A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Visualizing Meltdown on AWS (AppOptics Blog, Jan 16 2018)
On January 3, 2018, the Meltdown and Spectre CPU architecture flaws were announced to the world. Due to early leaks, the announcement was made roughly a week earlier than planned. These bugs are easily the largest vulnerabilities announced in the last decade and require a complete reassessment of microprocessor architectures, and how software and hardware interact.

Container Security 2018: Build Pipeline Security (Securosis Blog, Jan 11 2018)
“Build pipeline security breaks down into two basic areas. The first is application security: essentially testing your code and its container to ensure it conforms to security and operational practices…The second area of concern is the tools used to build and deploy applications – including source code control, build tools, the build controller, container registries, container management facilities, and runtime access control.”

Take a Digital Tour of an AWS Data Center to See How AWS Secures Data Centers Around The World (AWS Security Blog, Jan 16 2018)
AWS has launched a digital tour of an AWS data center, providing you with a first-ever look at how AWS secures data centers around the world. The videos, pictures, and information in this tour show you how security is intrinsic to the design of our data centers, our global controls, and the AWS culture.


Container Security 2018: Securing Container Contents (Securosis Blog, Jan 15 2018)
“Third-party tools focus on security benefits outside what engine providers offer, such as examining libraries for known flaws. So while things like process controls, digital signing services to verify chain of custody, and creation of a bill of materials based on known trusted libraries are all important, you’ll need more than what is packaged with your base container management platform…”

Cloud Migration Fundamentals (Imperva, Jan 09 2018)
The advantages offered by a cloud-based environment make it an easy decision for most companies to make. Still, there are numerous critical choices to be made that can transform the complexities of the migration process into a relatively smooth transition—especially regarding application and data security.

Cloud security is not just the cloud vendor’s responsibility (CSO Online, Jan 16 2018)
Somehow, many organizations seem to forget their own security practices and responsibilities once they start moving to the cloud.

Azure Security Center adds support for custom security assessments (Microsoft Azure Blog, Jan 16 2018)
Azure Security Center monitors operating system (OS) configurations using a set of 150+ recommended rules for hardening the OS, including rules related to firewalls, auditing, password policies, and more. If a machine is found to have a vulnerable configuration, a security recommendation is generated.

‘Shift Left’: Codifying Intuition into Secure DevOps (Dark Reading, Jan 10 2018)
Shifting left is more than a catchy phrase. It’s a mindset that emphasizes the need to think about security in all phases of the software development life cycle.

The DevOps Revolution is Changing Cloud Security – Don’t Get Left Behind (Dome9, Jan 04 2018)
What’s really happening is that DevOps teams are finally taking on their share of the security responsibilities rather than throwing things over the fence to traditional security teams. With proper management this doesn’t have to be a burden. In fact, you’ll come to see it as a blessing.

WPA3 to feature much needed security enhancements (Help Net Security, Jan 16 2018)
The Wi-Fi Alliance, a non-profit organization that tests and slaps the “Wi-Fi Certified” logo on products that meet certain standards of interoperability, has announced enhancements for WPA2 and the imminent introduction of WPA3.

Spectre and Meltdown patches causing trouble as realistic attacks get closer (Ars Technica, Jan 15 2018)
Driver incompatibilities and microcode problems are both being reported.

Four Malicious Google Chrome Extensions Affect 500K Users (Dark Reading, Jan 16 2018)

Firefox locks down its future with HTTPS ‘secure contexts’ (Naked Security – Sophos, Jan 17 2018)
Firefox developers must start using ‘secure contexts’ for new features “effective immediately.”

Cloudflare Access aims to replace corporate VPNs (TechCrunch, Jan 17 2018)
If you’re part of a reasonably big company, chances are there are certain resources that are only available via the intranet, internal network, or whatever your company calls it. A common way to access these from outside company property is a VPN, but VPNs are rather a clumsy solution — one companies like Google and Amazon are leaving behind. Now Cloudflare wants you to do the same and use its new Access service instead.

Stop us if you’ve heard this one: Apple’s password protection in macOS can be thwarted (The Register, Jan 11 2018)
Developers (again) find preferences hole (again) that bypasses login box (again)

Why TLS 1.3 isn’t in browsers yet (Cloudflare, Jan 09 2018)
You need to update clients and servers and make sure everything in between continues to work correctly. The Internet is in the middle of such an upgrade right now. Transport Layer Security (TLS), the protocol that keeps web browsing confidential (and which many people persist in calling SSL), is getting its first major overhaul with the introduction of TLS 1.3.

What is SAP penetration testing? (ERPScan, Jan 16 2018)
Why do you need to assess an SAP system’s security? The first idea is rather simple: an SAP system is a tempting target for hackers as it stores and manages the lifeblood of any organization – critical information and business processes. However, it is not the only reason…

Three ways to configure robust firewall rules (Google Cloud Platform Blog, Jan 12 2018)
If you administer firewall rules for Google Cloud VPCs, you want to ensure that firewall rules you create can only be associated with correct VM instances by developers in your organization…