A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

#RSAC: It’s Time to Kill the Pen Test (Infosecurity Magazine, Apr 17 2018)
There’s also the issue of pen tests being “a very slow and expensive way to work your way through just a few of the CIS Top 20” whilst they don’t help you with the basics.

Devs know application security is important, but have no time for it (Help Net Security, Apr 17 2018)
48% of respondents admitted that they don’t have enough time to spend on application security, while 35% of developers from companies with no DevOps practices received no training on application security in the past year.

NIST Seeking Comments on New AppSec Practices Standards (Dark Reading, Apr 17 2018)
Working in conjunction with SAFECode, NIST is opening the floor to suggestions at RSA about secure software development life cycle guidelines.

Data Visibility, Control Top Cloud Concerns at RSA (Dark Reading, Apr 18 2018)
As the traditional perimeter dissolves and sensitive data moves to the cloud, security experts at RSA talk about how they’re going to protect it.

Cloud Security Alert – Log Files Are Not the Answer (Infosec Island, Apr 18 2018)
First, all necessary data may not be collected through log files. Second, while event logs are useful for identifying when an alert was triggered, they do not provide enough information to determine what caused the alert. Third, sophisticated adversaries are increasingly adept at moving inside an organization without triggering any alerts. And finally, in the long run, logs can be expensive to manage.

Microsegmentation: Strong Security in Small Packages (Dark Reading, Apr 12 2018)
A deep dive into how organizations can effectively devise and implement microsegmentation in a software-defined networking data center.

Avoiding Holes in Your AWS Buckets (Infosec Island, Apr 12 2018)
Amazon Web Services (AWS) S3 buckets are the destination for much of the data moving to the cloud, and many have been mistakenly misconfigured and left open to public access.

One in five serverless apps has a critical security vulnerability (Network World Security, Apr 12 2018)
According to the audit of more than 1,000 apps by Israeli security firm PureSec, most vulnerabilities and weaknesses were caused by copying and pasting insecure sample code into real-world projects, poor development practices, and lack of serverless education.

7 Steps to a Smooth, Secure Cloud Transition (Dark Reading, Apr 13 2018)
Security leaders share their top steps to keep in mind as your organization moves data and applications to the cloud.

McAfee Expands Cloud Security Program (SecurityWeek, Apr 16 2018)
It isn’t immediately clear why the cloud-first strategy has slowed, but it could partly be down to uncertainty about the EU’s General Data Protection Regulation (GDPR) coming into effect in May 2018.

Qualys brings web application security to DevOps (Help Net Security, Apr 16 2018)
Qualys Web Application Scanning (WAS) 6.0 now supports Swagger version 2.0, a new native plugin for Jenkins for automated vulnerability scanning of web applications, and the new Qualys Browser Recorder.

DevOps May Be Cause of and Solution to Open Source Component Chaos (Dark Reading, Apr 16 2018)
DevOps is accelerating the trend of componentized development approaches, but its automation can also help enforce better governance and security.

Google Will Distrust Additional CAs, IT Pros Predict (Infosecurity Magazine, Apr 12 2018)
Just 15% of respondents believe that Google’s decision to distrust Symantec certificates is a one-time event.

Most Web Apps Contain High-Severity Vulnerabilities (Infosecurity Magazine, Apr 16 2018)
High-severity vulnerabilities were found in 100% of tested banking and finance web applications.

Infrastructure-agnostic web app protection with virtual patching option (Help Net Security, Apr 18 2018)
The software can be deployed as a next-gen web application firewall (WAF), reverse proxy for comprehensive application coverage, or for runtime application self-protection (RASP).