A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Voting Machines with Remote-Access software on States’ Systems (Motherboard, Jul 18 2018)
Remote-access software and modems on election equipment ‘is the worst decision for security short of leaving ballot boxes on a Moscow street corner.’

How Google’s Safe Browsing Helped Build a More Secure Web (Wired, Jul 17 2018)
You may not have heard of Safe Browsing, but it’s made the web more secure for over a decade. Here’s its story, from the people who built it.

HackerOne Bug Bounty Programs Paid Out $11 Million in 2017 (SecurityWeek, Jul 12 2018)
HackerOne hosts roughly 1,000 programs that over the past years have received over 72,000 vulnerability reports from researchers in more than 100 countries. The bounties paid out since the launch of the company until June 2018 reached over $31 million.

StackRox upgrades its Container Security Platform (Help Net Security, Jul 13 2018)
It is the integrated solution for container security that incorporates a feedback loop between the different phases of the container life cycle. This functionality uses threat information detected at runtime to inform risk scoring and policy enforcement as containers are built and deployed, resulting in actionable insights with greater context.

CyberArk Privileged Access Security Solution is available on AWS Marketplace (Help Net Security, Jul 13 2018)
CyberArk’s use of Amazon Machine Images (AMI) and AWS CloudFormation simplifies the discovery and prioritization of privileged account risk in the cloud. Additional integrations with AWS, including automating the onboarding of credentials through integrations with Amazon CloudWatch and AWS Lambda, enable security teams to dramatically reduce the risk of unsecured credentials.

McAfee ePolicy Orchestrator now available on AWS (Help Net Security, Jul 17 2018)
This AWS deployment option provides organizations time to focus on security concerns by eliminating the hardware, networking and database maintenance tasks associated with private, server-based solutions.

Cloud Security: Lessons Learned from Intrusion Prevention Systems (Dark Reading, Jul 17 2018)
The advancement of AI-driven public cloud technology is changing the game of “protection by default” in the enterprise.

Alert Logic extends network IDS capability for containers (Help Net Security, Jul 18 2018)
The Alert Logic network IDS capability supports containers deployed on AWS including Docker, Amazon Elastic Container Service, Kubernetes, CoreOS, and AWS Elastic Beanstalk.

CrowdStrike’s Falcon Discover enhances security for workloads on AWS (Help Net Security, Jul 18 2018)
Falcon Discover provides security, operations and development teams with visibility and control over Amazon Elastic Compute Cloud (Amazon EC2) instances, improving security posture.

How to connect to AWS Secrets Manager service within a Virtual Private Cloud (AWS Security Blog, Jul 12 2018)
You can now use AWS Secrets Manager with Amazon Virtual Private Cloud (Amazon VPC) endpoints powered by AWS PrivateLink and keep traffic between your VPC and Secrets Manager within the AWS network.

Introducing commercial Kubernetes applications in GCP Marketplace (Google Cloud Platform Blog, Jul 18 2018)
“Today, we are excited to be the first major cloud provider to offer production-ready commercial Kubernetes apps right from our marketplace, bringing you simplified deployment, billing, and third-party licensing.”

Azure Security Center is now integrated into the subscription experience (Microsoft Azure Blog, Jul 16 2018)
Azure Security Center is now available in public preview in the subscription experience.

George Gerchow, CSO at Sumo Logic: Our DevSecOps strategy (Help Net Security, Jul 16 2018)
The first piece that we focus on is code analysis, and so we work quite closely with our developers upfront as they release code in small chunks… The second piece is around change management. So, having a very progressive, agile change management process is key. … The third step is around compliance monitoring – why you’re making these changes… The fourth one is to start doing threat investigation the minute that code hits a production environment.

CloudBees DevOptics provides insights into DevOps performance (Help Net Security, Jul 13 2018)
The four key metrics called out in the 2017 State of DevOps Report are: Deployment Frequency, Mean Lead Time, Mean Time to Recover and Change Failure Rate.

GitHub adds Python support for security alerts (Help Net Security, Jul 17 2018)
GitHub has announced that its recently introduced feature for alerting developers about known vulnerabilities in software packages that their projects depend on will now also work for Python packages.

Russia Publishes Only 10% of CVEs (Infosecurity Magazine, Jul 17 2018)
Report finds Russia’s vulnerability database, while highly focused, is incomplete and slow.

The evolutionary waves of the penetration-testing / vulnerability assessment market (Jeremiah Grossman, Jul 17 2018)
4th Wave: “You want us to allow anyone in the world to test our security, tell us about our vulnerabilities, and then reward them with money? You’re out of your mind!”

Chrome users get Site Isolation by default to ward off Spectre attacks (Help Net Security, Jul 13 2018)
Site Isolation, the optional security feature added to Chrome 63 late last year to serve as protection against Spectre information disclosure attacks, has been enabled by default for all desktop Chrome users who upgraded to Chrome 67.