A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Identify Risk in Open Source Components (WhiteHat Security, Feb 01 2018)
An estimated 90 percent of your code is from open source and third-party libraries. How are you verifying that you have the latest version?

GitLab Acquires Gemnasium to Advance DevSecOps (DevOps, Feb 07 2018)
GitLab, as part of its effort to extend the reach of its DevOps platform into the realm of security, has acquired Gemnasium, a provider of tools to mitigate vulnerabilities in open source code.

Misconfigured Amazon Web Services bucket exposes 12,000 social media influencers (SC Magazine, Feb 05 2018)
Another misconfigured Amazon Web Services S3 cloud storage bucket has been left insecure, this time exposing the sensitive data of 12,000 social media influencers.


Oracle CEO Urges Enterprises to Ditch Data Centers and Move to Cloud (eWEEK, Feb 01 2018)
Oracle CEO Mark Hurd said the proliferation of Silicon Valley IT companies that offered enterprises a plethora of choices for their IT systems has produced complex and costly data centers that should be replaced by cloud systems.

Innovative organizations build security into their cloud strategy (Help Net Security, Feb 01 2018)
“Customers are increasingly depending on cloud computing to support the need for business agility and speed of transformation. However, to be successful, business leaders need assurance that cloud security is handled in a predictable manner through automation to ensure compliance and predictability,” according to Dan Kirsch, VP, principal analyst at Hurwitz & Associates.

Security Not Keeping Up with Cloud-First Business Strategies (Infosecurity Magazine, Jan 31 2018)
40% of respondents in a new survey felt that their security solutions aren’t as flexible as the rest of their cloud initiatives.

Microsoft’s Azure revenue nearly doubled year-over-year in its second quarter (TechCrunch, Jan 31 2018)
Microsoft posted a relatively good second quarter this year that continued the ongoing process of its growth into a major cloud entity, in addition to saying it would be taking a significant charge as part of changes to U.S. tax law.

The Future of Endpoint Security is the Cloud, Part 1: Predictive Security (Carbon Black, Jan 31 2018)
For too long, endpoint security has followed the antiquated “point-in-time” security model: if the executable doesn’t match a known malware signature, let it run. It’s now time for endpoint security to move to a new model built on big data in the cloud. Only by applying the unlimited processing power and scale of the cloud to the endpoint security problem can we keep up with — and even predict — the threats coming our way.

10 Steps to Evaluate Cloud Service Providers for FedRAMP Compliance (IBM Security Intelligence, Feb 01 2018)
10 steps organizations must take to evaluate their CSPs for Federal Risk and Authorization Management Program (FedRAMP) compliance.

Top Cloud Security Misconceptions Plaguing Enterprises (Dark Reading, Feb 07 2018)
Contrary to popular opinion, there is no one single cloud. There are a wealth of cloud-based providers that own dedicated server space across the globe. Here’s how to find the best fit for your company.

Security vs. Speed: The Risk of Rushing to the Cloud (Dark Reading, Feb 06 2018)
Companies overlook critical security steps as they move to adopt the latest cloud applications and services.

Cloud service adoption creates new data center demands (Help Net Security, Feb 07 2018)
The study forecasts global cloud data center traffic to reach 19.5 zettabytes (ZB) per year by 2021, up from 6.0 ZB per year in 2016 (3.3-fold growth or a 27 percent compound annual growth rate [CAGR] from 2016 to 2021). Globally, cloud data center traffic will represent 95 percent of total data center traffic by 2021, compared to 88 percent in 2016.

Addressing Data Residency with AWS (AWS Security Blog, Feb 02 2018)
AWS has released a new whitepaper that has been requested by many AWS customers: AWS Policy Perspectives: Data Residency. Data residency is the requirement that all customer content processed and stored in an IT system must remain within a specific country’s borders, and it is one of the foremost concerns of governments that want to use commercial cloud services.

Use Forseti to make sure your Google Kubernetes Engine clusters are updated for “Meltdown” and “Spectre” (Google Cloud Platform Blog, Feb 01 2018)
One recommended action is to update all Google Kubernetes Engine clusters to ensure the underlying VM image is fully patched. You can do this automatically by enabling auto-upgrade on your Kubernetes node pools. Want to make sure all your clusters are running a version patched against these CPU vulnerabilities? The Google Cloud security team developed a scanner that can help.
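The check the Google post describes, as an added example that is not Forseti's code or Google's scanner: it reads the JSON that `gcloud container clusters list --format=json` produces (a constructed sample is embedded below, with the real field names `nodePools[].version` and `nodePools[].management.autoUpgrade`), compares every node pool's GKE version against a per-minor-line floor, and also flags pools with auto-upgrade disabled. The patched floor versions in `PATCHED_FLOORS` are hypothetical placeholders; the real values were published per release line, which is why the floor is keyed by minor version rather than being a single number (a 1.9.0 pool is newer than a patched 1.8.x release but still unpatched on its own line).

```python
import json
import re

# Constructed sample in the shape of `gcloud container clusters list --format=json`.
# Not real clusters; only the fields the audit needs are included.
SAMPLE_CLUSTERS = json.loads("""
[
  {"name": "prod-east", "currentMasterVersion": "1.8.7-gke.1",
   "nodePools": [
     {"name": "default-pool", "version": "1.8.7-gke.1", "management": {"autoUpgrade": true}},
     {"name": "gpu-pool",     "version": "1.8.5-gke.0", "management": {"autoUpgrade": false}}
   ]},
  {"name": "dev", "currentMasterVersion": "1.9.2-gke.1",
   "nodePools": [
     {"name": "default-pool", "version": "1.9.2-gke.1", "management": {"autoUpgrade": false}}
   ]},
  {"name": "legacy", "currentMasterVersion": "1.7.12-gke.1",
   "nodePools": [
     {"name": "default-pool", "version": "1.7.12-gke.1", "management": {"autoUpgrade": true}}
   ]}
]
""")

# HYPOTHETICAL floors, keyed by minor line: the first version of each line that
# carries the Meltdown/Spectre host patches. Replace with the values GKE publishes.
PATCHED_FLOORS = {"1.8": "1.8.7-gke.0", "1.9": "1.9.2-gke.1"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-gke\.(\d+))?$")


def parse_gke_version(version):
    """'1.8.7-gke.1' -> (1, 8, 7, 1); a missing -gke suffix counts as 0 so tuples compare."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised GKE version string: {version!r}")
    major, minor, patch, gke = m.groups()
    return (int(major), int(minor), int(patch), int(gke or 0))


def audit_node_pools(clusters, floors):
    """Return (cluster, pool, version, reason) for every pool that needs attention."""
    findings = []
    for cluster in clusters:
        for pool in cluster.get("nodePools", []):
            version = pool["version"]
            parsed = parse_gke_version(version)
            line = f"{parsed[0]}.{parsed[1]}"
            auto_upgrade = pool.get("management", {}).get("autoUpgrade", False)

            # Version check: an unknown minor line is a finding too, since the
            # scanner cannot vouch for it (fail closed rather than stay silent).
            if line not in floors:
                findings.append((cluster["name"], pool["name"], version,
                                 "no patched release known for this minor line"))
            elif parsed < parse_gke_version(floors[line]):
                findings.append((cluster["name"], pool["name"], version,
                                 f"below patched floor {floors[line]}"))

            # Hygiene check from the post: without auto-upgrade the pool drifts again.
            if not auto_upgrade:
                findings.append((cluster["name"], pool["name"], version,
                                 "auto-upgrade disabled"))
    return findings


if __name__ == "__main__":
    for cluster, pool, version, reason in audit_node_pools(SAMPLE_CLUSTERS, PATCHED_FLOORS):
        print(f"{cluster}/{pool} ({version}): {reason}")
```

To run it against real clusters, pipe `gcloud container clusters list --format=json` into `json.load` in place of the sample and fill `PATCHED_FLOORS` from the GKE release notes for each minor line you operate.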

Finer-grained security using custom roles for Cloud IAM (Google Cloud Platform Blog, Jan 31 2018)
Google Cloud Platform (GCP) offers hundreds of predefined roles that range from “Owner” to product- and job-specific roles as narrow as “Cloud Storage Viewer.” These are curated combinations of the thousands of IAM permissions that control every API in GCP, from starting a virtual machine to making predictions using machine learning models. For even finer-grained access control, custom roles now offer production-level support for remixing permissions across all GCP services.

Adopting Continuous Testing: 4 Success Stories (DevOps, Feb 02 2018)
Much has been written about the benefits and best practices of continuous testing. However, it’s not always clear how to make these concepts a reality. Here are a few stellar examples of how several leading organizations were able to apply continuous testing to remove roadblocks and achieve their organization’s distinct quality goals.

Securing Cloud-Native Apps (Dark Reading, Feb 01 2018)
A useful approach for securing cloud-native platforms can be adapted for securing apps running on top of the platform as well.

Abusing X.509 Digital Certificates for Covert Data Exchange (Dark Reading, Feb 05 2018)
Newly discovered hack would allow attackers to send data between two systems during TLS negotiation, researchers say.

Firefox 59’s privacy mode plugs leaky referrers (Naked Security – Sophos, Feb 06 2018)
The Firefox browser’s Private Browsing Mode won’t tell websites where visitors have come from.
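What a "leaky referrer" actually leaks, and what trimming it does, is easier to see with the Referrer-Policy rules worked through in code. The following is an added example, not code from the Sophos article or from Firefox: it computes the `Referer` value a browser sends for a given source page, destination and policy. The sample URLs are constructed. The policy names are the standard Referrer-Policy values; Mozilla's own announcement for Firefox 59 describes the private-browsing default as `strict-origin-when-cross-origin` (origin only for cross-site requests, nothing on an HTTPS-to-HTTP downgrade), against the long-standing browser default of `no-referrer-when-downgrade`, which sends the full path and query string to any HTTPS third party.

```python
from urllib.parse import urlsplit


def _origin(parts):
    """scheme://host[:port]; drops any user:password@ and the fragment, lower-cases the host."""
    host = parts.hostname or ""
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}"


def _full_referrer(parts):
    """The full referrer: origin + path + query, never the fragment or credentials."""
    query = f"?{parts.query}" if parts.query else ""
    return f"{_origin(parts)}{parts.path or '/'}{query}"


def referrer_for(source, destination, policy):
    """Return the Referer header value to send, or None when nothing is sent."""
    src, dst = urlsplit(source), urlsplit(destination)
    full = _full_referrer(src)
    origin_only = _origin(src) + "/"          # browsers serialise an origin referrer with a trailing slash
    same_origin = _origin(src) == _origin(dst)
    downgrade = src.scheme == "https" and dst.scheme != "https"

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # pre-existing browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":  # Firefox 59 private-browsing default
        if same_origin:
            return full
        return None if downgrade else origin_only
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown referrer policy: {policy!r}")


# Constructed example: a logged-in page whose URL carries an account id and a token.
SOURCE = "https://portal.example.com/accounts/4711/statement?token=abc123#summary"
THIRD_PARTY = "https://cdn.example.net/pixel.gif"

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} -> {referrer_for(SOURCE, THIRD_PARTY, policy)}")
```

The first line of output is the leak the article is about: under the old default the third-party host receives the account id and the token from the query string. Sites need not wait for users to switch browsers or modes; sending a `Referrer-Policy: strict-origin-when-cross-origin` response header (or the equivalent `<meta name="referrer">`) applies the same trimming in every browser that honours it.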

Announcing turndown of the deprecated Google Safe Browsing APIs (Google Online Security Blog, Feb 06 2018)
“In May 2016, we introduced the latest version of the Google Safe Browsing API (v4). Since this launch, thousands of developers around the world have adopted the API to protect over 3 billion devices from unsafe web resources. Coupled with that announcement was the deprecation of legacy Safe Browsing APIs, v2 and v3. Today we are announcing an official turn-down date of October 1st, 2018, for these APIs. All v2 and v3 clients must transition to the v4 API prior to this date.”