A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

How to Use Bucket Policies to Secure Your Amazon S3 Data (AWS Security Blog, Mar 07 2018)
Because the service is flexible, a user could accidentally configure buckets in a manner that is not secure.

1 in 50 publicly readable Amazon buckets are also writable – and that’s a data disaster waiting to happen (Graham Cluley, Mar 01 2018)
A study conducted by French cybersecurity outfit HTTPCS has revealed that 1 in 50 of all Amazon S3 buckets have not been write-protected, opening opportunities for malicious attackers to corrupt data, or even encrypt or wipe it – demanding a ransom be paid for its safe return.

Safer browsing coming soon to MacOS Chrome users (Naked Security – Sophos, Mar 07 2018)
Google’s security team recently announced that Chrome is expanding its “Safe Browsing” capabilities to help protect MacOS users from Mac-specific threats and malware.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Zero-Day Attacks Major Concern in Hybrid Cloud (Dark Reading, Feb 28 2018)
Hybrid cloud environments are particularly vulnerable to zero-day exploits, according to a new study.

6 Questions to Ask Your Cloud Provider Right Now (Dark Reading, Mar 06 2018)
Experts share the security-focused issues all businesses should explore when researching and using cloud services.

Aqua Expands Container Security Platform with MicroEnforcer Technology (eWEEK, Mar 07 2018)
Aqua Security 3.0 provides new capabilities to help organizations protect Kubernetes container workloads as well as new modes of container deployment including the AWS Fargate service.

McAfee Launches Security Platform for Azure Cloud (SecurityWeek, Mar 07 2018)
Cloud access security brokers (CASBs) can improve visibility and control, but aren’t necessarily tailored to a specific cloud. McAfee announced the first product resulting from its purchase of Skyhigh Networks, finalized in January 2018: the McAfee Skyhigh Security Cloud for Azure.

FedRAMP – Three Stages of Vulnerability Scanning and their Pitfalls (Cloud Security Alliance Blog, Mar 07 2018)
Though vulnerability scanning is only one of the control requirements in FedRAMP, it is actually one of the most frequent pitfalls in terms of impact to an authorization to operate (ATO), as FedRAMP requirements expect cloud service providers (CSPs) to have a mature vulnerability management program.

Visibility into network activity with Traffic Analytics – now in public preview (Microsoft Azure Blog, Mar 06 2018)
Announcing the public preview of Traffic Analytics, a cloud-based flow monitoring solution that provides visibility into user and application traffic on your cloud networks.

SecOps reality gap: 85% say practicing SecOps is a goal, 35% actually do (Help Net Security, Mar 02 2018)
More than half of companies (52 percent) admit to cutting back on security measures to meet a business deadline or objective.

Integrating Security into DevOps: The Benefits and Drawbacks (DevOps, Mar 01 2018)
If the security team is a component of the development organization, they must maintain close contact with the global security office. But they can be much closer to the product development. This means they are closely working with feature teams and determining stories that should be planned into the sprints.

One in Eight Open Source Components Contain Flaws (Infosecurity Magazine, Mar 02 2018)
The number of buggy open source components downloaded in the UK has soared by over 100% over the past year, according to new research from Sonatype.

The State of Application Penetration Testing (Dark Reading, Feb 28 2018)
“Pen testing is the third most important software security practice after code review with a static analysis tool and architectural risk analysis,” McGraw says.

A Secure Development Approach Pays Off (Dark Reading, Mar 02 2018)
Software security shouldn’t be an afterthought. That’s why the secure software development life cycle deserves a fresh look.

Facebook Automatically Upgrading Links to HTTPS to Boost Security (eWEEK, Mar 05 2018)
Facebook is now using an approach called HSTS preloading, to send users to the HTTPS secured version of a link.

Kaspersky Lab Offers $100,000 for Critical Vulnerabilities (SecurityWeek, Mar 06 2018)
Just days before its annual Security Analyst Summit kicks off in Cancun, Mexico, Kaspersky Lab this week announced an extension to its bug bounty program and plans to pay rewards of up to $100,000 for severe vulnerabilities in some of its products.