A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries (SecurityWeek, Mar 22 2018)
GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform.

Patches for Meltdown and Spectre aren’t that bad after all (Network World Security, Mar 27 2018)
An industry vendor that tested the Meltdown and Spectre patches says one significant area of performance is impacted, and even that is a rare scenario.

Certificate Transparency and Nimbus (Cloudflare Blog, Mar 23 2018)
Certificate Transparency (CT) is an ambitious project to help improve security online by bringing accountability to the system that protects HTTPS. Cloudflare is announcing support for this project by introducing two new public-good services.


Hunting Cybercriminals with AWS Honey Tokens (Dark Reading, Mar 22 2018)
Researchers at Black Hat Asia demonstrated how they used AWS honey tokens to detect security breaches at scale.
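An added example of the detection side of the technique described above (written for this digest; it is not code from the Black Hat Asia talk or the Dark Reading article). The assumption is the usual honey-token setup: IAM access keys belonging to users that hold no permissions, created only to be leaked, with their key IDs recorded at creation time. Because nothing legitimate ever uses those keys, any CloudTrail record that authenticates with one is a compromise signal, whether or not AWS denied the call. All key IDs, user names, IP addresses and log records below are constructed for the example.

```python
"""Flag CloudTrail records whose caller authenticated with a honey-token access key.

Added example for this digest entry, not code from the talk or article it
summarises. Assumes honey tokens are zero-permission IAM access keys whose
IDs are registered in HONEY_KEY_IDS when they are planted. Every key ID,
account name and record here is constructed for illustration.
"""
import json
from typing import Dict, Iterable, List, Optional

# Constructed placeholder key IDs, labelled by where each token was planted.
HONEY_KEY_IDS: Dict[str, str] = {
    "AKIAHONEY00000000001": "planted in internal git repo",
    "AKIAHONEY00000000002": "planted in CI build log",
}

# Constructed CloudTrail-style records, one JSON document per line as a
# log shipper would deliver them. Field names follow the CloudTrail schema;
# the values are made up.
SAMPLE_RECORDS: List[str] = [
    # Normal activity by a real user: must not be flagged.
    json.dumps({
        "eventTime": "2018-03-22T09:14:03Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/1.14.40",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "AKIAEXAMPLEREALUSER1"},
    }),
    # Someone probing the leaked key. sts:GetCallerIdentity needs no IAM
    # permissions, so it succeeds even for a zero-privilege honey user.
    json.dumps({
        "eventTime": "2018-03-22T11:02:51Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity",
        "sourceIPAddress": "198.51.100.77",
        "userAgent": "Boto3/1.5.0 Python/3.6.4",
        "userIdentity": {"type": "IAMUser", "userName": "honey-repo",
                         "accessKeyId": "AKIAHONEY00000000001"},
    }),
    # Same key used to enumerate S3: denied by IAM, but still a hit.
    json.dumps({
        "eventTime": "2018-03-22T11:03:10Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "sourceIPAddress": "198.51.100.77",
        "userAgent": "Boto3/1.5.0 Python/3.6.4",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "honey-repo",
                         "accessKeyId": "AKIAHONEY00000000001"},
    }),
]


def caller_key_id(record: dict) -> Optional[str]:
    """Return the access key ID that authenticated the call, if present.

    userIdentity.accessKeyId is set for IAM users and temporary credentials;
    root-account and service-principal records may not carry one.
    """
    return record.get("userIdentity", {}).get("accessKeyId")


def find_honey_hits(lines: Iterable[str]) -> List[dict]:
    """Scan newline-delimited CloudTrail records and return one alert per hit."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a production pipeline would count these
        key_id = caller_key_id(rec)
        if key_id not in HONEY_KEY_IDS:
            continue
        hits.append({
            "token": HONEY_KEY_IDS[key_id],
            "keyId": key_id,
            "eventTime": rec.get("eventTime"),
            "api": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "sourceIp": rec.get("sourceIPAddress"),
            "userAgent": rec.get("userAgent"),
            # AccessDenied is the expected outcome for a zero-privilege user;
            # a record with no errorCode means the call went through.
            "denied": rec.get("errorCode") == "AccessDenied",
        })
    return hits


def attacker_ips(hits: List[dict]) -> List[str]:
    """Distinct source IPs that touched a honey token, in first-seen order."""
    seen: List[str] = []
    for hit in hits:
        if hit["sourceIp"] not in seen:
            seen.append(hit["sourceIp"])
    return seen


if __name__ == "__main__":
    for hit in find_honey_hits(SAMPLE_RECORDS):
        print(f"ALERT honey token '{hit['token']}' used: {hit['api']} "
              f"from {hit['sourceIp']} at {hit['eventTime']} "
              f"({'denied' if hit['denied'] else 'SUCCEEDED'})")
```

The key design point is that the match is on the access key ID, not on the outcome: a zero-permission user produces AccessDenied for almost everything, so alerting only on successful calls would miss the token entirely. The one call worth expecting to succeed is sts:GetCallerIdentity, which requires no permissions and is typically the first thing a stolen key is used for. In practice the same function would be fed CloudTrail records from the S3 bucket or CloudWatch Logs group the trail delivers to.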

A Google Cloud Platform Primer with Security Fundamentals (IBM The State of Security, Mar 25 2018)
We’ve previously discussed best practices for securing Microsoft Azure and Amazon Web Services, but this time we are going to turn our attention to Google Cloud Platform. Google Cloud Platform (GCP) has captured 5 percent of the cloud market and is growing at an impressive 76 percent year over year, but it is somewhat less discussed than AWS and Azure.

Shodan and passwords sitting in a tree, S-H-O-W-I-N-G! (Naked Security – Sophos, Mar 26 2018)
If an application offers authentication security, it’s always a good idea to turn it on if that isn’t the default setting.

Kubernetes 1.10 Release Advances Storage and Improves Security (eWEEK, Mar 28 2018)
The first major release of 2018 for the open-source Kubernetes container orchestration platform is now available, including a patch for a critical vulnerability that could have enabled an attacker to access the host filesystem.

Experiences and attitudes towards cloud-specific security capabilities (Help Net Security, Mar 26 2018)
An overwhelming 83 percent of respondents have concerns about deploying traditional firewalls in the cloud, with 39 percent naming “pricing and licensing not appropriate for the cloud,” and 34 percent citing “lack of integration prevents cloud automation” as their top two concerns.

Chef’s Approach to CIS Critical Security Controls v7.0 (Chef Blog, Mar 22 2018)
There are 20 Controls set out within the Critical Security Controls framework; in this post we’ll focus on the 6 Basic Controls, defined as “Key controls which should be implemented in every organization for essential cyber defense readiness”, and come back to the entire set in a later post.

Bad Bots Increasingly Hide Out in Cloud Data Centers (Dark Reading, Mar 27 2018)
Humans accounted for nearly 58% of website traffic in 2017 — the rest were bad and good bots.

Cloud Security Concerns Surge (Infosecurity Magazine, Mar 27 2018)
90% of cybersecurity professionals confirm they are concerned about cloud security, up 11 percentage points from last year.

All AWS Services GDPR ready (AWS Security Blog, Mar 26 2018)
AWS services comply with the General Data Protection Regulation (GDPR). This means that, in addition to benefiting from all of the measures that AWS already takes to maintain service security, customers can deploy AWS services as a key part of their GDPR compliance plans.

34 Cloud Security Terms You Should Know (Cloud Security Alliance Blog, Mar 23 2018)
In an attempt to simplify it even more we have created a glossary of 34 commonly misunderstood cloud security terms and what they mean.

Building trust through Access Transparency (Google Cloud Platform Blog, Mar 22 2018)
According to an MIT Sloan Management Review survey of more than 500 IT and business executives, 87% of respondents cited auditability as an important factor in evaluating cloud security—second only to a provider’s ability to prevent data compromises.

Is Application Security Dead? (Dark Reading, Mar 22 2018)
The nature of the field has changed greatly because of the move to the cloud and enterprise digital transformation.

Yet another Apple password leak – how to avoid it (Naked Security – Sophos, Mar 28 2018)
Passwords in plaintext – again! Here’s Apple’s latest macOS password bug – plus a handy workaround to deal with it.