A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Is security on the verge of a fuzzing breakthrough? (Naked Security – Sophos, Oct 18 2017)
Smart, efficient fuzzing could give every developer the opportunity to find bugs efficiently, during development

The Full List of the Security, Compliance, and Identity Sessions, Workshops, and Chalk Talks Being Offered at AWS re:Invent 2017 (AWS Security Blog, Oct 24 2017)
Now that you can reserve seating in AWS re:Invent 2017 breakout sessions, workshops, chalk talks, and other events, the time is right to review the list of introductory, advanced, and expert content being offered this year.

How to Choose a Cloud Provider (Devops.com, Oct 25 2017)

Veracode: 75% Of Apps Have at Least One Vulnerability on Initial Scan (Dark Reading, Oct 20 2017)
But developers not the only ones to blame, company says.

Microsoft tears into Chrome security as patching feud continues (Naked Security – Sophos, Oct 23 2017)
Everybody wins as Google and Microsoft’s security one-upmanship continues

Top Threats to Cloud Computing Plus: Industry Insights (Cloud Security Alliance, Oct 23 2017)
Here’s an updated “Treacherous 12: Top Threats to Cloud Computing + Industry Insights,” a refreshed release to the 2016 report that includes new real-world anecdotes and examples of recent incidents that relate to each of the 12 cloud computing threat categories identified in the original paper.

Kaspersky code review doesn’t solve the spying problem (CSO Online Salted Hash, Oct 23 2017)
Kaspersky Lab has announced a transparency initiative, opening their source code up to independent review. The announcement comes after reports from the Wall Street Journal and the New York Times stating that Russian hackers used Kaspersky’s product to steal sensitive materials from an NSA contractor’s computer.

Study: 18% of fed agencies embrace DMARC yet 25% of email fraudulent, unauthenticated (SC Magazine, Oct 23 2017)
Of the 18 percent of agencies that do have DMARC in play, only half are maximizing the benefits of the standard by quarantining or rejecting unauthenticated email to prevent domain name spoofing.

The Great Security Research of Tomorrow is Already Dead (Cylance, Oct 24 2017)
There is a real need for advanced security research that addresses the fundamental problems of security, because the network hasn’t really changed while the world has. Without research into why we haven’t figured out a way to have security, rather than mostly security, we aren’t there yet…

One-Third of Businesses Can’t Keep Up with Cloud Security (Dark Reading, Oct 24 2017)
One in three organizations cannot maintain security as cloud and container environments expand.

Finding Your Appetite for Security Automation (and Why That’s Important) (Dark Reading, Oct 24 2017)
Yes, automation is becoming increasingly critical. But before you go all-in, determine the level that’s right for your company.

Continuous Security Testing for Microservices (Blog – Checkmarx, Oct 19 2017)
Unlike the classic monolithic approach to developing an application, microservices break the application down into its various components, with each component behaving as much like a full stack as possible. Imagine many mini-apps that together make one unified application. Those mini-apps often revolve around a specific business capability and must be able to communicate and scale seamlessly. As expected, there are pros and cons…

Event Management: Let the Noise Wail Without Going Deaf (Blogs – DevOps.com, Oct 25 2017)
The discipline of event management has matured, and continues to mature, over decades as a mechanism for determining the status of elements of a managed environment from their state. Best practice in event management consists of…

How Containers Improve Software Quality Testing (Container Journal, Oct 25 2017)
Because the containerized host environment remains the same from the beginning of the delivery pipeline to the end, developers and the IT Ops team have a consistent frame of reference for discussing and troubleshooting the application.

Turns out, security drives cloud adoption — not the other way around (Google Cloud Platform Blog, Oct 20 2017)
What may be unexpected however is that this same pool of respondents cited their “increased confidence in cloud security” as a nearly equal driver of increased cloud usage.

New ways to manage sensitive data with the Data Loss Prevention API (Google Cloud Platform Blog, Oct 19 2017)
The Data Loss Prevention (DLP) API, which went beta in March, can help you quickly find and protect over 50 types of sensitive data such as credit card numbers, names and national ID numbers. Google also announced several new ways to help protect sensitive data with the DLP API, including redaction, masking and tokenization.

How Azure Security Center automates the detection of cyber attack (Microsoft Azure Blog, Oct 24 2017)
Earlier this year Greg Cottingham wrote an article breaking down an example of an Azure Security Center detected attack against SQL Server. In this post they go into more detail…