A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Mudge & Rating software security Consumer Reports-style (CSO Online, Jan 18 2018)
Founded by l0pht hacker and former head of cybersecurity research at DARPA Peiter “Mudge” Zatko, and bankrolled with seed funding from the US Air Force, the Cyber Independent Testing Lab (CITL) presented their methodology and some preliminary results at the 34c3 hacker conference in Leipzig, Germany a few weeks ago.

On Negative Pressure or Why NOT Objectively Test Security? (Gartner Blog Network, Jan 22 2018)
A question came up as we are ramping up our testing security and breach and attack simulation tools research projects. Just how motivated are organizations to test whether they have…

Container Security 2018: Runtime Security Controls (Securosis Blog, Jan 22 2018)
“After the focus on tools and processes in previous sections, we can now focus on containers in production systems. This includes which images are moved into production repositories, selecting and running containers, and the security of underlying host systems.”

Meltdown and Spectre Patches From Intel and Others Have a Rough Start (Wired, Jan 23 2018)
In the haste to address the Meltdown and Spectre vulnerabilities that shook the computer industry, several clumsy patch attempts have had to be pulled.

Container Security 2018: Logging and Monitoring (Securosis Blog, Jan 24 2018)
“When we go beyond network segregation and network policies for what we allow, the ability to detect misuse is extremely valuable, which is where monitoring and logging come in. Additionally, most Development and Security teams are not aware of the variety of monitoring options available, and we have seen a variety of misconceptions and outright fear of the volume of audit logs to capture, so we need to address these issues.”

Veeam Acquires N2WS to Protect AWS Workloads (eWEEK, Jan 18 2018)
The acquisition bolsters Veeam as a data protection provider for AWS by adding to its portfolio of solutions that offer availability for any app, any data, across any cloud, the company said.

5 Steps to Better Security in Hybrid Clouds (Dark Reading, Jan 23 2018)
Following these tips can improve your security visibility and standardize management across hybrid environments.

How to Connect Directly to AWS Key Management Service from Amazon VPC by Using an AWS PrivateLink Endpoint (AWS Security Blog, Jan 22 2018)
AWS Key Management Service (AWS KMS) now supports Amazon Virtual Private Cloud (Amazon VPC) endpoints powered by AWS PrivateLink. This means you now can connect directly to AWS KMS through a private endpoint in your VPC, keeping all traffic within your VPC and the AWS network.
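A worked version of the setup the AWS post describes, added here as an example (it is not code from the AWS post): create the KMS interface endpoint with the AWS CLI, then restrict the key so the application role can use it only when requests arrive through that endpoint. The account ID, role ARN, VPC, subnet, security-group, endpoint and key IDs are placeholders; the `aws:sourceVpce` condition key is the standard mechanism for tying a KMS key policy to a VPC endpoint.

```shell
#!/bin/sh
# Added example (not from the AWS Security Blog post): create a KMS interface
# endpoint and pin a key to it. All IDs and ARNs below are placeholders.
set -eu

# Emit a KMS key policy: the account root keeps full administration (so the
# key cannot be locked out), and the application role may use the key only
# when the request arrives via the given VPC endpoint (aws:sourceVpce).
kms_vpce_policy() {
  account="$1"
  role_arn="$2"
  vpce_id="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowUseOnlyThroughVpcEndpoint",
      "Effect": "Allow",
      "Principal": { "AWS": "${role_arn}" },
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*" ],
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:sourceVpce": "${vpce_id}" } }
    }
  ]
}
EOF
}

# Create the interface endpoint for KMS and print its ID. Private DNS makes the
# regional KMS hostname resolve to the endpoint from inside the VPC, which
# requires DNS support and DNS hostnames enabled on the VPC. Needs the AWS CLI
# with credentials permitted to create endpoints.
create_kms_endpoint() {
  vpc_id="$1"; region="$2"; subnet_ids="$3"; sg_id="$4"
  # shellcheck disable=SC2086  (subnet_ids is a space-separated list on purpose)
  aws ec2 create-vpc-endpoint \
    --region "$region" \
    --vpc-id "$vpc_id" \
    --vpc-endpoint-type Interface \
    --service-name "com.amazonaws.${region}.kms" \
    --subnet-ids $subnet_ids \
    --security-group-ids "$sg_id" \
    --private-dns-enabled \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Replace the key's default policy with the endpoint-pinned one.
apply_key_policy() {
  key_id="$1"; policy_json="$2"
  aws kms put-key-policy --key-id "$key_id" --policy-name default --policy "$policy_json"
}

# Example run against real AWS (placeholders); only executed when RUN_EXAMPLE=1.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  vpce=$(create_kms_endpoint vpc-0123456789abcdef0 us-east-1 "subnet-0a subnet-0b" sg-0123456789abcdef0)
  policy=$(kms_vpce_policy 123456789012 arn:aws:iam::123456789012:role/app-role "$vpce")
  apply_key_policy 1234abcd-12ab-34cd-56ef-1234567890ab "$policy"
fi
```

The endpoint alone only keeps traffic on the AWS network; the same role credentials could still call the public KMS endpoint from elsewhere. The key policy condition (or an equivalent endpoint policy) is what actually enforces that the key is used only from the VPC, and the separate administration statement is what keeps you from locking yourself out when you apply it.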

Cloud App Encryption and CASB (Cloud Security Alliance Blog, Jan 19 2018)
At the highest level, the concept is quite simple – data flowing out of the organization is encrypted, as it is stored in the cloud. However, in practice there are nuances in the configuration options that may have impact on how you implement encryption in the cloud. This article outlines important architectural decisions to be made prior to the implementation of encryption solutions through CASB.

The competitive edge of DevSecOps (CA Technologies, Jan 22 2018)
According to the survey, the organizations that exhibit these attributes also report other benefits – such as 50% higher profit growth and are 2.5x more likely to be outpacing their competitors – when compared with the mainstream. This evidence shows that it can be done and that there are organizations that are doing it successfully.

Security Strategies for DevOps, APIs, Containers and Microservices (Imperva, Jan 17 2018)
In particular, this means focusing on:
1) Securing environments using APIs
2) Implementing continuous security
3) Adopting evolving security practices
4) Securing sensitive data
5) Maintaining current best practices for application vulnerabilities

Security and DevOps – What We Learned at DOES17 (SecurityWeek, Jan 24 2018)
His core point is that internal security can’t see itself as a sort of third party to the organization, interjecting security policies and controls as they see fit. Rather, security needs to provide resources to help DevOps teams become “security self-sufficient,” baking security into the DevOps pipeline.

Azure Search enterprise security: Data encryption and user-identity access control (Microsoft Azure Blog, Jan 24 2018)
Azure Search now supports encryption at rest for all incoming data indexed on or after January 24, 2018, in all regions and SKUs including shared (free) services.

Common Approaches to Automated Application Security Testing – SAST and DAST (SecurityWeek, Jan 18 2018)
Not all automated assessment approaches are created equal. When developing an automated testing strategy for an application, it is critical to match the testing approach and testing tool to the characteristics of the target application.

Marrying the Business Need With Technology, Part 3: Re-aggregating the Tools (Radware, Jan 19 2018)
The key here is that the traditional manufacturers and the analysts need to educate the new buyers (developers) about the differences in the value and how we can answer their core business issues in ways that save time and money.

File Inclusion Vulns, SQL Injection Top Web Defacement Tactics (Dark Reading, Jan 22 2018)
Hacktivists driven by political, religious, and other causes commonly exploit basic vulnerabilities to spread their messages, researchers say.

Flexera Extends Scope of Open Source Scanning Tools (DevOps.com, Jan 23 2018)
To help IT organizations track both usage and dependencies of open source software, Flexera has updated the FlexNet Code Insight software to continuously scan the network for open source software and highlight any known security and compliance issues.