A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Panerabread.com Leaks Millions of Customer Records (Krebs on Security, Apr 02 2018)
Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline, KrebsOnSecurity has learned.

Complete Guide to Enterprise Container Security *New Paper* (Securosis Blog, Apr 02 2018)
“We run more code faster, but must in turn accept a loss of visibility inside the containers. It begs the question, ‘How can we introduce security without losing the benefits of containers?’”

DevOps Security at Scale (DZone, Mar 28 2018)
There are companies who have figured out how to “run fast” with DevOps while also maintaining very high standards of information security, and there are 6 bedrock principles that emerge among them when we look at how they operate.

Enable Federated API Access to your AWS Resources for up to 12 hours Using IAM Roles (AWS Security Blog, Mar 28 2018)
Now, your applications and federated users can complete longer running workloads in a single session by increasing the maximum session duration up to 12 hours for an IAM role. Users and applications still retrieve temporary credentials by assuming roles using AWS Security Token Service (AWS STS), but these credentials can now be valid for up to 12 hours when using the AWS SDK or CLI.

Mastering Security in the Cloud for Your Insurance Organization (eWEEK, Apr 02 2018)
How do insurers navigate both the security and compliance requirements to protect themselves in the face of changing regulation and more sophisticated cyber-criminals?

5 Questions to ask cloud services providers about security (SC Magazine, Mar 30 2018)
Ask prospective cloud service providers these five questions germane to security.

Why Multi-cloud Security Requires Rethinking Network Defense (SecurityWeek, Apr 02 2018)
This requires three key capabilities: advanced application and data breach prevention, consistent protection across locations and clouds, and frictionless deployment and management.

How to Use Service Control Policies in AWS Organizations (AWS Security Blog, Apr 02 2018)
With AWS Organizations, you can centrally manage policies across multiple AWS accounts without having to use custom scripts and manual processes. For example, you can apply service control policies (SCPs) across multiple AWS accounts that are members of an organization.

What is FedRAMP? How cloud providers get authorized to work with the U.S. government (CSO Online, Apr 02 2018)
The process for getting the FedRAMP seal of approval is complex, but it can ultimately be lucrative for companies that meet the security requirements.

Exploring container security: An overview (Google Cloud Platform Blog, Mar 29 2018)
This is the first in a series of blog posts that will cover container security on Google Cloud Platform (GCP), and how to secure your containers running in Google Kubernetes Engine.

Secure your backups, not just your data! (Microsoft Azure Blog, Mar 29 2018)
To secure your backups, you need a multi-layered security mechanism that not only provides a backup but also addresses all the above, so ransomware cannot affect it.

Secdevops or devsecops or devops next-generation (NG) – What is your take on devops? (CSO Online, Apr 02 2018)
Should devops adapt to include and incorporate new technologies and expand the community of practitioners?

Google to purge cryptomining extensions from Chrome Web Store (Help Net Security, Apr 03 2018)
In a bid to prevent Chrome users’ computers being covertly used for cryptocurrency mining, Google will try to purge the Chrome Web Store of extensions that hijack machines’ CPU resources to do just that.

Facebook Expands Bug Bounty Amid Spiraling Privacy Scandal (Infosecurity Magazine, Mar 28 2018)
The social network will reward people for reporting misuses of data by app developers.

Report: What two years of real pen testing findings will tell you (Help Net Security, Apr 03 2018)
The information included in this report (Time to Fix, Vulnerability Types, Findings Criticality, Issues Fixed) is summary data from all of the penetration tests Cobalt performed in 2017.

Secure software development practices for developers, organizations and technology users (Help Net Security, Apr 03 2018)
SAFECode announced the publication of the Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Life Cycle Program (Third Edition).

Why you should know about SSL certificates: CertDB.com Case (Hacking Articles, Apr 04 2018)
It allows companies that specialize in security breaches to find problematic certificates, with the aim of reducing the possibility of hacker attacks. The service also functions as a useful tool during penetration tests. Not to mention that, with the help of certificate analysis, one may discover the subdomains and domains of a particular target that could turn out to be vulnerable.