A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

All these vulnerabilities, rarely matter. (Jeremiah Grossman, May 07 2018)
There is a serious misalignment of interests between Application Security vulnerability assessment vendors and their customers. Vendors are incentivized to report everything they possible can, even issues that rarely matter. On the other hand, customers just want the vulnerability reports that are likely to get them hacked. Every finding beyond that is a waste of time, money, and energy, which is precisely what’s happening every day.

Cloud computing security chaos continued at RSA Conference 2018 (CSO Online, May 02 2018)
Cloud security has growing needs and lots of challenges. Here are some thoughts on solutions and strategies.

Exploring container security: Using Cloud Security Command Center (and five partner tools) to detect and manage an attack (Google Cloud Platform Blog, May 03 2018)
This is the sixth in a series of blog posts on container security at Google. If you suspect that a container has been compromised, what do you do? In today’s blog post on container security, we’re focusing in on container runtime security—how to detect, respond to, and mitigate suspected threats for containers running in production.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Gartner Forecasts India Public Cloud Revenue to Grow 37.5 Percent in 2018 (Gartner, May 09 2018)
The India public cloud services revenue is projected to grow 37.5 percent in 2018 to total US$2.5 billion, up from US$1.8 billion in 2017, according to Gartner, Inc.

How to use Amazon AppStream 2.0 to reduce your bastion host attack surface (AWS Security Blog, May 02 2018)
Demo of the use of Amazon AppStream 2.0 as a hardened and auto-scaled bastion host solution, and show how it could reduce the attack surface by stripping away the underlying OS and exposing only the necessary tools to system administrators that need access to protected network segments.

How to encrypt and sign DynamoDB data in your application (AWS Security Blog, May 03 2018)
If you store sensitive or confidential data in Amazon DynamoDB, you might want to encrypt that data as close as possible to its origin so your data is protected throughout its lifecycle.

Google Moves to Better Isolate Containers (Container Journal, May 04 2018)
Google this week at the KubeCon + CloudNativeCon Europe 2018 conference launched a series of container initiatives designed to better secure and isolate containers.

How a Strong Identity Management System Can Ease Your Transition to the Hybrid Cloud (Auth0 Blog, Apr 27 2018)
With hybrid cloud deployment becoming popular, keeping tight control on authentication and authorization has become essential.

A smooth transition to the cloud is possible with identity governance (Help Net Security, May 04 2018)
With identity governance, organizations can establish controls from users and their applications, but also discover, classify and manage access to sensitive data.

Google Security Updates Target DevOps, Containers (Dark Reading, May 07 2018)
The tech giant explains why it’s rolling out a new cloud security management tool and an open-source framework for confidential computing.

How to adopt the mindset of continuous security for security operations (Help Net Security, May 09 2018)
Co-founder and CTO at Capsule8. In this Hel Nnet security podcast, he talks about continuous security, what it is, and how you should bring more of this mindset to your security operations.

Google Launches “Asylo” Framework for Confidential Computing (SecurityWeek, May 04 2018)
Google this week announced the release of an open-source framework and software development kit (SDK) that allows developers to build applications targeting trusted execution environments.

Google rolls out .app domains with built-in HTTPS (WeLiveSecurity, May 04 2018)
Google has rolled out .app, a new top-level domain (TLD); it is the first TLD to require HTTPS (encrypted) traffic (unencrypted (HTTP) traffic is disallowed).

Build security into software up front: Believe it or not, it’s cheaper and faster (Help Net Security, May 08 2018)
And to the frequently stated worry that ongoing security testing creates intolerable delays in time to market, Forrester found the opposite: that it cuts time to market by 25%.

Half of all companies do not have adequate application security visibility (Help Net Security, May 09 2018)
The Ponemon Institute surveyed nearly 1,400 IT and IT security practitioners in the United States, European Union and Asia-Pacific to understand the risk unprotected applications pose to businesses when running in unsecured environments and how they are addressing this risk.

Uber car software detected woman before fatal crash but failed to stop (Naked Security – Sophos, May 09 2018)
Uber has reportedly discovered that the fatal crash was likely caused by a software bug in its self-driving car technology.

Half of Global Fortune 100 continue to download flawed Apache Struts used to breach Equifax (SC Magazine, May 08 2018)
Equifax twice missed finding Apache Struts vulnerability that exposed data on 147.9 million U.S. consumers and cost the company its top management as well as an estimated $242 million to date.

Cryptomining with JavaScript in an Excel spreadsheet (Graham Cluley, May 09 2018)
It didn’t take long at all for a security researcher to demonstrate how easy it was to turn an Excel spreadsheet into a cryptomining machine.