A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Microsoft issues patch to disable Intel’s buggy Spectre update (SC Magazine, Jan 29 2018)
Intel told customers last week not to implement its patches after reports that they prompted computers to reboot spontaneously.

How Containers & Serverless Computing Transform Attacker Methodologies (Dark Reading, Jan 25 2018)
The pace of hacker innovation never slows. Now security technologies and methods must adapt with equal urgency.

What is microsegmentation? How getting granular improves network security (Network World Security, Jan 30 2018)
Microsegmentation is a way to create secure zones in data centers and cloud deployments that allow you to isolate workloads and protect them individually.

Google to Create a Cloud App Marketplace, Chasing Amazon (IT Pro, Jan 30 2018)
Google Cloud and MobileIron Inc., which offers a cybersecurity tool for cellphones, are partnering on a new online marketplace that will allow businesses to buy cloud services and distribute them to employees while keeping corporate data secure. The platform, which customers will be able to access through mobile telecom providers, may roll out in the second half of the year.

Selling Cloud-Based Cybersecurity to a Skeptic (Dark Reading, Jan 26 2018)
When it comes to security, organizations don’t need to look at cloud as an either/or proposition. But there are misconceptions that need to be addressed.

Red Hat Acquires Kubernetes Vendor CoreOS for $250M (eWEEK, Jan 31 2018)
Both Red Hat and CoreOS are active contributors to the open-source Kubernetes container orchestration platform originally created by Google, and each vendor has its own platform that competes directly with the other's. Red Hat’s OpenShift platform was re-focused on Kubernetes in January 2015, and CoreOS entered the market with its Tectonic platform in April 2015 after re-working its Fleet container cluster technology.

Microsoft Improves Azure Cloud Disaster Recovery Visibility (eWEEK, Jan 31 2018)
Microsoft adds new monitoring capabilities to Azure Site Recovery, allowing users to gauge how well their configurations can handle IT mishaps.

AWS Adds 16 More Services to Its PCI DSS Compliance Program (AWS Security Blog, Jan 26 2018)
AWS has added 16 more AWS services to its Payment Card Industry Data Security Standard (PCI DSS) compliance program, giving you more options, flexibility, and functionality to process and store sensitive payment card data in the AWS Cloud.

Cisco Unveils Container Platform Based on Kubernetes (Container Journal, Jan 31 2018)
Announced at a Cisco Live! event, the Cisco Container Platform comes three months after the company signed a strategic alliance under which it will work with Google to create hybrid cloud computing offerings based on Kubernetes.

Why DevOps Principles Fit Well in Highly Regulated Industries (DevOps, Jan 30 2018)
DevOps can be your biggest ally when it comes to regulation and compliance—as long as you follow a few simple rules:
1) View auditors (regulators) as stakeholders in the DevOps journey.
2) Codify compliance requirements and policies.
3) Automate your delivery pipeline end to end.

edgescan Releases its Industry Leading 2018 Cyber Security Vulnerability Statistics Report (Edgescan, Jan 29 2018)
“Many of the cyber security weaknesses discovered are due to simple measures not being taken. This is not a result of unwillingness to be more secure but in most cases it’s rather a question of visibility and situational awareness.”

Security Testing: At What Level? (Gartner Blog Network, Jan 29 2018)
So, there are good arguments that you need to test at the level of your likely adversary…But how do you know that level? Even if your threat assessment capabilities are not shitty, this is likely achievable by a tiny minority only… people who basically know what “threat assessment” even means (some actually call it “threat modelling” despite the appsec connotations…