A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
SecMon State of the Union: Revisiting the Team of Rivals (Securosis Blog, Apr 24 2018)
In this post (and the rest of the series) Securosis discusses the degree each tool matches up to the emerging use cases, and how technologies such as cloud and IoT impact your security monitoring strategy and toolset.
Overcoming DevOps Implementation Challenges (IBM The State of Security, Apr 23 2018)
There are several fundamental challenges and problems that must be dealt with for the successful implementation of DevOps in an organization.
Announcing the new AWS Certified Security – Specialty exam (AWS Security Blog, Apr 23 2018)
The AWS Certified Security — Specialty exam is here. This new exam allows experienced cloud security professionals to demonstrate and validate their knowledge of how to secure the AWS platform.
Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report
Exploring container security: Digging into Grafeas container image metadata (Google Cloud Platform Blog, Apr 12 2018)
The great thing about containers is how easy they are to create, modify and share. But that also raises the question of whether or not they’re safe to deploy to production. One way to answer that is to track metadata about your container, for example, who worked on it, where it’s stored, and whether it has any known vulnerabilities.
Keeping the Business Safe Across Hybrid Cloud Environments (Dark Reading, Apr 18 2018)
Aggressive cloud adoption increases threat surface and makes it more difficult for infosec teams to keep track of what the business is doing. Donald Meyer, Head of Data Center and Cloud at Check Point Software, explains how infosec teams can more effectively mitigate risk without hampering business agility.
Security Experts Warn of New Cyber-Threats to Data Stored in Cloud (eWEEK, Apr 19 2018)
While established cyber-attack vectors, such as malware and ransomware, continue to be a challenge for IT security pros, a panel of experts at the SANS Institute detailed new and emerging threats.
How Cloud Computing Impacts Corporate Security for Better or Worse (eWEEK, Apr 20 2018)
A survey conducted by Oracle and KPMG finds that too often inadequate attention is paid to implementing strong security measures when meeting urgent demand to deploy new cloud services.
New Survey Shows Hybrid Cloud Confidence (Dark Reading, Apr 23 2018)
Executives are mostly confident in their hybrid cloud security, according to the results of a new survey.
Speeding the Secure Cloud Adoption Process (Cloud Security Alliance Blog, Apr 16 2018)
The report, authored by the CSA Global Enterprise Advisory Board, examines such areas as the adoption of cloud and related technologies, what both enterprises and cloud providers are doing to ensure security requirements are met, how to best work with regulators, the evolving threat landscape, and goes on to touch upon the industry skills gap.
Azure Sphere Gives Boost to IoT Security, But Gaps Remain (IT Pro, Apr 24 2018)
Aiming for IoT security at the silicon level, Microsoft debuts Azure Sphere security services and a new MCU architecture. But can the ‘crossover’ secure most MCU-powered devices?
Security for Containers — or, Containers for Security (Container Journal, Apr 12 2018)
Can we use for containers for security? Our thesis is that transitioning application deployment to containers will increase security and decrease attack surface, compared to any non-container deployment. Indeed, containers are probably one of the best tools for application security, provided they are used properly.
How Azure Security Center helps detect attacks against your Linux machines (Microsoft Azure Blog, Apr 24 2018)
Azure Security Center (ASC) is now extending its Linux threat detection preview program, both on cloud and on-premise. New capabilities include detection of suspicious processes, suspect login attempts, and anomalous kernel module loads.
Trust: The Secret Ingredient to DevSecOps Success (Dark Reading, Apr 20 2018)
Security practitioners must build trusted relationships with developers and within cross-functional DevOps teams to get themselves embedded into continuous software delivery processes.
Oath Pays $400,000 in Bug Bounties in One Day (SecurityWeek, Apr 23 2018)
Internet media company Oath paid more than $400,000 in bounties during the H1-415 one-day HackerOne event in San Francisco, where 41 hackers from 11 countries were present.
Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege (Project Zero, Apr 18 2018)
Perhaps once again Microsoft might be able to harden the OS to make it more difficult to exploit these types of vulnerabilities.
Flexibility vs. Security – A False Choice (SecurityWeek, Apr 24 2018)
As a security professional you should remember three key things to guide you: 1. You support the business mission, 2. Productivity often trumps any and all security requirements if forgotten, 3. Security is never an absolute
Two-thirds of online banking systems in 2017 contained high-risk vulnerabilities (SC Magazine, Apr 25 2018)
75 percent of online banking systems contained cross-site scripting flaws, 69 percent lacked protection from data interception, 63 percent had insufficient authorisation, 50 percent were vulnerable to sensitive data disclosure.
How lean development improved software security at Fannie Mae (CSO Online, Apr 25 2018)
Continual improvement methodologies strengthen security, shorten dev cycles and help the c-suite see infosec’s value.
Microsegmentation evolves into a compensating control security tool (CSO Online, Apr 12 2018)
Illumio integrates Qualys data into its security platform to provide real-time vulnerability maps, enabling organizations to implement microsegmentation as a compensating control.