A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Thwarting the Tactics of the Equifax Attackers (Cloudflare Blog, Nov 13 2017)
We are now 3 months on from one of the biggest, most significant data breaches in history, but has it redefined people’s awareness on security? The answer to that is absolutely yes, awareness is at an all-time high. Awareness, however, does not always result in positive action.

Minimum Viable Cloud (MVC) is an Anti-Pattern (Securosis Blog, Nov 06 2017)
“It doesn’t work. Not for long. MVC fundamentally breaks agility and reinforces bad old habits. Even if you try to design a ‘friendlier’ MVC deployment, it doesn’t scale and doesn’t offer the security benefits of a cloud-native approach.”

Defense Department’s vulnerability disclosure program racks up 2,837 security flaws (SC Magazine, Nov 13 2017)
Under Hack the Pentagon, the Defense Department “has resolved nearly 500 vulnerabilities in public facing systems with bug bounty challenges,” yielding hackers more than $300,000 in bounties, “and saving the DoD millions of dollars,” HackerOne noted.

Google Chrome Will Stop Sketchy Redirects Soon (Wired, Nov 08 2017)
With its latest update, Chrome is going to quash the junky redirects that turn the web into a house of horror.

The Future of SecOps: Behind the 8 Ball (Securosis Blog, Nov 10 2017)
“As the velocity of technology infrastructure change continues to increase, it is putting serious stress on Security Operations (SecOps). This has forced security folks to face the fact that operations has never really been our forte. That’s a bit harsh, but denial never helps address serious problems.”

Amazon takes steps to reduce S3 misconfiguration leaks (SC Magazine, Nov 13 2017)
The company announced the addition of five new encryption and security features including default encryption, permission checks, cross-region replication ACL Overwrite, Cross-Region Replication with KMS and Detailed Inventory Reports.

Hybrid cloud: Consistency solves complexity (Hybrid Cloud Blog, Nov 13 2017)
The benefits of hybrid cloud are compelling, but getting there may seem daunting. It doesn’t need to be. The process becomes far less complex when you adopt a model that provides true integration and consistency.

Microsoft Uses Neural Networks to Make Fuzz Tests Smarter (Dark Reading, Nov 15 2017)
Neural fuzzing can help uncover bugs in software better than traditional tools, company says.

Introducing Certified Kubernetes (and Google Kubernetes Engine) (Google Cloud Platform Blog, Nov 13 2017)
To ensure a consistent developer experience across different Kubernetes offerings, Google has been working with the Cloud Native Computing Foundation (CNCF) and the Kubernetes community to create the Certified Kubernetes Conformance Program.

Firefox 57 Brings Better Sandboxing on Linux (BleepingComputer, Nov 15 2017)
The Firefox sandboxing feature isolates the browser from the operating system in a way to prevent web attacks from using a vulnerability in the browser engine and its legitimate functions to attack the underlying operating system, place malware on the filesystem, or steal local files.

Building Secure Enclaves on AWS (Vidder Blog, Nov 15 2017)
A secure enclave is a virtual container within the public cloud that is interlocked with a secured facility’s physical and virtual security controls.

How to Make Your Software HIPAA-Compliant (Blogs – DevOps.com, Nov 10 2017)
Healthcare IT tools must meet all HIPAA requirements before medical institutions will integrate them. Let’s talk about the major aspects of software development in this industry.

Make sure you pick the right security tools for the cloud (CSO Online, Nov 15 2017)
Organizations must evolve beyond on-premises security mentalities and address the emerging demands of the cloud. Not doing so will hinder migration, deteriorate security posture and cost money and time.

Hypervisors: Now a Tool to Protect against Security Blind Spots (Dark Reading, Nov 09 2017)
By facilitating live introspection of virtual machine memory, the Xen Project is striving to eliminate stealthy attack techniques like EternalBlue.

Updated AWS SOC Reports Are Now Available with 19 Additional Services in Scope (AWS Security Blog, Nov 10 2017)
Newly updated reports are available for AWS System and Organization Control Report 1 (SOC 1), formerly called AWS Service Organization Control Report 1, and AWS SOC 2: Security, Availability, & Confidentiality Report.

DevOps Chat: Aqua Security Seeks To Secure Containers (Blogs – DevOps.com, Nov 09 2017)
Alan Shimel talks with Rani Osnat of Aqua Security to discuss the recent funding round ($25M) and the state of the container security market.

NeuVector 1.3 Improves Container Threat Detection Capabilities (eWEEK, Nov 15 2017)
Container security startup NeuVector adds new features to help identify privilege escalation attacks and detect risks hidden within tunneled traffic.