A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

A secure web is here to stay (Google Online Security Blog, Feb 08 2018)
Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries (Troy Hunt, Feb 12 2018)
That script – the one at http://www.browsealoud.com/plus/scripts/ba.js – was maliciously modified to inject a cryptominer and by virtue of it being embedded directly into thousands of sites around the world, the malicious script cascaded down to users of those sites.

2017 OWASP Top 10: The Good, the Bad and the Ugly (Imperva, Feb 01 2018)
The recently released 2017 edition of the OWASP Top 10 marks its first update since 2013 and reflects the changes in the fundamental architecture of applications seen in recent years.

Love letters from a Black Hat to all the fools on the Internet (Help Net Security, Feb 14 2018)
Roses are Red,
Violets are blue,
You use the same password everywhere,
So, I really love you!

Security at the Speed of DevOps (Tripwire, Feb 12 2018)
The DevSecOps answer is that security fits in everywhere. Rather than make security a release gateway or something that only happens in later stages of a release, security is integrated into every part of the workflow. This is also referred to as “shifting security to the left.” That would make more sense if my pipeline diagram below was a straight line rather than a loop, but the idea is that security is getting pushed into earlier stages of a release pipeline, all the way back to planning.

Hybrid data storage is growing rapidly in the digital workplace (Help Net Security, Feb 14 2018)
82% of businesses are currently deploying a mix of cloud and on-premises infrastructure. Egnyte analyzed over 14 petabytes of data across thousands of businesses worldwide to better understand the trends around the content that is being stored, shared, and collaborated on.

Now Available: Encryption at Rest for Amazon DynamoDB (AWS Security Blog, Feb 08 2018)
AWS announced Amazon DynamoDB encryption at rest, a new DynamoDB feature that gives you enhanced security of your data at rest by encrypting it using your associated AWS Key Management Service encryption keys.

Our predictions for 2018: the cloud, containers, DevOps and more (Puppet Blog Feed, Feb 13 2018)
What changes will the world of IT see in 2018? Read the predictions from some of Puppet’s wisest on everything from DevOps to microservices.

A Deep Dive into Database Attacks [Part I]: SQL Obfuscation (Imperva, Feb 12 2018)
To conduct this research, we established a honeypot net for popular SQL/NoSQL databases like Microsoft SQL Server, MySQL, Oracle, and MongoDB and then monitored access to these databases over a period of six months…

Oracle to expand automation capabilities across developer cloud services (TechCrunch, Feb 12 2018)
“We are extending the automation across all of our cloud platform services, making them self driving, self securing and self repairing and eliminating human requirements to handle all of the [installation], protection and services,” Amit Zavery, executive vice president for the Oracle Cloud Platform told TechCrunch.

Oracle Turns On Autonomous Capabilities Throughout Cloud Platform (eWEEK, Feb 14 2018)
Self-driving services use AI and machine learning to help enterprises get predictive insights into their businesses and learn about customer experiences.

Deepfence Emerges from Stealth with Container Security Platform (eWEEK, Feb 14 2018)
Deepfence, a new container security startup, emerges with Security-as-a-Microservice approach for cloud native environments.

Microsoft boosts Windows Analytics to help squash Meltdown and Spectre bugs (Help Net Security, Feb 14 2018)
A day after Microsoft announced it will be adding Windows Defender ATP down-level support for older OSes comes the news that its Windows Analytics service is getting new capabilities aimed at helping businesses tackle Meltdown and Spectre vulnerabilities on machines in their fleet.

How to Use Your Own Identity and Access Management Systems to Control Access to AWS IoT Resources (AWS Security Blog, Feb 14 2018)
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices by using the Message Queuing Telemetry Transport (MQTT) protocol, HTTP, and the MQTT over the WebSocket protocol. Every connected device must authenticate to AWS IoT, and AWS IoT must authorize all requests to determine if access to the requested operations or resources is allowed.

Palo Alto Networks extends security to the big 3 public clouds (CSO Online Cloud Security, Feb 13 2018)
Palo Alto Networks Next-Generation Security Platform expands security to all major public cloud services: Amazon Web Services, Google Cloud Platform and Microsoft Azure.