A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

British Airways breach was effected by Magecart attackers (Help Net Security, Sep 11 2018)
The group has been compromising online shops left and right for years and its most recent known target before British Airways was Ticketmaster. They use the stolen information to perform card-not-present fraud and employ mules to reship thusly bought high-priced goods to addresses in Eastern Europe.

The Effectiveness of Publicly Shaming Bad Security (Troy Hunt, Sep 11 2018)
Here’s how it normally plays out: It all begins when a company pops up online and makes some sort of ludicrous statement related to their security posture, often as part of a discussion on a public social media platform such as Twitter. Shortly thereafter, the masses descend on said organisation

TLS 1.3 Won’t Break Everything (Dark Reading, Sep 07 2018)
One of the important benefits touted for TLS 1.3 is improved performance, much of which comes because of a simplified “handshake” process between client and server when establishing a session. There are several technical reasons this is possible, but one of them is that a single negotiation — that of which encryption algorithm to use — is eliminated.


New Relic shifts with changing monitoring landscape (TechCrunch, Sep 10 2018)
“What if I could program New Relic to take action when a certain thing happens. When an application has a problem, it could post a notice to the status page or restart the service. You could automate something that has been historically done manually,” he explained.

Two seconds to take a bite out of mobile bank fraud with Artificial Intelligence (Microsoft Azure Blog, Aug 30 2018)
Artificial Intelligence (AI) models have the potential to dramatically improve fraud detection rates and detection times. One approach is described in this Mobile bank fraud solution guide. (worth checking out the PDF)

Supermicro servers fixed after insecure firmware updating discovered (Naked Security – Sophos, Sep 10 2018)
Researchers have sounded a warning about the security of Baseboard Management Controllers (BMCs) – a critical component that datacentres depend on to manage servers.

Visibility is key for devops and the hybrid cloud (Network World Security, Sep 07 2018)
Instead of Dev teams relying on Ops to highlight problems, for example, they can look on the system themselves and see the same situation and know which parameters that they need to work within. This not only saves time but makes feedback loops significantly more effective.

Google’s Cloud Access Transparency Logs Now Generally Available (eWEEK, Sep 11 2018)
Google Cloud Access Transparency Logs give organizations a way to keep an eye on any access to their cloud data by Google engineers and administrators.

Visualizing Amazon GuardDuty findings (AWS Security Blog, Sep 06 2018)
Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect your AWS accounts and workloads.

WhiteHat Security unveils AI capabilities for Sentinel Dynamic DAST solution to empower DevSecOps (Help Net Security, Sep 07 2018)
WhiteHat Security unveiled that new, artificial intelligence (AI) software is being added to WhiteHat Sentinel Dynamic, its dynamic application security testing (DAST) solution, which draws from a data lake of 95 million identified vulnerabilities.

DevOps Demystified: A Primer for Security Practitioners (Dark Reading, Sep 10 2018)
The quiz focused on application development terms that an entry-level software developer could easily answer, such as, “what’s a software library?” and “what’s an IDE?”

No One Technology is a Silver Bullet (CA Veracode, Sep 11 2018)
SAST doesn’t require a fully functional system with test data and automated test suites. DAST doesn’t require modifying the production environment, let alone finding a server and the admin to modify it. Because of these strengths SAST can be used earlier in the development cycle than both IAST and DAST. DAST can be used more easily than SAST and IAST in production.

HackerOne Paid $500k in Bug Bounties at DEF CON (Infosecurity Magazine, Sep 05 2018)
Over the course of the five days, hackers filed 915 vulnerability reports, 66% of which were deemed valid. “Of the 607 valid reports, nearly 200 were marked as high or critical in severity. Customers cumulatively paid out $539,712 in bounties for one of the greatest bounty weeks in HackerOne history.”

Trend Micro Hits Back at Mac App Store Reports (Infosecurity Magazine, Sep 11 2018)
Security giant moves to allay concerns over apps

OpenSSL 1.1.1 Released With TLS 1.3, Security Improvements (SecurityWeek, Sep 11 2018)
Other noteworthy changes in OpenSSL 1.1.1 include a complete rewrite of the random number generator, support for several new cryptographic algorithms, security improvements designed to mitigate side-channel attacks, support for the Maximum Fragment Length TLS extension, and a new STORE module that implements a uniform and URI-based reader of stores that contain certificates, keys, CRLs and other objects.

What is a chaff bug? How adding bugs to apps may make them more secure (CSO Online, Sep 07 2018)
Researchers at NYU have developed a technique to add inert bugs in code to deter hackers. But could it work in reality?