A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

A Closer Look: OWASP Top 10 2017 – AppSec Risks (Checkmarx, Dec 06 2017)
The Open Web Application Security Project (OWASP) is an organization filled with security experts from around the world who provide information about applications and the risks they pose in the most direct, neutral, and practical way. Since 2003, OWASP has been releasing the OWASP Top 10 list every three to four years. The list consists of the ten biggest application security risks according to OWASP.

Mastering the Art of Cloud Migration (DevOps.com, Dec 04 2017)
The secret to a successful migration lies in a well-defined, phased and iterative approach that not only streamlines the process but also accelerates the outcome. Here is one road map to assist others in transforming their migration journey.

Mailsploit: Popular Email Apps Allow Spoofing, Code Injection (SecurityWeek, Dec 06 2017)
Tens of email clients, including some of the most popular applications, are plagued by flaws that can be exploited for address spoofing and, in some cases, even for code injection.

AWS re:Invent Day 2 Recap (Auth0 Blog, Nov 29 2017)
Too many things to list in a quick summary. For example: GraphQL is challenging the way we write APIs. It allows clients to ask only for the data they need and in many ways can be seen as superior to the tried and true REST pattern.

AWS re:Invent Day 3 Recap (Auth0 Blog, Nov 30 2017)
Again, so many new things here. For example, Amazon announced a number of advanced security features for Amazon Cognito including multifactor authentication, breached password detection, and various anomaly detection features.

AWS re:Invent Day 4 Recap (Auth0 Blog, Dec 01 2017)
Last wrap-up from AWS re:Invent, including: Amazon is betting big on its serverless framework AWS Lambda, and for good reason. Its usage is growing tremendously and it is solving many use cases for organizations within the AWS ecosystem. Today, Dr. Vogels had five new announcements for AWS Lambda.

AWS Launches New Cybersecurity Services (SecurityWeek, Nov 30 2017)
Amazon Web Services (AWS) announced this week at its AWS re:Invent conference the launch of several new cybersecurity services, including for threat detection, IoT security, and secure communications for Virtual Private Cloud.

Precious cargo: Securing containers with Kubernetes Engine 1.8 (Google Cloud Platform Blog, Nov 30 2017)
With the speed of development in Kubernetes, there are often new features and security configurations for you to know about. This post will guide you through implementing our current guidance for hardening your Kubernetes Engine cluster.

OpenStack Launches Kata Containers Project to Improve Security (eWEEK, Dec 06 2017)
The new effort brings Intel Clear Containers and the Hyper runV technologies together to provide a secure base for running containers in the cloud.

Prediction: Automatic Updates are the Future (WhiteHat Security, Nov 29 2017)
Here are a few things that you can do to speed up the process of patching your web applications.

Understanding the Mobile DevOps Process (DevOps.com, Dec 01 2017)
There are so many discussions and articles on mobile app development and how mobile DevOps practices could be integrated and adopted alongside existing processes, and even how to use resources efficiently in ways that benefit organizations. However, little has been said about why mobile DevOps could make a difference to companies that strive to enable their IT, development and operations to integrate with business goals.

Gartner Says Hire Programmers to Your Infrastructure and Ops Team (IT Pro, Dec 04 2017)
As traditional enterprises increasingly behave like platform companies, their IT and ops teams should change accordingly.

Why Security Depends on Usability — and How to Achieve Both (Dark Reading, Nov 29 2017)
Any initiative that reduces usability will have consequences that make security less effective.

Chrome to Block Apps from Injecting into Its Processes (SecurityWeek, Dec 01 2017)
Google’s Chrome web browser will soon prevent third-party software from injecting code into its processes.

Inside DARPA’s Hackfest at NASA Research Park (PCMag, Dec 01 2017)
Hackfest participants gathered at NASA Research Park to come up with innovative concepts for drones equipped with Software Defined Radios, which switch frequencies as needed.

Moving Security Beyond SSH and PKI (DevOps.com, Dec 05 2017)
SSH (secure shell) is still the most common method of remotely accessing a Linux server, which makes it a common target for attackers attempting to infiltrate corporate networks. While the protocol itself carries a number of advanced security properties, it does allow for human error, opening the door for unwarranted privileged access to sensitive company resources.