A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Facebook Broadens Its Bug Bounty to Include Third-Party Apps (Wired, Sep 17 2018)
Starting Monday, Facebook will pay at least $600 to researchers who spot third-party apps behaving badly on its platform.

2018 State of DevOps Report: Practical guidance for your DevOps evolution (Puppet, Sep 12 2018)
“Based on anecdotal evidence, the authors of this year’s report believed that most successful DevOps transformations follow a specific pattern: Starting with grassroots efforts, early successes and proven practices are shared with other teams. Next, the successful patterns are shared with multiple teams throughout a department, and finally, are spread to other departments. Analysis of our survey data showed that this observed pattern is true for highly evolved organizations.”

GovPayNow.com Leaks 14M+ Records (Krebs on Security, Sep 17 2018)
“Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.”


Why the Pentagon’s $10 billion JEDI deal has cloud companies going nuts (TechCrunch, Sep 15 2018)
By now you’ve probably heard of the Defense Department’s massive winner-take-all $10 billion cloud contract dubbed the Joint Enterprise Defense Infrastructure (or JEDI for short).

The Security Costs of Cloud-Native Applications (Dark Reading, Sep 18 2018)
The larger the organization, the more likely it will rely on cloud-native apps for new deployments. For example, 55% of companies with $250 million to $499 million in revenue have most of their new apps running as cloud native. That number jumps to 60% for companies with $500 million to $999 million in revenue, 63% for those with $1 billion to $4.9 billion in revenue, and 71% for those with $5 billion to $9.9 billion in revenue.

Building Security into the 3 Phases of Container Deployment (Container Journal, Sep 13 2018)
All three phases of container deployment—build, ship and runtime—have to be secured, and each has specific requirements. Let’s look at each one in detail.

Container Security Firm Sysdig Raises $68.5 Million (SecurityWeek, Sep 12 2018)
Sysdig’s products enable organizations to closely monitor their containers and microservices, ensure that vulnerabilities are identified and threats are blocked, and enforce compliance.

Cloud-Native Attacks Executed Against Known CVEs (Infosecurity Magazine, Sep 14 2018)
What researchers discovered was that 60% of cloud-native services are not automatically patched to the latest version. Additionally, over 90% of attacks are automatically executed against outdated code and known CVEs.

Deleting your data in Google Cloud Platform (Google Cloud Blog, Sep 13 2018)
A new whitepaper: Data deletion on Google Cloud Platform. This paper explains what happens when customer data is deleted in GCP and how long it takes to complete Google’s data deletion process.

Software-Defined Perimeter Architecture Guide Preview: Part 3 (Cloud Security Alliance Blog, Sep 18 2018)
One of the key security benefits that SDP provides is that not only are the organization’s servers protected by the SDP Gateway, but the SDP infrastructure itself is secured against access by unauthorized users. This makes it safer to deploy SDP components in internet-facing roles, compared with traditional security infrastructure (such as VPNs) which are directly and easily accessible to attackers.

How Security Center and Log Analytics can be used for Threat Hunting (Microsoft Azure Blog, Sep 12 2018)
The post walks through some simple hunts that an analyst can start with, in Azure and elsewhere.
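
The Microsoft post expresses its hunts as Kusto queries over Log Analytics tables. As an added illustration (not code from the post, and not an Azure schema), here is one of the classic starter hunts, a burst of failed logons from one source against one account followed by a success, written in plain Python over constructed sample sign-in events so it runs offline. The tab-separated fields (timestamp, user, source IP, outcome) and the threshold/window defaults are assumptions chosen for the example.

```python
"""Starter threat hunt: failed-logon bursts, with and without a following success.

Added example, not code from the Microsoft Azure post. The post runs hunts as
Kusto queries against Azure Security Center / Log Analytics; this is the same
idea in Python over constructed sample events. The record layout below
(timestamp, user, source IP, outcome) is an assumption, not an Azure schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, user, source IP, outcome.
SAMPLE_LOG = """\
2018-09-12T10:00:01Z\talice\t203.0.113.10\tFAIL
2018-09-12T10:00:03Z\talice\t203.0.113.10\tFAIL
2018-09-12T10:00:05Z\talice\t203.0.113.10\tFAIL
2018-09-12T10:00:07Z\talice\t203.0.113.10\tFAIL
2018-09-12T10:00:09Z\talice\t203.0.113.10\tFAIL
2018-09-12T10:00:12Z\talice\t203.0.113.10\tSUCCESS
2018-09-12T10:01:00Z\tbob\t198.51.100.7\tFAIL
2018-09-12T10:30:00Z\tbob\t198.51.100.7\tSUCCESS
2018-09-12T11:00:00Z\tcarol\t192.0.2.44\tFAIL
2018-09-12T11:00:01Z\tcarol\t192.0.2.44\tFAIL
2018-09-12T11:00:02Z\tcarol\t192.0.2.44\tFAIL
2018-09-12T11:00:03Z\tcarol\t192.0.2.44\tFAIL
2018-09-12T11:00:04Z\tcarol\t192.0.2.44\tFAIL
2018-09-12T11:00:05Z\tcarol\t192.0.2.44\tFAIL
"""


def parse_events(text):
    """Parse tab-separated sign-in records into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, outcome = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "outcome": outcome,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def hunt_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (source IP, user) pairs with >= `threshold` consecutive failures inside `window`.

    A burst that ends in a SUCCESS is the higher-priority finding (possible
    account compromise); a burst with no success is still worth a look
    (ongoing brute force or spraying).
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["user"])].append(e)

    findings = []
    for (src, user), evs in sorted(by_key.items()):
        streak = []  # timestamps of the current run of failures
        for e in evs:
            if e["outcome"] == "FAIL":
                streak.append(e["ts"])
                # keep only failures within `window` of the newest one
                streak = [t for t in streak if e["ts"] - t <= window]
            else:
                if len(streak) >= threshold:
                    findings.append({
                        "src": src, "user": user, "failures": len(streak),
                        "first_failure": streak[0], "followed_by_success": True,
                        "success_at": e["ts"],
                    })
                streak = []  # any non-failure outcome ends the streak
        if len(streak) >= threshold:
            findings.append({
                "src": src, "user": user, "failures": len(streak),
                "first_failure": streak[0], "followed_by_success": False,
                "success_at": None,
            })
    return findings


if __name__ == "__main__":
    for f in hunt_failed_logon_bursts(parse_events(SAMPLE_LOG)):
        tag = "COMPROMISE?" if f["followed_by_success"] else "ongoing"
        print(f"[{tag}] {f['user']} from {f['src']}: {f['failures']} failures "
              f"starting {f['first_failure'].isoformat()}")
```

On the sample data the hunt flags alice (five failures then a success from the same address) and carol (six failures, no success), and ignores bob, whose single failure half an hour before a successful logon is ordinary user behaviour. Tune `threshold` and `window` to the environment; the same grouping-by-source-and-account logic is what the Kusto version does with `summarize ... by` over a time bin.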

Trust through transparency: incident response in Google Cloud (Google Cloud Blog, Sep 12 2018)
A white paper giving Google Cloud customers a closer look at how Google manages data incidents.

Cybersecurity as catalyst for greater adoption of agile development (Help Net Security, Sep 12 2018)
“At one point in time there likely was a good reason for the checklist, but in a world of agile security, not only do a lot of those checklists not make sense, many recommendations are actually damaging to an organization.”

Extended Validation Certificates are Dead (Troy Hunt, Sep 17 2018)
That’s it – I’m calling it – extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from “barely there” to “as good as non-existent”.

DevOps and the Dark Pools of Security Technical Debt (DevOps, Sep 18 2018)
When it comes to prioritizing efforts, devoting attention to the non-functional requirements of DevOps infrastructure security often takes a back seat to the more observable value that the output of these systems provide. This is where security technical debt is created.

Why the DevOps Trinity is Key for Digital Transformation (DevOps, Sep 12 2018)
To build a sustainable DevOps culture and achieve true DevOps success, organizations need to consider the DevOps Trinity—people, processes and tools—and understand how to connect all three…

Common Security Challenges in CI/CD Workflows (DZone, Sep 13 2018)
Learn about the serious security challenges that face those working with CI/CD development and testing workflows and how to start tackling them.