A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Chrome drops ‘secure’ label for HTTPS websites (Naked Security – Sophos, May 21 2018)
When it comes to browser security, how important are the address bar icons and labels that tell users about a site’s security status? For Google at least, they matter a lot.

5 ways small to midsize businesses can stay safe in the cloud (CSO Online, May 16 2018)
By taking the right security precautions, small to midsize businesses (SMBs) can benefit greatly from cloud computing.

The AWS Bucket List for Security (Infosec Island, May 23 2018)
Professor Avishai Wool, CTO and co-founder at AlgoSec, looks at how organizations can ensure network security is extended to AWS environments.

Best Practices in Securing DevOps (SecurityWeek, May 22 2018)
The growing demand for faster software delivery, using public cloud environments, microservices, and containers, has triggered a discussion on the role of security in the world of DevOps.

Google Cloud named a leader in latest Forrester Research Public Cloud Platform Native Security Wave (Google Cloud Platform Blog, May 23 2018)
The report evaluates the native security capabilities and features of public cloud providers, such as encryption, identity and access management (IAM) and workload security.

Five Words that Get In The Way of DevSecOps (SC Magazine, May 22 2018)
All the tools and processes in the world, however, don’t matter if we aren’t all speaking the same language. We must shift some of the terminology traditionally used in security and compliance to become the language of “yes, and” rather than “no”.

3.2 million LA County 211 records exposed on misconfigured AWS S3 bucket (SC Magazine, May 22 2018)
The Los Angeles County 211 service left about 3.2 million call records on an exposed AWS server that included a wide variety of personally identifiable information on callers along with the sometimes very personal reason they called looking for help.

Refining Access to Branches in AWS CodeCommit (AWS DevOps Blog, May 16 2018)
AWS CodeCommit users have been asking for a way to restrict commits to some repository branches to just a few people. In this blog post, we’re going to show you how to do that by creating and applying a conditional policy, an AWS Identity and Access Management (IAM) policy that contains a context key.

AWS IoT 1-Click – Use Simple Devices to Trigger Lambda Functions (AWS News Blog, May 16 2018)
Designed to make IoT available and accessible to a broad audience, AWS IoT 1-Click is now generally available, along with new IoT buttons from AWS and AT&T.

Detect malicious activity using Azure Security Center and Azure Log Analytics (Microsoft Azure Blog, May 17 2018)
One method is to look at the trends of processes, accounts, and computers to understand when anomalous or rare processes and accounts are run on computers, which indicates potentially malicious or unwanted activity. Run this query against your data and note that what comes up is anomalous or rare over the last 30 days.

Achieving Effective Application Security in a Cloud Generation (Infosec Island, May 16 2018)
Cloud application security requires new approaches, policies, configurations, and strategies that allow organizations to address both business needs and security risks in unison.

Yin and Yang of the Zero Trust Model (The Akamai Blog, May 17 2018)
If we consider access to our own application and data resources as something to explicitly permit, it might be well represented by Yang; we make an active choice to allow access. Conversely, access to Internet resources (again, not cloud resources that we have some control over) could be represented by Yin; we take a more inhibitive approach and block access to undesirable resources.

Some Firefox Screenshots End Up Publicly Accessible (SecurityWeek, May 16 2018)
Mozilla’s Firefox browser allows users to take screenshots of entire pages or sections of pages and save them to the cloud, and these could end up accessible to everyone, an ethical hacker has discovered.

Researcher Earns $36,000 for Google App Engine Flaws (SecurityWeek, May 21 2018)
An 18-year-old researcher has earned more than $36,000 from Google after finding a critical remote code execution vulnerability related to the Google App Engine.

Behind the Scenes in the Deceptive App Wars (SecurityWeek, May 21 2018)
On 10 May 2018, the CSA published a remarkably negative report on AppEsteem’s ‘deceptor’ program titled, CSA Review of AppEsteem Programs. It was, said the CSA, “triggered by a groundswell of complaints and expressions of concern received by the CSA from industry members regarding this program.”

Chinese Researchers Find Vulnerabilities in BMW Cars (SecurityWeek, May 22 2018)
Researchers from Keen Security Lab, a cybersecurity research unit of Chinese company Tencent, have conducted an in-depth analysis of various systems present in BMW cars and discovered more than a dozen locally and remotely exploitable vulnerabilities.

The percentage of open source code in proprietary apps is rising (Help Net Security, May 22 2018)
The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown.

AWS GDPR Data Processing Addendum – Now Part of Service Terms (AWS Security Blog, May 22 2018)
All AWS customers globally can rely on the terms of the AWS GDPR DPA which will apply automatically from May 25, 2018, whenever they use AWS services to process personal data under the GDPR.

DevOps Security at Scale (Part 6): Technology Adoption (DZone, May 19 2018)
This is the sixth and final blog post in a series discussing how high-performing DevOps teams build secure systems at scale.

Pen testers break down bank security flaws (SC Magazine, May 23 2018)
While banks have built effective barriers for external attacks, researchers warn they have not done nearly as much work to fight threats on their internal networks.