A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

The Future of SecOps: Regaining Balance (Securosis Blog, Nov 27 2017)
Instead of having “expensive staff focused on rote and tedious functions,” the “valuable, constrained, and usually highly skilled humans [should be] doing what humans are good at, such as:
- identifying triggers that might indicate malicious activity
- drilling into suspicious activity to understand the depth of attacks and assess potential damage
- figuring out workarounds to address attacks”

Huge MacOS bug lets anyone login as root without a password: what you need to know (Graham Cluley, Nov 28 2017)
Want to have god-like powers over a Mac? Just enter your username as root… no password required.

The 10 Most Viewed Security-Related AWS Knowledge Center Articles and Videos for November 2017 (AWS Security Blog, Nov 22 2017)
These 10 Knowledge Center security articles and videos have been the most viewed this month.

New Research: How To Manage Public Cloud Costs on Amazon Web Services and Microsoft Azure (Gartner Blog Network, Nov 27 2017)
How to manage public IaaS and PaaS cloud costs on AWS and Microsoft Azure…cloud providers' price lists, pricing models, discounts and billing mechanisms can be complex to manage even for mature cloud users. Understanding the most cost-effective option to run certain workloads is a management challenge that organizations are often unprepared to address.

Microsoft Azure Cloud Becomes More Location-Aware (eWEEK, Nov 28 2017)
With some help from TomTom, Microsoft’s new Azure Location Based Services will enable enterprise developers to bake location-awareness into their cloud and Internet of things applications.

AWS announces two new EC2 instance types (TechCrunch, Nov 29 2017)
At the re:Invent customer conference in Las Vegas, AWS announced two new instance types designed for specific kinds of applications. The first is a generalized EC2 instance designed for developers who are trying to get a feel for the kinds of resources their application might require. The company also announced new H1 EC2 instances designed with lots of storage for big data applications.

Leaky AWS Storage Bucket Spills Military Secrets, Again (Threatpost, Nov 28 2017)
For the second time in ten days, researchers at UpGuard released sensitive data belonging to the United States Defense Department that was stored insecurely online.

Easier Certificate Validation Using DNS with AWS Certificate Manager (AWS Security Blog, Nov 22 2017)
Before issuing a certificate for your website, Amazon must validate that you control the domain name for your site. You can now use AWS Certificate Manager (ACM) Domain Name System (DNS) validation to establish that you control a domain name when requesting SSL/TLS certificates with ACM.

Infosec expert viewpoint: DevOps security (Help Net Security, Nov 27 2017)
A Ponemon Institute survey of nearly 1,250 global public sector IT decision makers and managers revealed that public sector organizations undergoing digital transformation are losing confidence in IT operations’ ability to manage the influx of new technologies and evolving citizen and mission expectations. Despite the rising complexity of IT, respondents see promise in DevOps to help achieve future mission success.

The Forrester Wave: Continuous Integration Tools, Q3 2017 (Forrester, Nov 28 2017)
The new Forrester Wave™: Continuous Integration Tools, Q3 2017 for application development and delivery professionals is now live! Forrester survey data indicates most developers (67% of 2,000 developers surveyed) use CI tools as part of their software development process, but only 17% use them daily.

Barracuda Networks Advances DevSecOps Agenda (DevOps.com, Nov 27 2017)
Barracuda Networks announced its Barracuda NextGen Firewall can be configured via the IT automation framework developed by Puppet Labs. Previously, only the company’s Web Application Firewall was integrated with the Puppet framework.

Ciao, Chrome: Firefox Quantum Is The Browser Built for 2017 (Wired, Nov 25 2017)
The new Firefox is fast, it’s secure, and it’s full of clever little things that make web browsing better.

Facebook Flaw Allowed Removal of Any Photo (SecurityWeek, Nov 27 2017)
A researcher says he received a $10,000 bounty from Facebook after finding a critical vulnerability that could have been exploited to delete any photo from the social media network.

Developers Can Do More to Up Their Security Game: Report (Dark Reading, Nov 28 2017)
Developers can play a vital role in accelerating the adoption of AppSec practices…Security vendor Veracode recently analyzed data from some 400,000 scans of applications written in Java, .Net, Android, iOS, PHP, and several other languages at large, medium, and small organizations.

Federal Websites Still Lack Basic Security (Infosecurity Magazine, Nov 27 2017)
According to the second edition of the Benchmarking US Government Websites report from the Information Technology and Innovation Foundation (ITIF), 91% of the 469 federal government websites reviewed fail at least one key performance measure, including one-third that fail on at least one important security measure.

Git Some Security: Locking Down GitHub Hygiene (Dark Reading, Nov 28 2017)
In the age of DevOps and agile development practices that lean heavily on GitHub and other cloud resources, strong controls are more important than ever.

Akamai Finds Web App Attacks Increased in Q3 2017 (eWEEK, Nov 29 2017)
Akamai’s third-quarter 2017 State of the Internet/Security report reveals a growing number of web application attacks. The gaming industry is the top DDoS target.

Trend Micro Acquires Application Security Firm Immunio (SecurityWeek, Nov 28 2017)
Cybersecurity firm Trend Micro announced on Tuesday that it has acquired Montréal, Canada-based web application security firm Immunio for an undisclosed sum.