A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Underground vendors reliably obtain code signing certs (Help Net Security, Jun 26 2018)
More and more malware authors are switching to buying new, valid code signing certificates issued by Certificate Authorities instead of using stolen (compromised) ones, researchers have found.

Does DevSecOps eliminate the segregation of duties between security and DevOps? (CSO Online, Jun 26 2018)
Yes, some cloud-native application development tools include basic security features. No, that does not mean DevOps should “own” security.

Window Snyder Joins Intel as Chief Software Security Officer (SecurityWeek, Jun 26 2018)
Snyder has worked in the cybersecurity industry for two decades, including as senior security strategist at Microsoft, co-founder of Matasano, security chief at Mozilla, and security and privacy product manager at Apple. Prior to joining Intel, she was Fastly’s chief security officer for three years.


How AWS uses automated reasoning to help you achieve security at scale (AWS Security Blog, Jun 20 2018)
Zelkova translates policies into precise mathematical language and then uses automated reasoning tools to check properties of the policies. These tools include automated reasoners called Satisfiability Modulo Theories (SMT) solvers, which use a mix of numbers, strings, regular expressions, dates, and IP addresses to prove and disprove logical formulas.

AppSec in the World of ‘Serverless’ (Dark Reading, Jun 21 2018)
The term ‘application security’ still applies to ‘serverless’ technology, but the line where application settings start and infrastructure ends is blurring.

What You Should Know Before Deploying SQL Server in a Public Cloud (eWEEK, Jun 20 2018)
Among the concerns is the increased risk and complexity associated with running SQL Server in any public cloud, where high-availability (HA) clustering configurations can be challenging to implement—and can increase the overall cost of the solution.

Microsoft Combats Bad Passwords With New Azure Tools (SecurityWeek, Jun 21 2018)
Microsoft this week announced the public preview of new Azure tools designed to help its customers eliminate easily guessable passwords from their environments.

Latticework introduced Amber, a personal hybrid cloud storage platform (Help Net Security, Jun 24 2018)
Amber is a multimedia storage and streaming device that gives users control over their digital assets, offering the convenience of the cloud in the privacy of their own homes.

Securing Serverless Apps: 3 Critical Tasks in 3 Days (Dark Reading, Jun 26 2018)
Serverless workloads in the cloud can be as secure as traditional applications with the right processes and tools. The key: start small, scale as your application scales, and involve everyone.

New guide helps explain cloud security with AWS for public sector customers in India (AWS Security Blog, Jun 20 2018)
Part of a series diving into customer compliance issues across industries and jurisdictions, such as financial services guides for Singapore, Australia, and Hong Kong.

Protect your Compute Engine resources with keys managed in Cloud Key Management Service (Google Cloud Platform Blog, Jun 22 2018)
“In Google Cloud Platform, customer data stored at rest is always encrypted by default using multiple layers of encryption technology. We also offer a continuum of encryption key management options to help meet the security requirements of your organization.”

Splunk Pushes Into the Realm of DevOps (DevOps, Jun 25 2018)
Most IT operations teams suffer from alert fatigue, Fitz noted, and most alerts are ignored because of a lack of context. The combination of Splunk and VictorOps will result in alerts that more precisely identify the root cause of any IT issue…

XebiaLabs provides DevOps framework for the cloud (Help Net Security, Jun 25 2018)
The framework connects enterprise DevOps practices with common cloud management functionality and provides an essential foundation as enterprises accelerate their transformations to cloud-based applications.

What the DevSecOps 2018 Survey Results Really Mean for Developers and Security (DZone, Jun 25 2018)
Let’s unpack the 2018 DevSecOps Community Report data and what it means for developers and the future of DevOps.

Achieving Powerful Security for DevOps With Seamless Automation (DZone, Jun 21 2018)
Today there are some fantastic tools available for enabling DevOps processes such as Chef, Puppet, and Ansible. However, for many DevOps teams, security remains a largely manual process.

Major trends in app development, agile/DevOps maturity, and low-code adoption (Help Net Security, Jun 21 2018)
Another key research finding was that low-code is no longer just for innovators and early adopters. For example, 34 percent of respondents said their organization was already using a low-code platform. And, a further 9 percent said they were about to start using one.

Microsoft Edge bug could be exploited to spill your emails to malicious sites (WeLiveSecurity, Jun 22 2018)
Since a patch for the flaw has already been released, users are well advised to make sure that they’re running the browser’s most recent version.

Secure Code: You Are the Solution to Open Source’s Biggest Problem (Dark Reading, Jun 25 2018)
Seventy-eight percent of open source codebases examined in a recent study contain at least one unpatched vulnerability, with an average of 64 known vulnerabilities per codebase.

EFF Secures Email Delivery With STARTTLS Everywhere (SecurityWeek, Jun 26 2018)
The Electronic Frontier Foundation (EFF) this week announced STARTTLS Everywhere, a new project aimed at improving the security of email delivery.