A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Google introduces Endpoint Verification (Google Cloud Platform Blog, Jul 03 2018)
“Having that inventory of what computers employees are using provides valuable information which the enterprise can use to maintain security. Available to all Google Cloud Platform (GCP), Cloud Identity, G Suite Business, and G Suite Enterprise customers, Endpoint Verification consists of a Chrome extension and native app and is available for ChromeOS, macOS, and Windows devices.”

How to access secrets across AWS accounts by attaching resource-based policies (AWS Security Blog, Jun 27 2018)
You can use AWS Secrets Manager to rotate, manage, and retrieve secrets such as database credentials and API keys throughout their lifecycle. And you can now use these secrets across AWS accounts by attaching resource-based policies to secrets.

Linux distro hacked on GitHub, “all code considered compromised” (Naked Security – Sophos, Jun 29 2018)
Gentoo, a popular distribution of Linux, has had its GitHub repository hacked. Hacked, as in “totally pwned”, taken over, and modified; so far, no one seems to be sure quite how or why.




The benefits of mature cloud security strategies (Help Net Security, Jul 02 2018)
According to the report, 48% of respondents were categorized as discoverers, 31% as controllers, and 21% as enablers.

Preparing for Transport Layer Security 1.3 (Dark Reading, Jul 02 2018)
The long-awaited encryption standard update is almost here. Get ready while you can to ensure security, interoperability, and performance.

IP filtering for Event Hubs and Service Bus (Microsoft Azure Blog, Jul 03 2018)
The IP Filtering feature is now enabled for Azure Service Bus and Azure Event Hubs. This feature allows customers to control which IPs are accessing their resources.

Terrible passwords outlawed in Microsoft’s new Azure tool (Naked Security, Jun 28 2018)
Azure AD Password Protection prevents users from setting a password from the company’s list of 500 most common and easily-guessed examples.

Secure Cloud Infrastructure with Dynamic Authorization (Axiomatics, Jun 28 2018)
The built-in IAM features that are provided in cloud offerings simply don’t offer the security and control required to leverage data in the cloud while keeping critical data secure. The built-in mechanisms suffer from the same drawbacks that existing on-premises role-based access control (RBAC) systems have.

How to improve software vulnerability disclosure in Europe (Help Net Security, Jun 29 2018)
As software gets embedded in more and more things we use every day, the problem of software vulnerability reporting and patching rises in importance. Unfortunately, only a few European countries have put vulnerability disclosure processes in place.

Shift to microservices and continuous software delivery puts pressure on DevOps observability (Help Net Security, Jul 02 2018)
71 percent of engineers push code into production at least weekly, and nearly one-third do so at least once per day.

Mozilla Announces Root Store Policy Update (SecurityWeek, Jul 03 2018)
Version 2.6 of the Root Store Policy requires CAs to clearly disclose email address validation methods in their certificate policy (CP) and certification practice statement (CPS). The CP/CPS must also clearly specify IP address validation methods, which have now been banned in specific circumstances.

Google Slammed for Cutting off Cloud Platform Customer Without Warning (eWEEK, Jul 03 2018)
Google issued an apology for turning off a cloud customer’s critical production app without warning over suspicious account activity.

Facebook patches bug that allowed blocked friends to see content (SC Magazine, Jul 03 2018)
Facebook’s privacy woes continue, with the company having to reach out to 800,000 customers for whom people they had blocked became unblocked.

Cloud Migration Strategies and Their Impact on Security and Governance (Cloud Security Alliance, Jun 29 2018)
There are profound differences in the issues that each of these categories faces, and the hard decisions that have to be made. Most of these decisions are about governance and risk management.

How cloud storage solutions are evolving to fight hackers (CSO Online, Jul 03 2018)
Decentralized cloud services are disrupting the industry, increasing security and more. Here’s how these companies are looking to the future and designing a new breed of storage solutions: decentralized, blockchain-backed cloud platforms.

GitLab Moves to Automate DevOps (DevOps.com, Jun 28 2018)
GitLab is looking to eliminate the pain of setting up and maintaining DevOps processes by making available an option that automates DevOps processes end to end using a prescriptive approach defined by GitLab.

Cloud Daddy launches Secure Backup, AWS-native data protection solution (Help Net Security, Jun 29 2018)
Cloud Daddy’s Secure Backup is the solution that joins backup and disaster recovery, security, and infrastructure management into one offering for AWS users.