A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Why crypto is much harder than engineers think (Help Net Security, Dec 19 2017)
Researchers analyzed the statistical properties of public keys (from a large sample of Estonian public keys). They found that the keys were not truly random, as they should be. This meant that it was possible to derive the private key from the public key in days, rather than the expected thousands of years.

How to Set Up Continuous Golden AMI Vulnerability Assessments with Amazon Inspector (AWS Security Blog, Dec 20 2017)
As companies mature in their cloud journey, they implement layered security capabilities and practices in their cloud architectures. One such practice is to continually assess golden Amazon Machine Images (AMIs) for security vulnerabilities. AMIs provide the information required to launch an Amazon EC2 instance, which is a virtual server in the AWS Cloud.

As Kubernetes surged in popularity in 2017, it created a vibrant ecosystem (TechCrunch, Dec 18 2017)
For a technology that the average person has probably never heard of, Kubernetes surged in popularity in 2017 with a particular group of IT pros who are working with container technology. Kubernetes is the orchestration engine that underlies how operations staff deploy and manage containers at scale.

AWS Updated Its ISO Certifications and Now Has 67 Services Under ISO Compliance (AWS Security Blog, Dec 20 2017)
AWS has updated its certifications against ISO 9001, ISO 27001, ISO 27017, and ISO 27018 standards, bringing the total to 67 services now under ISO compliance.

How to Enhance the Security of Sensitive Customer Data by Using Amazon CloudFront Field-Level Encryption (AWS Security Blog, Dec 14 2017)
You can configure CloudFront to help enforce secure, end-to-end connections using HTTPS SSL/TLS encryption. You also can take advantage of CloudFront integration with AWS Shield for DDoS protection and with AWS WAF (a web application firewall) for protection against application-layer attacks, such as SQL injection and cross-site scripting.

Docker CEO Tries to Navigate Business Threat From Google (IT Pro, Dec 20 2017)
While Docker and Kubernetes serve slightly different purposes, customers who choose Google’s tool can avoid paying Docker.

AWS raises machine learning expectations for cloud security (CSO Online, Dec 18 2017)
AWS’s new GuardDuty and Macie offerings unleash the power of machine learning to secure your data. Are they right for your enterprise?

Cloud Audit Logging for Kubernetes Engine: Answer the who, what, when of admin accesses (Google Cloud Platform Blog, Dec 18 2017)
Sometimes, in Google Kubernetes Engine, you want to investigate what’s happened in your cluster. Thankfully, Stackdriver Cloud Audit Logging now supports Kubernetes Engine in beta, and can help you answer “Who did what, where and when?” to your cluster.

How Azure Security Center detects vulnerabilities using administrative tools (Microsoft Azure Blog, Dec 20 2017)
Earlier this month, Azure Security Center released a new analytic to detect suspicious account creation operations that might be used as backdoor accounts. This analytic includes several criteria to distinguish between benign administrative account creation and suspicious activities that need to be alerted on.

Enterprise Security Package preview for Azure HDInsight (Microsoft Azure Blog, Dec 18 2017)
Azure introduced features for these use cases:
As a data scientist, I want to use my Active Directory domain credentials to run queries on the cluster.
As a cluster admin, I want to configure role-based access control to restrict access to data only as needed.
As a cluster admin, I want to view audit logs, in terms of who accessed what data, and whether access succeeded or failed.

Understand your continuous deployment maturity (Forrester, Dec 20 2017)
The assessment should take 10 minutes or less to complete, with the outcome identifying where you are in your continuous deployment journey. DevOps teams should focus on building four critical competencies: process, structure, measurement, and technology.

Persistent Storage: You’ll be Hearing More (DevOps.com, Dec 19 2017)
As containers take over the IT environment, a problem that has existed since virtual machines (VMs) became popular has become more urgent: how to keep persistent storage, and keep it consistent.

The Rise of the Service Mesh for Microservices Apps (Container Journal, Dec 18 2017)
Service meshes are the latest, greatest thing in the microservices and containers world. Let's take a look at what a service mesh is and how it is being used to improve microservices architectures.

Google Researcher Finds Critical Flaw in Keeper Password Manager (SecurityWeek, Dec 18 2017)
Google Project Zero researcher Tavis Ormandy recently discovered that the Keeper password manager had been affected by a critical flaw similar to one he identified just over one year ago in the same application.

Code Execution Flaws Found in Trend Micro Smart Protection Server (SecurityWeek, Dec 19 2017)
Researchers at Core Security have discovered five vulnerabilities in Trend Micro’s Smart Protection Server product, including flaws that could have been exploited for remote code execution.

Application security is maturing, but independent testing is crucial (CSO Online, Dec 20 2017)
As siloes are pulled down, collaboration increases, and more security testing is automated, we should see tangible improvements in application security, but third-party testing will remain a vital piece of the puzzle for the foreseeable future.