A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Pentagon Reveals “Do Not Buy” Software List (Infosecurity Magazine, Jul 31 2018)
Russian and Chinese firms targeted in attempt to improve cybersecurity

Google Cloud introduces shielded virtual machines for additional security (TechCrunch, Jul 25 2018)
These specialized VMs run on GCP and come with a set of partner security controls to defend against things like rootkits and bootkits, according to Google. There are a whole bunch of things that happen even before an application launches inside a VM, and each step in that process is vulnerable to attack.

Best Practices for Entering into Cloud Service Agreements (SC Magazine, Jul 31 2018)
Cloud service agreements often present customers with more questions than answers about security, data protection, IP rights and more.

Without data, your security strategy is just a guess.
The Mosaic Security Research market intelligence platform provides the data you need for OWASP’s Cyber Defense Matrix. Find out more.

Gartner Says Worldwide IaaS Public Cloud Services Market Grew 29.5 Percent in 2017 (Gartner, Aug 01 2018)
The worldwide infrastructure as a service (IaaS) market grew 29.5 percent in 2017 to total $23.5 billion, up from $18.2 billion in 2016, according to Gartner, Inc. Amazon was the No. 1 vendor in the IaaS market in 2017, followed by Microsoft, Alibaba, Google and IBM.

Experts tips on hardening security with Azure security (Microsoft Azure Blog, Jul 30 2018)
…how the work of the Microsoft Threat Intelligence Center is helping to secure Azure and the global security landscape.

Bricata delivers new network security options for the cloud (Help Net Security, Jul 27 2018)
This release permits its management console and new cloud sensors to be deployed in a cloud environment. This provides security analysts with anywhere, anytime access for administering sensors and defending against threats across on-premises and cloud environments.

Plug Your Cloud Cybersecurity Holes (Infosec Island, Jul 26 2018)
Threat detection and analytics are only as effective as the granularity the network infrastructure provides for packet access.

Security Center’s adaptive application controls are generally available (Microsoft Azure Blog, Jul 25 2018)
Adaptive application controls help you define the set of applications that are allowed to run on configured groups of virtual machines (VM). Enabling adaptive application controls for your VMs will allow you to do a few things. First, it recommends applications (EXEs, MSIs, and Scripts) for whitelisting, automatically clustering similar VMs to ease manageability and reduce exposure to unnecessary applications.

DevSecOps Sees Slow Adoption but Wider Incident Handling (Infosecurity Magazine, Jul 26 2018)
More than three-quarters of DevOps pros do not practise ‘DevSecOps’, or are still in the process of implementation

F5 Updates Access Manager, SSL Orchestrator to Boost Web App Security (eWEEK, Jul 26 2018)
F5 Networks is updating its SSL Orchestrator and Access Manager products as new research reveals that web application attacks cost organizations an average of $8 million.

Imperva acquires Prevoty to expand customers’ security capabilities (Help Net Security, Jul 27 2018)
Imperva and Prevoty will provide security solutions to protect application services residing on-premises and in the cloud. This solution aligns with how organizations are developing and deploying application services in a hybrid cloud world.

XSS Flaws Most Common Over Past Nine Years (Infosecurity Magazine, Jul 27 2018)
NCC Group says it’s still uncovering decades-old flaw in its research

More browser extensions and apps caught spying on users (Naked Security – Sophos, Jul 26 2018)
The pop-up blocking function of many apps and browser extensions appears to obscure an ulterior motive – spying on a user’s web traffic.

DMARC Fully Implemented by Half of U.S. Government Agencies (SecurityWeek, Jul 30 2018)
More than half of U.S. government agencies have fully implemented the DMARC email security standard in response to a binding operational directive from the Department of Homeland Security, according to email threat protection company Agari.

Why No HTTPS? Questions Answered, New Data, Path Forward (Troy Hunt, Jul 31 2018)
So that little project Scott Helme and I took on – WhyNoHTTPS.com – seems to have garnered quite a bit of attention. We had about 81k visitors drop by on the first day and for the most part, the feedback has been overwhelmingly positive. Most people have said it’s…

Mozilla still working on Firefox’s site isolation security revamp (Naked Security – Sophos, Aug 01 2018)
Mozilla’s Firefox browser doesn’t have site isolation security yet, but plans to enable it are in the works.