VirusTotal only showed three antimalware scanners detecting malware.” If you think that means only three scanners on VirusTotal detected the malware, then read it again more carefully; that is not what it says and that is not what it means.

It Takes Just $1000 to Track Someone’s Location With Mobile Ads (Wired, Oct 18 2017)
University of Washington researchers have shown just how cheaply spies can exploit ad networks for fine-grained, individualized surveillance.

Why the Krack Wi-Fi Mess Will Take Decades to Clean Up (Wired, Oct 17 2017)
The Krack Wi-Fi vulnerability exposes just how deeply broken IoT security really is—and just how limited the options are to repair it.

Introducing Grafeas: An open-source API to audit and govern your software supply chain (Google Blog, Oct 18 2017)
Building software at scale requires strong governance of the software supply chain, and strong governance requires good data. Google, along with JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS, announced Grafeas, an open source initiative to define a uniform way for auditing and governing the modern software supply chain.

It’s Time to Break Up with Your WAF (Devops.com, Oct 12 2017)
If the only reason you have a web application firewall (WAF) is for compliance, you deserve better. It’s time to replace it with something that provides not only compliance, but real security value as well. In the land of web application security, there are a few not-so-well-kept secrets, arguably none bigger than this: The WAF…

App Engine firewall now generally available (Google Cloud Platform Blog, Oct 13 2017)
The App Engine firewall lets you control access to your App Engine app through a set of rules, and is now generally available, ready to secure access to your production applications. Simply set up an application, provide a list of IP ranges to deny or allow, and App Engine does the rest.

Cloud Service Map for AWS and Azure Available Now (Microsoft Azure Blog, Oct 16 2017)
Microsoft introduced a new cloud service map to help you quickly compare the cloud capabilities of Azure and AWS services in all categories. Whether you are planning a multi-cloud solution with Azure and AWS, or simply migrating to Azure, you will be able to use this service map to quickly orient yourself with the services required for a successful migration.

Hardening Azure Analysis Services with the new firewall capability (Microsoft Azure Blog, Oct 12 2017)
Do not forget to harden your servers by taking advantage of basic firewall support. In the Azure Portal, you can find the firewall settings when you display the properties of your Azure AS server.