A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Facebook Open Sources TLS 1.3 Library (SecurityWeek, Aug 07 2018)
Already deployed globally on Facebook’s mobile apps, load balancers, and internal services, the library handles millions of TLS 1.3 handshakes every second across the social media giant’s infrastructure. At the moment, over 50% of Facebook’s Internet traffic is secured with TLS 1.3, while its mobile apps also leverage TLS 1.3’s zero round-trip resumption (0-RTT) data.

How a Hacker Used Python to Extract the Source Code for ‘Super Mario Bros.’ (Motherboard, Aug 02 2018)
Hacker Matthew Earl used Python to extract raw visual data from Nintendo’s code.

Snapchat Source Code Leaked (SecurityWeek, Aug 08 2018)
Hackers obtained some source code for the popular messaging application Snapchat and made it public on GitHub, claiming that they were ignored by the app’s developer.

Virtual Trusted Platform Module for Shielded VMs: security in plaintext (Google Cloud Blog, Aug 06 2018)
“As part of the launch, we used Shielded VM to create several of our curated Google Compute Engine instances and attached a virtual Trusted Platform Module 2.0 (TPM) device to them. “Okay…,” we hear you asking, “what’s a TPM device and why should I care?””

Qualys integrates real-time network analysis in its Cloud Platform (Help Net Security, Aug 06 2018)
Qualys has introduced Passive Network Sensor (PNS), a new member of the Qualys sensor family that natively integrates network analysis functions into the Qualys Cloud Platform.

Amazon sponsors r00tz at DEF CON 2018 (AWS Security Blog, Aug 06 2018)
r00tz is a conference dedicated to teaching kids ages 8-18 how to become white-hat hackers.

Can You Implement DevOps in Large Organizations? (DevOps, Aug 01 2018)
Trying to modernize workflows through DevOps can be a challenge for any company, but bigger companies face different challenges, risks and benefits.

Enhance your DevSecOps practices with Azure Security Center’s newest playbooks (Microsoft Azure Blog, Aug 06 2018)
Azure administrators may use these playbooks to deploy fully operational web and Compute workloads, security management tools such as Azure Security Center & Web App Firewalls (WAFs), and SQL threat protection.

Bugcrowd launches Disclose.io to provide a safe harbor for white hat hackers (Help Net Security, Aug 06 2018)
Bugcrowd and Amit Elazari, a University of California, Berkeley doctoral candidate and CLTC grantee, announce the launch of Disclose.io — a project to standardize practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs (VDPs).

GitHub to Warn Users on Compromised Passwords (SecurityWeek, Aug 06 2018)
In a move to protect its users, software repository site GitHub is now alerting account holders whenever it detects that a password has been compromised in breaches on other services.

IBM Security now opens network of four secure testing facilities globally (Help Net Security, Aug 08 2018)
IBM Security announced X-Force Red Labs, a network of four secure facilities dedicated to testing the security of devices and systems including consumer and industrial IoT technologies, automotive equipment, and Automated Teller Machines (ATMs).

Securing continuous deployment for applications in the cloud (CSO Online Cloud Security, Aug 01 2018)
Container orchestration tools lack the necessary security controls, but attribute-based access control (ABAC) can help.

Security Researchers Express Concerns Over Mozilla’s New DNS Resolution For Firefox (Slashdot, Aug 05 2018)
When Mozilla turns this on by default, the DNS changes you configured in your network won’t have any effect anymore. At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone’s DNS requests.

Salesforce Customer Data Possibly Exposed in API Glitch (Dark Reading, Aug 06 2018)
The issue was discovered and fixed on July 18.

IOActive to Detail Stock Trading App Vulnerabilities at Black Hat (eWEEK, Aug 07 2018)
IOActive looked at both desktop and mobile stock trading applications and found security to be lacking.