A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

How to Monitor/Respond Amazon S3 Buckets with Public Access (AWS Security Blog, May 01 2018)
How to use AWS Config to monitor your Amazon Simple Storage Service (S3) bucket ACLs and policies for violations that allow public read or public write access.

Moving Fast and Securing Things (Slack, May 02 2018)
The SDL at Slack and goSDL. The tool (available at https://github.com/slackhq/goSDL) is a web application that guides anyone involved with a new feature, such as developers or PMs, through questions and checklists to improve the security posture of whatever they are working on.

Exploring container security: Running a tight ship with Kubernetes Engine 1.10 (Google Cloud Platform Blog, Apr 26 2018)
Here are the latest best practices for hardening your Kubernetes Engine cluster, with updates for new features in Kubernetes Engine versions 1.9 and 1.10.




RSAC 2018: Building a Cloud-Native Security Program (The Duo Blog, Apr 26 2018)
As part of the Application Security, Cloud Security & Virtualization and Security Strategy tracks at RSAC 2018, DisruptOPS CEO Rich Mogull and Informatica CTO Bill Burns detailed how to build a complete cloud security program in Building and Adopting a Cloud-Native Security Program.

Evaluating Cloud Management Platforms and Tools – The Gartner Toolkit (Gartner Blog Network, May 01 2018)
Gartner clients can use this research to assess cloud management vendor solutions and determine which areas of management they cover.

DevOps Security at Scale (Part 3): Focus on Flow and Velocity (DZone, Apr 27 2018)
A high-velocity DevOps team should never have to throw any security practices overboard to ship features faster. By using tools like Kanban, having a Security Policy as Code approach, and reducing the batch size of changes, amongst other tactics, you can deliver safer software faster.

Secure Builds with AWS CodeBuild and LayeredInsight (AWS DevOps Blog, Apr 26 2018)
One approach to embedding governance and runtime security in build pipelines running on AWS CodeBuild, using Layered Insight.

Enhanced Domain Protections for Amazon CloudFront Requests (AWS Security Blog, Apr 27 2018)
Over the coming weeks, Amazon will add enhanced domain protections to Amazon CloudFront. The short version is this: the new measures are designed to ensure that requests handled by CloudFront are handled on behalf of legitimate domain owners.

How to Eliminate the Need for Hardcoded AWS Credentials in Devices by Using the AWS IoT Credentials Provider (AWS Security Blog, Apr 30 2018)
AWS IoT has introduced the credentials provider feature that allows a caller to authenticate AWS requests by having an X.509 certificate. The credentials provider authenticates a caller using an X.509 certificate, and vends a temporary, limited-privilege security token. The token can be used to sign and authenticate any AWS request.

How to centralize DNS management in a multi-account environment (AWS Security Blog, Apr 26 2018)
The most common solution is to implement local DNS in each account and use conditional forwarders for DNS resolution outside of that account. While this solution might be efficient for a single-account environment, it becomes complex in a multi-account environment.

Reducing Risk in Applications Using Docker Containers (DevOps, May 02 2018)
José Manuel Ortega (jmortega.github.io) is a software engineer and security researcher in Spain. He gave an overview of typical Docker deployments, explained the attack surface and threats, presented how to detect vulnerabilities, and outlined a couple of best practices. In short, his advice will help you learn how to better secure your Docker containers.

Secure credential management for ETL workloads using Azure Key Vault and Data Factory (Microsoft Azure Blog, Apr 30 2018)
Secure credential management is essential to protect data in the cloud. With Azure Key Vault, you can encrypt keys and small secrets such as passwords. Azure Data Factory is now integrated with Azure Key Vault.

An inconvenient truth – DevSecOps operate in silos, separated from security (SC Magazine, Apr 27 2018)
Some 35 percent of developers receive no formalised training on secure coding practices and many organisations bolt security on to the end of the development lifecycle from a team in another silo.

Are You Protecting Your DevOps Software ‘Factory’? (Dark Reading, May 01 2018)
New study highlights insecurities in DevOps toolchain implementations.

Google adds SSO verification check to G Suite (Naked Security – Sophos, Apr 30 2018)
The best answer Google can come up with to the problem will arrive from 7 May when G Suite users logging in using Chrome via SAML single sign-on (SSO) providers will start seeing a new prompt the first time they log in.

RSAC 2018: Building a Software Security Maturity Program (The Duo Blog, Apr 25 2018)
In Realizing Software Security Maturity: The Growing Pains and Gains presented at RSAC 2018, Senior Application Security Engineer Kelby Ludwig and Director of Application Security Mark Stanislav explain how they did it at Duo.

Only half of CI/CD workflows include appsec testing elements (Help Net Security, Apr 27 2018)
While organizations cited a lack of automation and consistency, reduced speed, and the noise of false positives as the primary challenges of DevSecOps, the survey also showed that the use of automated tools integrated early in the software development life cycle can have a positive impact on both the speed and the overall quality and security of software.

Mozilla Adding New CSRF Protection to Firefox (SecurityWeek, Apr 27 2018)
Mozilla announced this week that the upcoming Firefox 60 will introduce support for the same-site cookie attribute in an effort to protect users against cross-site request forgery (CSRF) attacks.

Uber Updates Bug Bounty Program (SecurityWeek, Apr 30 2018)
Uber last week updated the legal terms of its bug bounty program and provided guidance for good faith vulnerability research. The changes come just months after the ride-sharing giant admitted paying a couple of individuals as part of an effort to cover up a massive security incident.

Speed at Which New Drupal Flaw Was Exploited Highlights Patching Challenges (Dark Reading, Apr 30 2018)
In the rush to patch, organizations can create fresh problems for themselves.