A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Distrust of the Symantec PKI: Immediate action needed by webmasters (Google, Mar 14 2018)
This post outlines how site operators can determine if they’re affected by this deprecation, and if so, what needs to be done and by when. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Chrome.
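As an added example (not code from the Google post), the following shell script gives a site operator a quick first check: it reads a PEM certificate and reports whether the issuer name carries one of the brands that operated under Symantec's PKI, and prints the notBefore date, since the post keys its deadlines to when a certificate was issued (certificates issued before 1 June 2016 were distrusted first, in Chrome 66, with the rest following in Chrome 70). The brand list in the script and the hostnames are assumptions; the two certificates built in `demo_check` are constructed locally and self-signed, so their issuer equals their subject.

```shell
#!/bin/sh
# Added example, not part of the Google post. Requires the openssl CLI.
# The brand-name list is an assumption covering CAs run under Symantec's PKI;
# confirm it against the post and the chain you actually serve.

# symantec_issuer FILE.pem
# Prints "affected" and returns 0 if the issuer name matches a Symantec brand,
# otherwise prints "clear" and returns 1 (2 if the file cannot be parsed).
symantec_issuer() {
    issuer=$(openssl x509 -in "$1" -noout -issuer) || return 2
    case "$issuer" in
        *Symantec*|*VeriSign*|*GeoTrust*|*[Tt]hawte*|*RapidSSL*)
            echo "affected"; return 0 ;;
        *)
            echo "clear"; return 1 ;;
    esac
}

# cert_not_before FILE.pem
# Prints the notBefore date so it can be compared with the cut-off dates
# in the post (a certificate that needs replacing anyway still needs replacing;
# the date only tells you which browser release breaks it first).
cert_not_before() {
    openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//'
}

# fetch_chain HOSTNAME
# Live check (needs network): dumps the PEM chain the server actually sends,
# leaf first, so each certificate can be fed to symantec_issuer.
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/{f=1} f{print} /-----END CERTIFICATE-----/{f=0}'
}

# demo_check
# Builds two constructed self-signed certificates (issuer == subject), one with
# a Symantec organisation name and one without, and returns both verdicts.
demo_check() {
    dir=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/k1.pem" -out "$dir/symantec.pem" \
        -subj "/O=Symantec Corporation/CN=example.test" >/dev/null 2>&1 || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/k2.pem" -out "$dir/other.pem" \
        -subj "/O=Example CA/CN=example.test" >/dev/null 2>&1 || return 2
    a=$(symantec_issuer "$dir/symantec.pem" || true)
    b=$(symantec_issuer "$dir/other.pem" || true)
    rm -rf "$dir"
    echo "$a $b"
}
```

Run `demo_check` to see the two verdicts; for a real site, pipe the output of `fetch_chain www.example.com` into a file and run `symantec_issuer` and `cert_not_before` on the leaf. A match on the issuer name of the leaf or any intermediate means the chain should be replaced before the browser releases named in the post.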

Zero-trust models can fix cloud security, but most firms are sticking to (very) old tricks (CSO Online, Mar 07 2018)
Software-defined perimeters make endpoints justify themselves, but standards and tools are still evolving

How to Delegate Administration of Your AWS Managed Microsoft AD Directory to Your On-Premises Active Directory Users (AWS Security Blog, Mar 08 2018)
You can now enable your on-premises users to administer your AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD. Using an Active Directory (AD) trust and the new AWS delegated AD security groups, you can grant administrative permissions to your on-premises users by managing group membership in your on-premises AD directory.


Cloud access management is integral to adopting cloud applications (Help Net Security, Mar 08 2018)
Surveying more than 1,000 IT decision makers globally, Gemalto’s 2018 Identity and Access Management Index revealed that 54% believe that the authentication methods they implement in their businesses are not as good as those found on popular sites including Amazon and Facebook.

Understanding the challenges of cloud security (CSO Online, Mar 08 2018)
The average percent of corporate IT spending controlled by the IT department has declined from 53 percent in 2016 to 40 percent in 2017. Functions outside of IT are now deploying an average of 58 percent of cloud services, a significant increase since 2016. The average percent of corporate data stored in cloud environments and not managed by IT has also grown from 44 percent to 53 percent.

Euro Firms Lagging on AWS CloudTrail Adoption (Infosecurity Magazine, Mar 14 2018)
European organizations view security as their number one priority when moving workloads to the cloud, but many are failing to take advantage of native security and compliance tools, according to Sumo Logic.

Cloud Security Firm Luminate Emerges From Stealth (SecurityWeek, Mar 14 2018)
Luminate, a U.S. and Israel-based company that specializes in securing access to corporate applications in hybrid cloud environments, emerged from stealth mode on Wednesday with $14 million in funding.

The security operations platform: automation, orchestration and more (CSO Online, Mar 14 2018)
As security automation and orchestration (SA&O) platforms gain an increasing foothold in the modern SOC, it’s clear that capabilities beyond automation and orchestration are needed to address user requirements. It might be more appropriate to think of this emerging technology as a Security Operations Platform.

The cloud’s the limit for secure, compliant identity storage and personal data (CSO Online, Mar 08 2018)
Back in 2009, I gave a talk about cloud identity. It went down, less like a fluffy cloud and more like a lead balloon. It was too early – way too early. But as we reach peak cloud adoption, with rates of uptake reaching 93 percent, the sky’s the limit for digital identity. Cloud computing has given digital identity, particularly IAM for citizens and consumers, a real boost.

Putting the S in SDLC: Do You Know Where Your Data Is? (Dark Reading, Mar 08 2018)
Data represents the ultimate attack surface. Avoid major data breaches (and splashy headlines) by keeping track of where your data is.

DevSecOps: The Importance of Building Security from the Beginning (Dark Reading, Mar 09 2018)
Here are four important areas to tackle in order to master DevSecOps: code, privacy, predictability, and people.

DevSecOps: Automation for Assurance (Cisco Blog, Mar 13 2018)
In Part 2 of this blog series, DevSecOps – Security at the Speed of Business, we explained the “what” and “why” of our security guardrails and the Agile Hackathon method used to develop these guardrails, which enable the cloud offer teams to confidently build and deploy their offers more quickly. In Part 3, we will cover how to automate security guardrails.

DevSecOps: Deception in Depth (DevOps, Mar 08 2018)
Mantraps, tripwires and tarpits … sounds like the start of a solid spy-movie plot, doesn’t it? These are among the many concepts of physical security that are making the crossover to software security.

E-Mailing Private HTTPS Keys (Schneier on Security, Mar 13 2018)
When Rowley asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum.

Apple’s Swift Programming Language Is Now Top Tier (Wired, Mar 08 2018)
Apple’s programming language Swift is less than four years old, but a new report finds that it’s already as popular as its predecessor, Apple’s more established Objective-C language.

Calendar 2 app pulled from Mac App Store after cryptomining controversy (Graham Cluley, Mar 13 2018)
Rather than paying a flat fee of $17.99 or a 99-cent-per-month subscription to gain access to all of Calendar 2’s advanced features, the app now offered “All advanced features for free” if you allowed it to “unobtrusively” generate the Monero cryptocurrency in the background.

SOLID Design Principles Explained – The Single Responsibility Principle (DevOps Zone, Mar 11 2018)
Single Responsibility Principle
Open/Closed Principle
Liskov Substitution Principle
Interface Segregation Principle
Dependency Inversion Principle