A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

How Developers got Password Security so Wrong (Cloudflare Blog, Feb 21 2018)
Unfortunately, salting is no longer enough: passwords can be cracked faster and faster using modern GPUs (specialised at doing the same task over and over). When a site suffers a security breach, users' passwords can be taken offline in database dumps in order to be cracked offline.

Introducing CloudMapper: An AWS Visualization Tool (The Duo Blog, Feb 20 2018)
Duo built CloudMapper to generate interactive network diagrams of AWS accounts and is releasing it as an open-source tool to the larger developer community.

EnvKey wants to create a smarter place to store a company’s API keys and credentials (TechCrunch, Feb 27 2018)
If an engineer ends up leaving a company, on their own or for any other reason, the company is going to have to work quickly to change all of the credentials and keys for their application components. That’s a huge hassle, because oftentimes it’s hard to know where they are stored, who can access what, and how to change everything at a massive scale — especially if the company is a huge one.


Friendly warnings left in unsecured Amazon S3 buckets which expose private data (Graham Cluley, Feb 22 2018)
This is a friendly warning that your Amazon AWS S3 bucket settings are wrong.
Anyone can write to this bucket.
Please fix this before a bad guy finds it.

93% of Cloud Applications Aren’t Enterprise-Ready (Dark Reading, Feb 23 2018)
The average business uses 1,181 cloud services, and most don’t meet all recommended security requirements, Netskope says.

Unsecured AWS led to cryptojacking attack on LA Times (Naked Security – Sophos, Feb 27 2018)
Cryptojackers have been discovered sneaking mining code onto a big brand’s website through the back door of a poorly secured Amazon Web Services (AWS) S3 bucket.
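Both S3 stories above (the friendly warnings left in buckets, and the LA Times cryptojacking) come down to the same misconfiguration: a bucket ACL or bucket policy that grants write access to everyone, so a stranger can drop a warning file or inject a miner into a served script. The following Python is an added example, not code from either article or from AWS; it audits a bucket ACL and a bucket policy in the dict shapes that boto3's get_bucket_acl and get_bucket_policy return, using constructed sample buckets so it runs offline. The bucket names and owner IDs are placeholders; the group URIs and S3 actions are real AWS identifiers.

```python
import fnmatch
import json

# Real AWS predefined groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the Internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy")

def acl_findings(acl):
    """Flag ACL grants to the public groups; write grants are the worst case."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            perm = grant["Permission"]
            severity = "CRITICAL" if perm in WRITE_PERMISSIONS else "HIGH"
            findings.append("%s: ACL grants %s to %s" % (severity, perm, label))
    return findings

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def policy_findings(policy):
    """Flag Allow statements for everyone; wildcard actions are matched with fnmatch."""
    findings = []
    if not policy:
        return findings
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceIp) may narrow "*"; do not assume public.
            findings.append("INFO: public principal narrowed by a Condition, review manually")
            continue
        for pattern in _as_list(stmt.get("Action")):
            writable = [a for a in WRITE_ACTIONS if fnmatch.fnmatch(a, pattern)]
            if writable:
                findings.append("CRITICAL: policy allows %s to everyone (%s)"
                                % (pattern, ", ".join(writable)))
            elif fnmatch.fnmatch("s3:GetObject", pattern):
                findings.append("HIGH: policy allows %s (public read) to everyone" % pattern)
    return findings

def audit_bucket(acl, policy=None):
    return acl_findings(acl) + policy_findings(policy)

# Constructed sample data in boto3's response shapes (placeholder names and IDs).
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
ACL_WORLD_WRITABLE = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": ALL_USERS, "Permission": "WRITE"},
    {"Grantee": ALL_USERS, "Permission": "READ"},
]}
ACL_PRIVATE = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
POLICY_PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-website-placeholder/*"}]})
POLICY_WILDCARD = {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                                 "Action": ["s3:Put*"], "Resource": "*"}}

if __name__ == "__main__":
    for name, acl, policy in [("example-assets-placeholder", ACL_WORLD_WRITABLE, None),
                              ("example-website-placeholder", ACL_PRIVATE, POLICY_PUBLIC_READ),
                              ("example-private-placeholder", ACL_PRIVATE, None)]:
        print(name, audit_bucket(acl, policy) or ["OK"])
```

In a real account you would feed each bucket's get_bucket_acl response and the JSON string from get_bucket_policy into audit_bucket; the point of separating the two checks is that a bucket with a clean ACL can still be world-writable through its policy, and vice versa, so an audit that looks at only one of them misses half the problem.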

AWS Single Sign-On Now Enables Command Line Interface Access for AWS Accounts Using Corporate Credentials (AWS Security Blog, Feb 22 2018)
AWS made it easier to use the AWS Command Line Interface (CLI) to manage services in your AWS accounts. Now you can sign into the AWS Single Sign-On (AWS SSO) user portal using your existing corporate credentials, choose an AWS account and a specific permission set, and get temporary credentials to manage your AWS services through the AWS CLI.

Announcing SSL policies for HTTPS and SSL proxy load balancers (Google Cloud Platform Blog, Feb 28 2018)
Applications in cloud deployments have diverse security needs. When you use a load balancer as an HTTPS or TLS front end, you need to be able to control how it secures connections to clients. In some cases, your security or compliance requirements may restrict the TLS protocols and ciphers that the load balancer can use. For other applications, you may need the load balancer to support older TLS features in order to accommodate legacy clients.

Security Center Playbooks and Azure Functions Integration with Firewalls (Microsoft Azure Blog, Feb 27 2018)
Every second counts when an attack has been detected. We have heard from you that you need to be able to quickly take action against detected threats. At Ignite 2017, we announced Azure Security Center Playbooks, which allow you to control how you want to respond to threats detected by Security Center.

Creating a single pane of glass for your multi-cloud Kubernetes workloads with Cloudflare (Google Cloud Platform Blog, Feb 28 2018)
One of the great things about container technology is that it delivers the same experience and functionality across different platforms. This frees you as a developer from having to rewrite or update your application to deploy it on a new cloud provider—or lets you run it across multiple cloud providers. With a containerized application running on multiple clouds, you can avoid lock-in, run your application on the cloud for which it’s best suited, and lower your overall costs.

Automated Compliance Testing Tool Accelerates DevSecOps (SecurityWeek, Feb 21 2018)
Chef has released InSpec version 2.0 of its compliance automation technology. InSpec evolved from technology acquired with the purchase of German startup company VulcanoSec in 2015. The latest version improves performance and adds new routines. Chef claims it offers 90% Windows performance gains (30% on Linux/Unix) over InSpec 1.0.

DevSecOps: How Security Teams Can Better Support Their Developer Counterparts (DevOps, Feb 22 2018)
Understanding the SDLC for your company is key to finding ways to help that make sense. Have discussions with your development leaders and influential developers to find some ways to win. Create a pilot program with a friendly development team and pour all of your effort into making them successful.

Hunter2 wants to teach engineers to handle web app security with a hands-on approach (TechCrunch, Feb 27 2018)
Hunter2 aims to spin up training labs centered around real-world scenarios to teach engineers exactly why something broke in a web app, and how to fix it. Engineers work through responsive web apps, which are spun up on a fully functional server, that include some scenarios built off of real-world events — like the Equifax hack.

DevSecOps Is an Abomination! (DevOps Zone, Feb 28 2018)
Dr. Frankenstein’s monster is one of the most hated and misunderstood monsters of all time. Frankenstein brought his creation into the world without proper forethought or planning. He simply stitched various body parts together to form an uncontrollable abomination. There are similarities here with how DevSecOps is typically created. Frankenstein wannabes simply bolt security on to DevOps or stitch security policies from different tools together. The result is an uncontrollable DevSecOps abomination. DevSecOps abominations wreak havoc on operations and development teams daily.

Facebook bug reveals identity of page admin via email (Naked Security – Sophos, Feb 26 2018)
The autogenerated emails sent on behalf of a named Facebook page gave away more about the accounts behind the page than you’d expect.

Zero trust approach to application security and critical infrastructure protection (SC Magazine, Feb 27 2018)
The core thesis of Zero Trust is that instead of taking a well-defined-perimeter approach to security, you assume that there is no perimeter protected by a firewall, and use other solutions and techniques to detect anomalies and take swift corrective remediation action. Here I’m proposing that we take a similar approach for code and application security to protect critical infrastructure, where the static and dynamic testing is performed as early in the software development life cycle as possible under the assumption that there are always potential security vulnerabilities being introduced.

Advance Web Application Testing using Burpsuite (Hacking Articles, Feb 27 2018)
“Today we are going to discuss advanced options of Burp Suite Pro for web penetration testing; here we used the bWAPP lab, which you can install from here, and the Acunetix vulnerable web application, which is available online, for web application penetration testing practice.”