A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Is it Time to Replace Pen Testing with Crowdsourced security? (Infosecurity Magazine, Aug 14 2018)
As crowdsourced security emerges, are we ready to throw away pen testing as a methodology?

Comcast Xfinity web flaws exposed customer data (Naked Security – Sophos, Aug 10 2018)
#1: The HTTP header used to “identify” the user contained their public-facing Comcast IP address – data that isn’t suitable to use as a secret identifier. #2: After entering a valid address, an attacker could cycle through all 10,000 four-digit numbers (0000-9999) until one of them turned out to be the four digits that matched the customer’s SSN – there was no limit on the number of guesses or the speed at which they could be tried.
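As an added illustration of the second flaw (example code written for this roundup, not Comcast's or Sophos's), the block below models the unthrottled four-digit check next to a hardened verifier that uses a constant-time compare and a per-account failure budget. The class names, the constructed last-four value and the limit of five attempts are assumptions. The point of the lockout is the arithmetic at the end: an attacker who gets 10,000 free guesses always wins, while one who gets five has a 0.05% chance. Note that the budget has to be keyed on a server-side account or session identifier, never on a client-supplied value such as the source IP that the first flaw used as an identifier.

```python
# Added example (not Comcast's or Sophos's code): the four-digit SSN check with
# no attempt limit, next to a hardened verifier with a per-account lockout.
# Secret values, class names and the limit of 5 attempts are assumptions.
import hmac
from typing import Optional

SPACE = 10_000  # four decimal digits, 0000-9999


class UnboundedVerifier:
    """The flaw as described: unlimited guesses at any speed."""

    def __init__(self, last_four: str) -> None:
        self._last_four = last_four  # constructed sample secret
        self.attempts = 0

    def check(self, guess: str) -> bool:
        self.attempts += 1
        return guess == self._last_four


class LockoutVerifier:
    """Hardened: constant-time compare and a per-account failure budget.

    The budget must be keyed on a server-side account or session id, never on
    a client-supplied header such as a source IP address.
    """

    def __init__(self, last_four: str, max_attempts: int = 5) -> None:
        self._last_four = last_four
        self.max_attempts = max_attempts
        self.failures = 0
        self.attempts = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def check(self, guess: str) -> bool:
        self.attempts += 1
        if self.locked:
            return False  # rejected without touching the secret
        ok = hmac.compare_digest(guess.encode(), self._last_four.encode())
        if not ok:
            self.failures += 1
        return ok


def brute_force(verifier) -> Optional[str]:
    """Cycle through 0000-9999 in order, as the article describes."""
    for n in range(SPACE):
        guess = f"{n:04d}"
        if verifier.check(guess):
            return guess
    return None


def success_probability(max_attempts: int, space: int = SPACE) -> float:
    """Chance that an attacker who gets max_attempts guesses hits the secret."""
    return min(max_attempts, space) / space


if __name__ == "__main__":
    weak = UnboundedVerifier("4242")
    print("unbounded:", brute_force(weak), "after", weak.attempts, "attempts")
    strong = LockoutVerifier("4242", max_attempts=5)
    print("lockout:", brute_force(strong), "locked:", strong.locked)
    print(f"success chance with lockout: {success_probability(5):.2%}")
```

Running it enumerates all 10,000 values against the unbounded verifier and finds the secret on the 4,243rd guess; against the lockout verifier the same loop is shut out after five failures and never sees a match.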

Could deliberately adding security bugs make software more secure? (Naked Security – Sophos, Aug 08 2018)
A new study argues that bogging black hats down in fake flaws might be a better approach to security.


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.


AWS Employee Flub Exposes S3 Bucket Containing GoDaddy Server Configuration and Pricing Models (Dark Reading, Aug 09 2018)
Publicly accessible S3 bucket included configuration data for tens of thousands of systems, as well as sensitive pricing information.
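An added example, not GoDaddy's or AWS's configuration: the check a practitioner would run across every bucket to catch the exposure described above. It evaluates a bucket policy (the JSON string `get_bucket_policy()` returns, after `json.loads`) and an ACL document in the shape `get_bucket_acl()` returns, and reports any grant open to all users. The sample documents, bucket name and account ID are constructed for the illustration.

```python
# Added example (not GoDaddy's or AWS's configuration): flag bucket policies and
# ACLs that make an S3 bucket readable by anyone. The sample documents, bucket
# name and account ID below are constructed for this illustration.
import json
from typing import Dict, List

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy: Dict) -> List[str]:
    """Sids of Allow statements granted to any principal with no Condition.

    Statements that narrow "*" with a Condition (VPC endpoint, source IP, ...)
    are left out here; they still deserve a manual look.
    """
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl: Dict) -> List[str]:
    """'PERMISSION->Group' for grants to the AllUsers/AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            hits.append(f"{grant.get('Permission')}->{group}")
    return hits


def is_public(policy_json: str, acl: Dict) -> bool:
    """Combined verdict over the policy string get_bucket_policy() returns
    and the dict get_bucket_acl() returns."""
    policy = json.loads(policy_json) if policy_json else {}
    return bool(public_policy_statements(policy) or public_acl_grants(acl))


# Constructed sample documents (123456789012 is the placeholder account ID used
# in AWS documentation).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}},
        {"Sid": "OwnerFullAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("policy:", public_policy_statements(SAMPLE_POLICY))
    print("acl:", public_acl_grants(SAMPLE_ACL))
    print("public:", is_public(json.dumps(SAMPLE_POLICY), SAMPLE_ACL))
```

Either path alone is enough to expose a bucket: a policy with `"Principal": "*"` or an ACL grant to the AllUsers group. The check deliberately treats AuthenticatedUsers as public too, since that group is any AWS account in the world, not just your own.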

Ixia now offers packet-level visibility into workloads in containers and Kubernetes clusters (Help Net Security, Aug 10 2018)
Keysight Technologies announced it has extended the Ixia CloudLens visibility platform to offer packet-level visibility into workloads in containers and Kubernetes clusters.

Zscaler receives FedRAMP authorization for a Zero Trust remote access platform (Help Net Security, Aug 14 2018)
Zscaler announced that Zscaler Private Access-Government (ZPA-Government), its application access platform, meets the Federal Risk and Authorization Management Program (FedRAMP) Moderate security requirements and was granted Authority to Operate (ATO) by the Federal Communications Commission (FCC).

Container Security Firm Twistlock Raises $33 Million (SecurityWeek, Aug 15 2018)
Twistlock, a provider of solutions to protect cloud containers, today announced that it has raised $33 million in Series C funding, bringing the total raised to-date by the Portland, Oregon-based company to $63 million.

CVE and Cloud Services, Part 1: The Exclusion of Cloud Service Vulnerabilities (Cloud Security Alliance Blog, Aug 13 2018)
This is the first in a series of blogposts that will explore the challenges and opportunities in enterprise vulnerability management in relation to the increasing adoption of cloud services.

DevSecOps: Overcoming the Culture of “No” (DZone, Aug 13 2018)
Learn about building security into your DevOps pipeline and overcoming obstacles by investing in your people.

Only 8% of orgs have effective DevSecOps practices (Help Net Security, Aug 08 2018)
92 percent of organizations struggle to implement security into the entire DevOps process despite most saying they want to do so – a staggering capability gap exposed in the new, global data report commissioned by Checkmarx. The study spotlights the biggest barriers to securing software today depending on where organizations sit on the DevOps maturity curve. Report findings are based on online survey input from 183 respondents worldwide, the majority of whom hold software development, …

Implementing DevSecOps in the Mainframe-Driven Enterprise (DevOps, Aug 09 2018)
Before the DevOps/Agile sensibility took hold, QA personnel showed up at the end of the release cycle, well after code was hardened.

Identifying Programmers by their Coding Style (Schneier on Security, Aug 13 2018)
Fascinating research de-anonymizing code — from either source code or compiled code…

Google Engineering Lead on Lessons Learned From Chrome’s HTTPS Push (Dark Reading, Aug 08 2018)
Google engineering director Parisa Tabriz took the Black Hat keynote stage to detail the Chrome transition and share advice with security pros.

Windows 10 to get disposable sandboxes for dodgy apps (Ars Technica, Aug 09 2018)
Apps will be run in a virtual machine that’s discarded after use.

Crowdfense platform to allow researchers to safely submit, discuss and sell 0day exploits (Help Net Security, Aug 09 2018)
Crowdfense announced the launch of their Vulnerability Research Platform (VRP). This web-based collaboration platform allows vulnerability researchers to safely submit, discuss and quickly sell single 0day exploits and chains of exploits. The VRP will open on September 3, 2018.

Over 20 Flaws Discovered in Popular Healthcare Software (Infosecurity Magazine, Aug 09 2018)
OpenEMR said to serve over 90m patients

How one man could have hacked every Mac developer (73% of them, anyway) (Naked Security – Sophos, Aug 10 2018)
An inadvertently exposed login key could have spelled cybersecurity disaster for the Homebrew project, beloved of Mac developers everywhere.
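An added example of the check that catches this class of leak before a credential reaches a public build log (written for this roundup; it is not Homebrew's tooling). It scans constructed CI log lines for credential shapes and reports them redacted. The rules are assumptions about common formats: AWS access key IDs begin with `AKIA`, a 40-character hex value matched both 2018-era GitHub tokens and git commit SHAs (so it is only reported when a word like "token" or "password" appears on the same line), and keyword-style assignments such as `PASSWORD=...`. The sample log is invented apart from `AKIAIOSFODNN7EXAMPLE`, which is the placeholder key from AWS documentation.

```python
# Added example (not Homebrew's tooling): scan CI/build log lines for leaked
# credentials before they are published. Patterns and the sample log are
# assumptions made for this illustration.
import re
from typing import List, Tuple

# Words that turn an otherwise ambiguous hex blob into a probable secret.
CONTEXT = re.compile(r"token|secret|passw(?:or)?d|api[_-]?key|credential", re.IGNORECASE)

# (rule name, pattern, needs_context). AWS access key IDs start with AKIA; a
# 40-hex value matched both 2018-era GitHub tokens and git commit SHAs, so it
# is reported only when a context word appears on the same line.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("hex-40-token", re.compile(r"\b[0-9a-f]{40}\b"), True),
    ("assigned-secret", re.compile(
        r"(?:token|secret|passw(?:or)?d|api[_-]?key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9+/_\-]{16,})",
        re.IGNORECASE), False),
]


def redact(value: str) -> str:
    """Report a finding without copying the secret into yet another log."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def scan_lines(lines) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, redacted value) for each distinct hit."""
    findings = []
    seen = set()
    for lineno, line in enumerate(lines, 1):
        for name, pattern, needs_context in RULES:
            if needs_context and not CONTEXT.search(line):
                continue
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if (lineno, value) in seen:
                    continue  # same secret already matched by an earlier rule
                seen.add((lineno, value))
                findings.append((lineno, name, redact(value)))
    return findings


# Constructed sample log: AKIAIOSFODNN7EXAMPLE is the placeholder key from
# AWS documentation; the other values are invented.
SAMPLE_LOG = [
    "[INFO] Checking out revision 3b7c1f9e2a4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b",
    "[INFO] Running with GITHUB_TOKEN=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0",
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    'export DB_PASSWORD="correct-horse-battery-staple"',
    "[INFO] Build finished",
]

if __name__ == "__main__":
    for lineno, rule, value in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {rule}: {value}")
```

On the sample log the commit SHA on line 1 is left alone (no context word), while the token on line 2, the access key ID on line 3 and the assigned password on line 4 are each reported once. A scanner like this belongs on the CI side before console output is retained or made public; it is a last line of defence, not a replacement for keeping long-lived credentials out of build jobs.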

Hack the Marine Corps’ Bug Bounty Event Held in Vegas (Dark Reading, Aug 13 2018)
$80K in payouts went to handpicked hackers in nine-hour event during DEF CON in Las Vegas.

RunSafe could eliminate an entire class of infrastructure malware attacks (TechCrunch, Aug 15 2018)
CEO Joe Saunders says that the product began with the DoD research and a simple premise: “If you assume hardware in the supply chain is compromised, can you still build trusted software on top of untrusted hardware? And so we came up with techniques that we have since greatly expanded to protect the software from compromise. We eliminate an entire class of attacks and greatly reduce the attack surface for software across critical infrastructure.”

Trustwave develops free social media tool for pen testers (SC Magazine, Aug 14 2018)
Trustwave has developed and released a free tool companies can use to help them create realistic phishing emails for use with in-house training programs.