A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Misconfigured Clouds Compromise 424% More Records in 2017 (Dark Reading, Apr 04 2018)
Cybercriminals are increasingly aware of misconfigured systems and they’re taking advantage, report IBM X-Force researchers.

Web Application Firewalls: The Definitive Primer (Imperva, Mar 27 2018)
Imperva commissioned a comprehensive study that explores WAF functionality in-depth (including adjacent WAF technologies) and clarifies how it fits into a network’s overall technology design.

Orgs Are Holding Back on Cloud-Based Security (Infosecurity Magazine, Apr 10 2018)
On average, IT decision makers believe 36% of remote workers bypass security policies; in reality, 48% of office worker respondents admit to bypassing remote work policies and 82% of office workers admit to going around their VPN when working remotely. About 62% of office workers have bypassed the IT department to access a new application, and nearly 80% of IT decision makers believe this type of shadow IT is a major security concern.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

2017 Cloud security Spotlight Report (IT Pro, Apr 05 2018)
Visibility into cloud infrastructure is the biggest security management headache for 37% of respondents. Compliance comes in second (36%) and setting consistent security policies as the third biggest headache at 33%.

ShiftLeft: Fully automated runtime security solution for cloud applications (Help Net Security, Apr 05 2018)
There is a different type of data loss that app developers should be conscious and worry about: cloud applications inadvertently sending critical data to unencrypted/public databases/services.

Aqua Extends Container Security Platform With Compliance Features (eWEEK, Apr 09 2018)
Aqua now includes compliance checks to help identify personally identifiable information in container application images. In addition, the Aqua update can identify embedded “secrets” that include passwords and access tokens. Aqua also scans for malware in container images as well as container hosts to help identify threats.

Cisco broadens Tetration security delivery with cloud, virtual buying options (Network World Security, Apr 10 2018)
Cisco’s Tetration-V and Tetration-SaaS give businesses interested in the security-analytics platform the option of a cloud service or software that runs on virtual appliances.

AWS Certificate Manager Launches Private Certificate Authority (AWS News Blog, Apr 04 2018)
AWS added a new feature for AWS Certificate Manager (ACM), Private Certificate Authority (CA). This new service allows ACM to act as a private subordinate CA. Previously, if a customer wanted to use private certificates, they needed specialized infrastructure and security expertise that could be expensive to maintain and operate.

AWS Firewall Manager: Central Management for Your Web Application Portfolio (AWS News Blog, Apr 04 2018)
There’s often tension between distributed and centralized control, especially in larger organizations. While a distributed control model allows teams to move fast and to respond to specialized local needs, a central model can provide the right level of oversight for global initiatives and challenges that span all teams.

AWS Config Rules Update: Aggregate Compliance Data Across Accounts and Regions (AWS News Blog, Apr 04 2018)
“Sophisticated AWS customers invariably control multiple AWS accounts. Some of these are the results of acquisitions or a holdover from bottom-up, departmental adoption of cloud computing. Others create multiple accounts in order to isolate developers, projects, or departments from each other. We strongly endorse this as a best practice, and back it up with cross-account features in many AWS services, as well as AWS Organizations for policy-based management that spans accounts.”

Securing messages published to Amazon SNS with AWS PrivateLink (AWS Security Blog, Apr 10 2018)
Amazon Simple Notification Service (SNS) now supports VPC Endpoints (VPCE) via AWS PrivateLink. You can use VPC Endpoints to privately publish messages to SNS topics, from an Amazon Virtual Private Cloud (VPC), without traversing the public internet.

Rotate Amazon RDS database credentials automatically with AWS Secrets Manager (AWS Security Blog, Apr 05 2018)
AWS Secrets Manager, a service that makes it easier to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. You can configure Secrets Manager to rotate secrets automatically, which can help you meet your security and compliance needs.

Serverless Apps a New Frontier for Cybersecurity (IT Pro, Apr 10 2018)
Serverless applications increase the attack surface by introducing privilege escalation and application dependencies.

How to automatically scan Cloud Storage buckets for sensitive data: Taking charge of your security (Google Cloud Platform Blog, Apr 11 2018)
How to automate data classification using the DLP API and Cloud Functions, Google Cloud Platform’s event-driven serverless compute platform that makes it easy for you to integrate and extend cloud services with code.

Application Security Groups now generally available in all Azure regions (Microsoft Azure Blog, Apr 05 2018)
Microsoft added Application Security Groups (ASG) in all Azure regions. This feature provides security micro-segmentation for your virtual networks in Azure.

How Security Can Bridge the Chasm with Development (Dark Reading, Apr 05 2018)
Enhancing the relationships between security and engineering is crucial for improving software security. These six steps will bring your teams together.

The eternal struggle: Security versus users (Help Net Security, Apr 09 2018)
There’s an old joke that a job in security is a safe place to be grumpy. From what I’ve seen over my career, that is often true. Security people seem to cherish their reputation for being pessimistic and untrusting. Some take it further and cast their disdain upon the users, who obviously need to be protected from themselves.

One-Fifth of Open-Source Serverless Apps Have Critical Vulnerabilities (Infosecurity Magazine, Apr 06 2018)
According to PureSec’s audit, most vulnerabilities and weaknesses were caused by human error.

100% of Web Apps Contain Vulnerabilities (Infosecurity Magazine, Apr 05 2018)
All apps tested by Trustwave displayed at least 1 vulnerability, with 11 as the median number detected per application.

Analyzing Sucuri’s 2017 Hacked Website Trend Report (PerezBox, Apr 07 2018)
What’s concerning is to see the current state of e-commerce open-source CMS applications. Take a look at OpenCart (92%), PrestaShop (74%), OsCommerce (96%) and Magento (80.3%).