A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

The Meltdown/Spectre Bugs for a Non-Technical Audience (Cloudflare, Jan 09 2018)
Last week the news of two significant computer bugs was announced. They’ve been dubbed Meltdown and Spectre. Here’s what you need to know.

How Cloud Security Managers Should Respond to Meltdown and Spectre (Securosis Blog, Jan 05 2018)
“This is a very big deal for cloud computing. The immediate risk is very manageable but we need to be prepared for the long-term implications.”

The future of server virtualization (Gartner Blog Network, Jan 09 2018)
x86-based server virtualization has changed. It has rapidly evolved and is now a mature market.

Building a Container Security Program 2018: Introduction (Securosis Blog, Jan 07 2018)
“We run more code and faster, but must accept a loss of visibility inside the container. It begs the question, ‘How can we introduce security without losing the benefits of containers?’”

Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems (Microsoft Secure, Jan 09 2018)
Microsoft describes the discovered vulnerabilities, what customers can do to help keep themselves safe, and what they’ve learned so far about performance impacts.

What Global Manufacturers Need to Know About Security in the Cloud (Infosec Island, Jan 08 2018)
Entrusting data to a cloud-based application or cloud services provider is a major step, and manufacturers need to fully educate themselves about the security risks and advantages of cloud-based software.

Container Security 2018: Threats and Concerns (Securosis Blog, Jan 09 2018)
“What kinds of threats are we talking about, specifically? Things like malicious or moronic source code changes. Malicious or mistaken alterations to automated build controllers. Configuration scripts with errors, or which expose credentials. The addition of insecure libraries or down-rev/insecure versions of existing code. We want to know whether runtime code has been scanned for vulnerabilities. And we worry about failures to audit all the above and catch any errors.”

Last week in Azure: Securing Azure infrastructure from CPU vulnerability, and more (Microsoft Azure Blog, Jan 08 2018)
Last week in Azure started 2018 with addressing a far-reaching security vulnerability at the CPU level, new developer tools for big data, tech content, and more.

Predictions for DevOps Security in 2018 (DevOps.com, Jan 10 2018)
The need to move away from a reactive DevOps security model will see more teams integrating new solutions that leverage machine learning, analytics and orchestration that can provide incident management insights in real time. Based on that approach, here are three security predictions for DevOps in 2018.

What is DevSecOps? Developing more secure applications (CSO Online, Jan 09 2018)
DevSecOps is about introducing security earlier in the life cycle of application development, thus minimizing vulnerabilities and bringing security closer to IT and business objectives.

Open Source Components, Code Volume Drag Down Web App Security (Dark Reading, Jan 03 2018)
The number of new Web application vulnerabilities published last year was 212% greater than the number disclosed in 2016, Imperva says in a new report this week.

Application fuzzing in the era of Machine Learning and AI (Microsoft Secure, Jan 03 2018)
AI is a natural next step given that most software testing for bugs and vulnerabilities is either manual or prone to false positives. With practically every security product claiming to be machine learning and AI-enabled, it can be hard to understand which offerings can deliver real value over current approaches.

Continuous security: What’s in a name? (Help Net Security, Jan 09 2018)
From a terminology perspective, it’s okay to lump all security automation under a single umbrella term. But we should use such a term to indicate that we’re talking about security automation in general, which is great when talking about engineering philosophy, business goals, etc.

Website Glitch Let Me Overstock My Coinbase (Krebs on Security, Jan 09 2018)
Coinbase and Overstock.com just fixed a serious glitch that allowed Overstock customers to buy any item at a tiny fraction of the listed price. Potentially more punishing, the flaw let anyone paying with bitcoin reap many times the authorized bitcoin refund amount on any canceled Overstock orders.

Wi-Fi security overhaul coming with WPA3 (Naked Security – Sophos, Jan 10 2018)
Nearly 14 years after it ratified Wi-Fi Protected Access 2 (WPA2), the Wi-Fi Alliance has given the world a peek at what might be coming next for wireless security.

Bugsnag snares $9 million Series B, now gives you a software stability score (TechCrunch, Jan 10 2018)
Bugsnag, the cloud service that helps developers find bugs inside their software, announced a $9 million Series B. They also released a new version of their dashboard that features a stability score that can give customers an unbiased grade of the current stability of their software.

Top 5 OWASP Resources No Developer Should Be Without (Checkmarx, Jan 09 2018)
Writing secure code is now a must for developers. The rising number of attacks on organizations big and small and the fallout for companies who’ve been breached are growing. As such, security is finally moving out of the periphery to become a mainstay for business continuity.

For strong API security, you need a program not a piecemeal approach (CSO Online, Jan 08 2018)
When designed and managed properly, APIs can be less problematic than traditional integration methods and can actually increase an organization’s security posture.