A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Using Machine Learning to Connect the Dots in Container Security (Container Journal, Oct 31 2017)
There is often an inverse relationship in which the more powerful, useful or convenient a technology is for the end user, the larger the risk it poses from a security perspective. The things that make it a great technology also expose it to potential exploit and compromise. This is definitely true when it comes to containers.

McAfee won’t allow government code reviews as Kaspersky offers more transparency (SC Magazine, Oct 27 2017)
McAfee announced it will no longer permit foreign governments to scrutinize its product source code for hidden backdoors.

Google to Ditch Public Key Pinning in Chrome (Threatpost, Oct 30 2017)
Google said that in an upcoming version of Chrome it will deprecate the browser’s support for HTTP public key pinning. Instead, it will adopt the “safer” more flexible solution of Expect-CT headers.

Tips for Creating Unit Tests for Mobile Apps (Blogs – DevOps.com, Nov 01 2017)
Mobile app testing ensures your application is working perfectly without any freezes, bugs or crashes. There are unit, auto, system and acceptance tests, and this article talks about unit testing for mobile apps.

Hackers abusing digital certs smuggle malware past security scanners (The Register, Nov 01 2017)
Malware writers are widely abusing stolen digital code-signing certificates, according to new research. Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing.

Mozilla loses trust in Dutch Certs, raises wider concerns in industry (SC Magazine, Oct 30 2017)
Dutch moves to strengthen the powers of its state authorities lead Mozilla to propose excluding Dutch CAs from its trust list, which could form part of a wider undermining of trust in the Internet.

HashiCorp raises $40M for its cloud infrastructure automation services (TechCrunch, Oct 24 2017)
HashiCorp is probably best known for Terraform, its open-source tool for automatically provisioning infrastructure by describing it as code. But the company also offers a whole range of additional open-source security tools and products that enable multi-cloud deployments, as well as enterprise versions of these tools that add features for larger teams on top of these free versions.

How to Prepare for AWS’s Move to Its Own Certificate Authority (AWS Security Blog, Oct 30 2017)
AWS is in the process of moving certificates for services such as Amazon EC2 and Amazon DynamoDB to use certificates from Amazon Trust Services as well. Most software doesn’t need to be changed to handle this transition, but there are exceptions.

Now You Can Use Amazon ElastiCache for Redis with In-Transit and At-Rest Encryption to Help Protect Sensitive Information (AWS Security Blog, Oct 26 2017)
Amazon ElastiCache for Redis now supports encryption for secure internode communications to help keep personally identifiable information (PII) safe. Both encryption in transit and at rest are supported.

Everyday Compliance with InSpec (Chef Blog, Oct 25 2017)
By codifying controls and tests inside of an InSpec profile, the steps necessary to “be compliant” can be mutually understood by both the auditors and the auditees.

Azure is certified to meet strict UK Government Cyber Essentials PLUS requirements (Microsoft Azure Blog, Nov 01 2017)
Azure has attained the UK’s Cyber Essentials PLUS badge and meets the requirements outlined in the Cyber Essentials Scheme Assurance Framework.

Azure Storage Introduction (Auth0 Blog, Nov 01 2017)
Learn about the many ways that Microsoft Azure Storage enables us to store information.