A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

How Google Chrome Spent a Decade Making the Web More Secure (Wired, Sep 04 2018)
Crucially, Chrome managed tabs in a new way; its “sandbox” made each one run with its own permissions and protected memory. That way if one tab crashed it didn’t crash the whole browser, and if an attacker tried to attack a Chrome user, she wouldn’t be able to compromise more than one site at a time. For the first time, a browser functioned more like an operating system, running many isolated programs on a permission system, rather than as a single free-for-all program.

Chrome 69 is out, includes many functional and security changes (Help Net Security, Sep 05 2018)
Ten years ago Google released the first iteration of its Chrome browser. On Tuesday, the company pushed out version 69.

Conceptual and Technical Challenges in Multi-cloud Security (Infosec Island, Aug 30 2018)
Cloud vendors are in a race to close the gaps in capabilities among themselves as well as to create product differentiation that will attract and retain customers. Some services may look similar, but minor differences can lead to security issues and misconfigurations. Let’s explore some of the challenges that security organizations face with multi-cloud deployments.


Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.


Titan Security Keys: Now available on the Google Store (Google Cloud Blog, Aug 30 2018)
In July, Google announced Titan Security Keys, FIDO security keys built with a hardware chip that includes firmware engineered by Google to verify the keys’ integrity. Starting today, Titan Security Keys are available for purchase on the Google Store.

In-Q-Tel Invests in StackRox to Advance Container Security (Container Journal, Sep 05 2018)
As part of that effort, StackRox and IQT will work together to help U.S. government agencies to prioritize container runtime security issues based on factors such as orchestrator settings, network segmentation policies, secrets and container configuration. Most recently, StackRox added a risk scoring capability to its container security platform.

Microsoft Bringing Google ID Log-ins to Azure Active Directory (eWEEK, Aug 30 2018)
Now in preview, the new service will help enterprises collaborate and share applications with other companies beyond their own networks.

SnapLogic eXtreme accelerates cloud data lake initiatives (Help Net Security, Aug 30 2018)
To help enterprises harness data as an asset, SnapLogic eXtreme allows big data engineers and technical business users alike to process volumes of data without complex code.

More on Security Data Lakes – And FAIL! (Gartner Blog Network, Aug 29 2018)
“Data lakes are rarely started with a definite goal in mind, but rather with nebulous aspirations […]” – same is often seen with security data lakes.

Amazon is quietly doubling down on cryptographic security (TechCrunch, Aug 31 2018)
Amazon’s AWS has been working on a range of new cryptographic and AI-based tools to help manage the security around cloud-based enterprise services, and it currently has over 130 vacancies for engineers with cryptography skills to help build and run it all.

Encrypted cloud storage and collaboration company Tresorit secures €11.5M Series B (TechCrunch, Sep 04 2018)
Tresorit, the Swiss-Hungarian company that provides end-to-end encrypted “file sync and sharing” for businesses, has closed €11.5 million in Series B financing.

How to use AWS Secrets Manager to rotate credentials for all Amazon RDS database types, including Oracle (AWS Security Blog, Aug 29 2018)
You can now use AWS Secrets Manager to rotate credentials for Oracle, Microsoft SQL Server, or MariaDB databases hosted on Amazon Relational Database Service (Amazon RDS) automatically.
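The four-step contract behind that rotation (Secrets Manager calls a Lambda for createSecret, setSecret, testSecret and finishSecret, moving the AWSCURRENT / AWSPENDING / AWSPREVIOUS labels between secret versions) is worth seeing end to end. The block below is an added example, not AWS's own rotation template: the boto3 method names, parameters and staging labels are the real ones, but FakeSecretsManager and FakeDatabase are constructed stand-ins for the boto3 client and the RDS instance, so it runs offline and the sample secret (engine, host, port, username, password) is made up.

```python
"""Four-step AWS Secrets Manager rotation for an RDS credential, runnable offline.
Added example: the step protocol and staging labels are AWS's documented ones; the two
Fake* classes are constructed stand-ins for the boto3 client and the RDS instance."""
import json
import secrets
import string

AWSCURRENT, AWSPENDING, AWSPREVIOUS = "AWSCURRENT", "AWSPENDING", "AWSPREVIOUS"
STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")


class FakeSecretsManager:
    """In-memory subset of the boto3 secretsmanager client (constructed, not boto3)."""
    def __init__(self, secret_id, current):
        self.secret_id = secret_id
        self.versions = {"v0": [json.dumps(current), {AWSCURRENT}]}  # id -> [value, stages]
    def describe_secret(self, SecretId):
        return {"RotationEnabled": True,
                "VersionIdsToStages": {v: sorted(s) for v, (_, s) in self.versions.items()}}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        if VersionId is None and VersionStage is None:
            VersionStage = AWSCURRENT  # the real API defaults to the current version
        for vid, (value, stages) in self.versions.items():
            if VersionId in (None, vid) and (VersionStage is None or VersionStage in stages):
                return {"VersionId": vid, "SecretString": value}
        raise LookupError("ResourceNotFoundException")  # boto3 raises a client exception
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = [SecretString, set(VersionStages)]
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId][1].discard(VersionStage)
        self.versions[MoveToVersionId][1].add(VersionStage)
        if VersionStage == AWSCURRENT:  # the service moves AWSPREVIOUS onto the old current
            for _, stages in self.versions.values():
                stages.discard(AWSPREVIOUS)
            self.versions[RemoveFromVersionId][1].add(AWSPREVIOUS)
    def get_random_password(self, PasswordLength, ExcludeCharacters):
        alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in ExcludeCharacters]
        return {"RandomPassword": "".join(secrets.choice(alphabet) for _ in range(PasswordLength))}


class FakeDatabase:
    """Stand-in for the RDS instance: a password changes only after a valid login (constructed)."""
    def __init__(self, username, password):
        self.users = {username: password}
    def login(self, username, password):
        return self.users.get(username) == password
    def change_password(self, username, old_password, new_password):
        if not self.login(username, old_password):
            raise PermissionError("current credentials rejected")
        self.users[username] = new_password


def rotate(event, sm, db):
    """Handler in the shape Secrets Manager invokes once per step:
    event = {"SecretId": arn, "ClientRequestToken": new_version_id, "Step": step}."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    meta = sm.describe_secret(SecretId=arn)
    if not meta["RotationEnabled"]:
        raise ValueError("rotation is not enabled for this secret")
    if AWSCURRENT in meta["VersionIdsToStages"].get(token, []):
        return "noop"  # event re-delivered after finishSecret; nothing left to do

    def load(**selector):
        return json.loads(sm.get_secret_value(SecretId=arn, **selector)["SecretString"])

    if step == "createSecret":
        try:
            load(VersionId=token, VersionStage=AWSPENDING)
            return "pending-exists"  # a retry must not mint a second password
        except LookupError:
            pass
        new = load(VersionStage=AWSCURRENT)
        new["password"] = sm.get_random_password(  # exclusions avoid quoting trouble in DSNs
            PasswordLength=32, ExcludeCharacters="/@\"'\\")["RandomPassword"]
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                            SecretString=json.dumps(new), VersionStages=[AWSPENDING])
    elif step == "setSecret":
        pend = load(VersionId=token, VersionStage=AWSPENDING)
        if db.login(pend["username"], pend["password"]):
            return "already-set"  # retry after the database change had already landed
        cur = load(VersionStage=AWSCURRENT)
        db.change_password(pend["username"], cur["password"], pend["password"])
    elif step == "testSecret":
        pend = load(VersionId=token, VersionStage=AWSPENDING)
        if not db.login(pend["username"], pend["password"]):
            raise RuntimeError("AWSPENDING credentials rejected; AWSCURRENT stays in place")
    else:  # finishSecret: only now do readers of AWSCURRENT receive the new password
        current_id = next(v for v, s in meta["VersionIdsToStages"].items() if AWSCURRENT in s)
        sm.update_secret_version_stage(SecretId=arn, VersionStage=AWSCURRENT,
                                       MoveToVersionId=token, RemoveFromVersionId=current_id)
    return step


def rotate_credential(sm, db, token):
    """Drive all four steps for one ClientRequestToken, as the service would, and
    return the credential now labelled AWSCURRENT."""
    for step in STEPS:
        rotate({"SecretId": sm.secret_id, "ClientRequestToken": token, "Step": step}, sm, db)
    return json.loads(sm.get_secret_value(SecretId=sm.secret_id)["SecretString"])
```

The checks a practitioner wants are in the step bodies: createSecret and setSecret survive a re-delivered event without generating a second password or failing on a change that already landed, a failed testSecret raises before any label moves so consumers keep reading the old AWSCURRENT, and the new password is only promoted in finishSecret. Rotation of the credential is worthless if the application caches the old value, so clients should re-read the secret on an authentication failure rather than at startup only.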

Google wants to get rid of URLs but doesn’t know what to use instead (Ars Technica, Sep 05 2018)
Their complexity makes them a security hazard; their ubiquity makes replacement nigh impossible.

Chrome: Flash is almost, almost, almost dead (Naked Security – Sophos, Sep 03 2018)
Starting with Chrome update 69, the browser will require users to explicitly enable Flash every single time they want to use it. Chrome will no longer remember this preference between sessions, so every time a user hits a site that uses Flash, they’ll have to say “yes, I really want to enable this extension.”

If an extension goes rogue, everything you do in your browser is compromised (Graham Cluley, Sep 05 2018)
The official Chrome browser extension for Mega.nz was compromised with a malicious update, stealing passwords and private keys. Keep your browser extensions to a minimum, and always be wary if they ask for elevated permissions.

The thin host to serverless model is radically realigning your security responsibilities (CSO Online, Sep 04 2018)
This is good news as infrastructure and network security oversight transfers to your cloud provider.

What Developers Can Do to Improve Cyber-Security (eWEEK, Aug 31 2018)
At the Open Source Summit, Window Snyder, chief security officer at Intel, explains why fear is not a good motivator for improving cyber-security and provides insight into how to improve software defenses.

Lean, Mean & Agile Hacking Machine (Dark Reading, Sep 04 2018)
Hackers are thinking more like developers to evade detection and are becoming more precise in their targeting.

FOIA portal upgrade error exposes SSNs, PII (SC Magazine, Sep 03 2018)
The site revealed the partial or full social security numbers of at least 80 persons and in one case, a violent crime victim described the crime while looking for additional information on the incident.

Google Introduces Open Source Cross-Platform Crypto Library (SecurityWeek, Sep 04 2018)
Google last week took the wraps off Tink, an open source, multi-language, cross-platform cryptographic library designed to help simplify common encryption operations.