A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Malicious Docker Containers Earn Cryptomining Criminals $90K (Threatpost, Jun 14 2018)
Researchers said over a dozen malicious docker images available on Docker Hub allowed hackers to earn $90,000 in cryptojacking profits.

DevSecOps: Secrets in the Cloud (DZone, Jun 17 2018)
Akash Mahajan shared his personal journey with system hardening in his talk, The Secrets in Our Clouds. Perhaps his experiences could help you implement or improve system hardening for your own system.

Researchers claim Chrome bug bounty paid to the wrong people (Naked Security – Sophos, Jun 19 2018)
Yubico has been drawn into a rare public spat over how the discovery of a security flaw affecting its products was credited.


Docker Inc. CEO Lays Out Strategy (Container Journal, Jun 15 2018)
Singh noted much of Docker Inc.’s growth has been driven via its Modernize Traditional Applications (MTA) initiative launched last year, which focuses squarely on global 10,000 companies looking to move legacy applications into the cloud by encapsulating them in Docker containers rather than refactoring them to run on a different type of virtual machine.

Containers: Building in the ‘Sec’ in DevOps (Container Journal, Jun 14 2018)
This concept of embedding security early in the development cycle is commonly referred to as “shifting security to the left.” Container security introduces new types of threats and security teams typically encounter…

Amazon Cognito Protection for Unusual Sign-in Activity and Compromised Credentials Is Now Generally Available (AWS, Jun 20 2018)
Amazon Cognito’s new advanced security features for risk-based adaptive authentication and compromised credentials protection are now generally available to secure user accounts across your web and mobile apps.

5 Tips for Integrating Security Best Practices into Your Cloud Strategy (Dark Reading, Jun 19 2018)
Do ‘cloud-first’ strategies create a security-second mindset?

Exposed Container Orchestration Systems Putting Many Orgs at Risk (Dark Reading, Jun 18 2018)
Lacework recently used the Shodan search engine, SSL data mining techniques, and some internally developed tools to uncover as many as 22,672 open container orchestration dashboards and API management systems on the Internet.

Podcast: How AWS KMS could help customers meet encryption and deletion requirements, including GDPR (AWS Security Blog, Jun 13 2018)
To make encryption easier to use, we created AWS Key Management Service (KMS) to let you scale your use of the cloud without struggling to ensure encryption is used consistently across workloads.

Trend Micro Moves to Secure Container Images (Container Journal, Jun 19 2018)
As the number of organizations that are embracing containers continues to increase, so does the number of incumbent cybersecurity vendors extending the reach of their platforms. Trend Micro, as part of that trend, has begun offering a Deep Security Smart Check module to continuously scan container images, which complements an existing Deep Security module for securing container runtimes.

Qualys Dives into Container Security (Container Journal, Jun 15 2018)
Qualys at the DockerCon 2018 conference this week unfurled Qualys Container Security (CS), a cloud-based application that promises to make it easier to embed container security controls into DevOps processes.

Introducing the redesigned Security Center Overview dashboard (Microsoft Azure Blog, Jun 19 2018)
New: Subscription Coverage: This metric presents the Security Center status of all subscriptions the user has, and Policy Compliance: This metric conveys the organization’s adherence to the security policies assigned to its resources.

Why This Paper? or Mysteries of Testing Security! (Gartner Blog Network, Jun 13 2018)
The testing paper, as we called it during development, is different. While some may consider it “a WHAT paper” (as opposed to “HOW papers” such as our SIEM, VM or MSSP guidance documents), it does seek to popularize the concept and practice of testing security in production.

NCC Group: Majority of Our Reported Flaws Have Not Been Fixed (Infosecurity Magazine, Jun 15 2018)
Firm claims vendors lack established remediation and disclosure processes

Firefox fixes critical buffer overflow (Naked Security – Sophos, Jun 18 2018)
Version 60.0.2 of the resurgent Firefox browser fixes a critical security flaw in its SVG rendering code.

Nearly Half of All Web Apps Vulnerable to Unauthorized Access (Infosecurity Magazine, Jun 19 2018)
The majority of detected vulnerabilities (65%) were a result of errors in application development – such as coding errors – with incorrect configuration of web servers accounting for a third of them.

Sysdig Extends Container Security Reach (Container Journal, Jun 14 2018)
Sysdig Secure 2.0 can now see inside container images to identify vulnerable packages, libraries and configurations before an image gets deployed in a production environment. Sysdig Secure 2.0 also can be used to manage, track and update vulnerability alerts impacting containers that already have been deployed in a production environment, and employed to take actions such as killing or quarantining a container if vulnerabilities or exposed credentials are found.