A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

10 Years of Cloud Security (Gartner Blog Network, Jun 01 2018)
“Our 2008 research highlighted 4 key findings that have remained significant considerations for the use of public cloud computing…”

Simplify Login with Application Load Balancer Built-in Authentication (AWS News Blog, May 30 2018)
AWS now has built-in authentication support in Application Load Balancers (ALB). ALB can now securely authenticate users as they access applications, letting developers eliminate the code they have to write to support authentication and offload the responsibility of authentication from the backend.

Microsoft faces wrath of developers after GitHub acquisition (Naked Security – Sophos, Jun 06 2018)
Microsoft’s come a long way in the past 10 years, since former chief Steve Ballmer called open-source a malignant cancer.

Cloud functions present new security challenges (CSO Online, Jun 04 2018)
Containers have got nothing on serverless apps, also known as cloud functions or, on Amazon, as Lambda functions. First released by Amazon and IBM in 2014 — and then by Google and Microsoft in 2016 — cloud functions are even smaller, even lighter, and even shorter lived. They’re even harder to secure.

Open AWS S3 bucket exposes info on 50,000 Honda India (SC Magazine, May 31 2018)
Kromtech Security Center recently found that an open S3 bucket exposed information on 50,000 Honda Connect App users, including names, phone numbers, gender, passwords and email addresses for the users and their contacts.
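The check a practitioner wants after a report like this is whether any of their own buckets grant access to everyone. The following is an added example for this digest, not code from SC Magazine, Kromtech or Honda: it evaluates a bucket's ACL grants and bucket policy for public access. Input shapes follow what boto3's get_bucket_acl() and get_bucket_policy() return; the bucket name, canonical user ID, VPC endpoint ID and policies are constructed for illustration.

```python
"""Flag public access on an S3 bucket from its ACL grants and bucket policy.

Added example for this digest; not code from SC Magazine, Kromtech or Honda.
Input shapes follow boto3's get_bucket_acl()["Grants"] and
get_bucket_policy()["Policy"]; bucket names, IDs and policies below are
constructed for illustration.
"""
import json

# Predefined S3 groups whose grants expose the bucket to everyone or to any
# AWS account (the latter is effectively public, since anyone can open one).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(grants):
    """Return (grantee URI, permission) pairs that hand access to a public group."""
    hits = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return Allow statements open to any principal, noting whether a Condition scopes them."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
            hits.append({
                "Sid": stmt.get("Sid"),
                "Action": stmt.get("Action"),
                # e.g. aws:SourceVpce or aws:SourceIp may narrow the grant; a human should confirm
                "Conditioned": bool(stmt.get("Condition")),
            })
    return hits


def assess_bucket(name, grants, policy=None):
    """Combine both checks: 'public' is certain exposure, 'needs_review' holds conditioned public statements."""
    acl_hits = acl_public_grants(grants)
    policy_hits = policy_public_statements(policy) if policy else []
    open_stmts = [h for h in policy_hits if not h["Conditioned"]]
    return {
        "bucket": name,
        "public": bool(acl_hits or open_stmts),
        "acl_public_grants": acl_hits,
        "policy_public_statements": open_stmts,
        "needs_review": [h for h in policy_hits if h["Conditioned"]],
    }


# Constructed sample data shaped like boto3 responses.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"},
               "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
GRANTS_PRIVATE = [OWNER_GRANT]
GRANTS_OPEN = [OWNER_GRANT, ALL_USERS_READ]

POLICY_OPEN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-exports/*"}],
})
POLICY_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-exports/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
})

if __name__ == "__main__":
    for label, grants, policy in [("acl-open", GRANTS_OPEN, None),
                                  ("policy-open", GRANTS_PRIVATE, POLICY_OPEN),
                                  ("policy-scoped", GRANTS_PRIVATE, POLICY_SCOPED),
                                  ("private", GRANTS_PRIVATE, None)]:
        print(label, assess_bucket("example-app-exports", grants, policy)["public"])
```

Against a real account, feed it `s3.get_bucket_acl(Bucket=b)["Grants"]` and `s3.get_bucket_policy(Bucket=b)["Policy"]` (the latter raises NoSuchBucketPolicy when no policy exists, so treat that as None). Two caveats: individual objects carry their own ACLs and can be public in a bucket that passes this check, and a conditioned `Principal: "*"` statement is only as safe as its condition, which is why it lands in `needs_review` rather than being ignored.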

Discover all IT assets across your global hybrid infrastructure (Help Net Security, Jun 05 2018)
Qualys announced Asset Inventory (AI), a new cloud app with capabilities that provide customers a single source of truth for IT assets spread across hybrid environments including on-premises, endpoints, clouds and mobile, with synchronization capabilities to Configuration Management Databases (CMDBs) to keep asset data up-to-date.

Tenable Extends Cloud Application Security Scanning Capabilities (eWEEK, Jun 05 2018)
Tenable is updating its cloud-delivered services capabilities, adding new connectors to support GCP and Azure, while also advancing web application discovery features.

How to rotate your Twitter API key and bearer token automatically with AWS Secrets Manager (AWS Security Blog, May 31 2018)
In addition to database credentials, AWS Secrets Manager makes it easier to rotate, manage, and retrieve API keys, OAuth tokens, and other secrets throughout their lifecycle.

Five Cloud Migration Mistakes That Will Sink a Business (Cloud Security Alliance Blog, Jun 05 2018)
“The Cloud Service Provider (CSP) will do everything.”

The Evolution of Docker Container Security: Part 1 (IT Pro, Jun 05 2018)
Docker container security owes a nod to several different schools of thought about how to group processes together and make them do work, but not easily get out of control.

Aqua Security Survey Finds Sharp Rise in DevSecOps (DevOps, Jun 06 2018)
The survey, conducted by Aqua Security, finds 62 percent of respondents have a formal or informal DevSecOps team. That’s up from last year, during which a similar survey found only 13 percent of respondents had a DevSecOps team in place.

7 tips to maintain security controls in your GCP DR environment (Google Cloud Platform Blog, Jun 04 2018)
When you integrate a cloud provider like GCP into your DR plan, you no longer have to invest up front in mostly idle backup infrastructure. Testing that DR plan no longer seems so daunting, as you can bring up your DR environment automatically and close it all down again when it’s no longer needed—and it’s always ready for the next tests. In the event of an actual disaster, the DR environment can be made ready.

Use Azure Monitor to integrate with SIEM tools (Microsoft Azure Blog, Jun 04 2018)
Azure has tried to simplify the integration process with security information and event management (SIEM) tools, for example by routing data to a single event hub and enabling multiple diagnostic settings per resource, and has work in flight that will ease setup and management of log routing across large Azure environments.

Azure Security Center can identify attacks targeting Azure App Service applications (Microsoft Azure Blog, May 31 2018)
One of Azure’s most popular services is App Service, which enables customers to build and host web applications in the programming language of their choice without managing infrastructure.

Web Application Firewalls Adjust to Secure the Cloud (Dark Reading, Jun 04 2018)
Cloud-based WAFs protect applications without the costs and complexity of on-prem hardware. Here’s what to keep in mind as you browse the growing market.

Bizarre Chrome and Firefox flaw exposed Facebook details (Naked Security – Sophos, Jun 05 2018)
Researchers have discovered a weakness in the way Chrome and Firefox interact with Cascading Style Sheets 3 (CSS3) that could have caused them to leak usernames, profile pictures and likes from sites such as Facebook.

26 Million Users Hit by Ticketfly Hack (SecurityWeek, Jun 05 2018)
Ticketfly, the ticket distribution service owned by Eventbrite, has started restoring services after its website was defaced by a hacker who also gained access to user information.

An Encryption Upgrade Could Upend Online Payments (Wired, Jun 06 2018)
While ditching TLS 1.0 encryption will benefit the payments ecosystem, it’ll be rough going for those with older devices.

Beginners Guide for John the Ripper (Part 1) (Hacking Articles, Jun 05 2018)
We know the importance of John the Ripper in penetration testing, as it is quite a popular password-cracking tool. In this article, we introduce John the Ripper and its various uses for beginners.
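To show what John's wordlist mode (`john --wordlist=words.txt --rules hashes.txt`) actually does under the hood, here is an added example for this digest, not code from the Hacking Articles tutorial or from John itself. It runs a small wordlist through mangling rules and tests each candidate against a set of salted hashes. The hash file format (`user:salt$sha256hex`), the salts, the usernames and the wordlist are all constructed, and the hashes are generated from known passwords so the demo runs offline; real John targets crypt(3) formats such as sha512crypt rather than a single SHA-256.

```python
"""Wordlist cracking with mangling rules: the workflow John the Ripper's
wordlist mode automates.

Added example for this digest; not code from the Hacking Articles tutorial
or from John itself. The 'hash file' is a constructed user:salt$sha256hex
format, not a real /etc/shadow, and its hashes are generated below from
known passwords so the demo runs offline.
"""
import hashlib

WORDLIST = ["summer", "password", "honda"]  # constructed stand-in for a wordlist file


def hash_password(salt, password):
    """Salted SHA-256; stands in for the crypt(3) formats John actually targets."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def mangle(word):
    """Yield variants of one wordlist entry, in the spirit of John's rules
    ':' (as is), 'c' (capitalise), 'u' (uppercase), 'r' (reverse) and '$X' (append X),
    plus a leetspeak substitution."""
    leet = word.translate(str.maketrans("aeo", "@30"))
    bases = [word, word.capitalize(), word.upper(), word[::-1], leet]
    seen = set()
    for base in bases:
        for candidate in [base] + [base + str(d) for d in range(10)] + [base + "!", base + "123"]:
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def parse_hash_file(lines):
    """Parse 'user:salt$digest' lines into (user, salt, digest) tuples, skipping blanks and comments."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        entries.append((user, salt, digest))
    return entries


def crack(entries, wordlist):
    """Try every mangled candidate against every uncracked hash; return {user: password}."""
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user, salt, digest in entries:
                if user not in cracked and hash_password(salt, candidate) == digest:
                    cracked[user] = candidate
            if len(cracked) == len(entries):
                return cracked
    return cracked


# Constructed hash file: three guessable passwords and one that no rule here reaches.
SAMPLE_HASH_LINES = [
    "# user:salt$sha256(salt + password)",
    "alice:7f3a$" + hash_password("7f3a", "Summer7"),
    "bob:c91e$" + hash_password("c91e", "password123"),
    "carol:2b8d$" + hash_password("2b8d", "h0nd@"),
    "dave:e4f0$" + hash_password("e4f0", "Tr0ub4dor&3"),
]


def run_demo():
    """Crack the constructed sample file with the constructed wordlist."""
    return crack(parse_hash_file(SAMPLE_HASH_LINES), WORDLIST)


if __name__ == "__main__":
    for user, password in run_demo().items():
        print(f"{user}: {password}")
```

Two points the demo makes that the tutorial's command lines do not: per-user salts force every candidate to be hashed once per hash rather than once per file, which is why salting slows a cracker even when the password is weak, and a single digest round is far cheaper than the thousands of iterations in sha512crypt or bcrypt, so the same wordlist and rules run orders of magnitude slower against properly stored hashes.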