A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

A Microsoft DevSecOps SAST Exercise (Microsoft DevOps Blog, Aug 17 2018)
Static Application Security Testing (SAST) is a critical DevSecOps practice. As engineering organizations accelerate continuous delivery to impressive levels, it’s important to ensure that continuous security validation keeps up. To do so most effectively requires a multi-dimensional application of static analysis tools. The more customizable the tool, the better you can shape it to your actual security risk.

Chrome 69 will take the next step to killing Flash, roll out new design (Ars Technica, Aug 21 2018)
Flash will have to be enabled every time a site tries to use it.

Deploy only what you trust: introducing Binary Authorization for Google Kubernetes Engine (Cloud Blog, Aug 20 2018)
Google introduced Binary Authorization in beta so you can be more confident that only trusted workloads are deployed to Google Kubernetes Engine. Integrated into the Kubernetes Engine deployment API, Binary Authorization is a container security feature that provides a policy enforcement chokepoint to ensure only signed and authorized images are deployed in your environment.

Reduce your exposure to brute force attacks from the virtual machine blade (Microsoft Azure Blog, Aug 22 2018)
One way to reduce exposure to an attack is to limit the amount of time that a port on your virtual machine is open. Ports only need to be open for a limited amount of time for you to perform management or maintenance tasks. Just-In-Time VM Access helps you control the time that the ports on your virtual machines are open.

Facebook Awards $1M for Defense-Based Research (Dark Reading, Aug 16 2018)
The company today awarded $200,000 to winners of the Internet Defense Prize after spending $800,000 on the Secure the Internet grants.

Google Introduces Cloud HSM beta for hardware crypto key security (Cloud Blog, Aug 20 2018)
Google announced the beta release of Cloud HSM, a managed cloud-hosted hardware security module (HSM) service. Cloud HSM allows you to host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs…

Aqua Security Launches Open-Source Kube-Hunter Container Security Tool (eWEEK, Aug 20 2018)
The new tool aims to help organizations run penetration tests against Kubernetes container orchestration clusters so they can identify and remediate security issues.

CloudPassage debuts Halo Cloud Secure, delivering security of public cloud infrastructure (Help Net Security, Aug 21 2018)
CloudPassage announced the general availability of Halo Cloud Secure, which offers protection of public cloud infrastructure, delivering security and DevOps teams a “single pane of glass” view of security and compliance across all of their cloud service provider (CSP) accounts.

Data Protection, Security and Shared Responsibility: What You Need to Know about AWS (SC Magazine, Aug 21 2018)
The ideal data protection strategy for AWS’ shared responsibility model should be able to back up natively within AWS’ elastic cloud environment. That way you eliminate the need for on-premises backup media and offsite storage locations, as well as additional bandwidth and other considerations.

How to automate the import of third-party threat intelligence feeds into Amazon GuardDuty (AWS Security Blog, Aug 17 2018)
Amazon GuardDuty is an AWS threat detection service that helps protect your AWS accounts and workloads by continuously monitoring them for malicious and unauthorized behavior. You can enable Amazon GuardDuty through the AWS Management Console with one click.

Hardening the security of Azure IoT Edge (Microsoft Azure Blog, Aug 20 2018)
There is always a need to balance security investments with protection goals; missing this balance results in either inadequate protection or overspending. One very important axis for achieving this balance is to assess the risks on the IoT device and invest in adequate secure silicon hardware technologies, such as hardware security modules (HSMs), for mitigation.

Why Python Continues to Be the Swiss Army Knife of Programming (eWEEK, Aug 16 2018)
Here is a list of reasons why Python is repeatedly ranked among the top five programming languages by organizations like TIOBE and GitHub.

Busting the security myth: Should I use WordPress for my website? (Help Net Security, Aug 17 2018)
WordPress has been around for 15 years. Today it powers around 30% of the top 10 million websites on the internet. Being such a popular platform, WordPress has been in the limelight quite a few times, more often than not for the wrong reasons: security, or the lack of it. But is it really as insecure as many think?

Comodo CA acquires CodeGuard (Help Net Security, Aug 17 2018)
CodeGuard allows business owners to reverse damage caused by cyber attacks or impacts of development issues, content management errors and server crashes.

Firefox axes add-ons, developer pushes back (Naked Security – Sophos, Aug 20 2018)
Mozilla has wiped 23 extensions from its directory of Firefox browser add-ons after finding what it says were inappropriate functions in the code.

Code of App Security Tool Posted to GitHub (SecurityWeek, Aug 20 2018)
Code of DexGuard, software designed to secure Android applications and software development kits (SDKs), was removed from GitHub last week, after being illegally posted on the platform.

Twitch admits exposing user messages after archiving error (Naked Security – Sophos, Aug 21 2018)
Games streaming giant Twitch has admitted accidentally exposing some users’ messages to other users as it shut down its legacy in-house messaging system in May.

Philips cardiovascular software found to contain privilege escalation, code execution bugs (SC Magazine, Aug 20 2018)
Multiple versions of cardiovascular imaging and information management software from Philips have been found to contain vulnerabilities that could lead to escalated privileges and arbitrary code execution.

Clinging to TLS 1.0 Puts Sites Outside PCI DSS Compliance (Dark Reading, Aug 21 2018)
More than half of organizations could be out of compliance, new research shows.

Badge Reading App Exposed Details of Black Hat Conference Attendees (SecurityWeek, Aug 22 2018)
A researcher discovered that a vulnerability in the badge reading app used at the recent Black Hat security conference exposed the registration details of all attendees.