A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

U.S. General Services Administration Launches Bug Bounty Program (SecurityWeek, Sep 24 2018)
The United States General Services Administration’s (GSA) Technology Transformation Service (TTS) has launched a bug bounty program on HackerOne, the hacker-powered security platform announced on Friday.

In Quiet Change, Google Now Automatically Logging Users Into Chrome (Dark Reading, Sep 24 2018)
The change is a complete departure from Google’s previous practice of keeping sign-in for Chrome separate from sign-ins to any Google service.

App developers are STILL allowed to read your Gmails (Naked Security – Sophos, Sep 24 2018)
Google is still allowing third-party developers access to its users’ Gmail data, it said in a letter to Senators last week.

AWS Organizations now requires email address verification in order to invite accounts to an organization (AWS Security Blog, Sep 20 2018)
AWS Organizations, the service for centrally managing multiple AWS accounts, enables you to invite existing accounts to join your organization. To provide additional assurance about your organization’s identity to AWS accounts that you invite, AWS Organizations is adding a new feature. Beginning on September 27, 2018, you’ll need to verify the email address associated with your organization’s master account before you invite existing accounts to join your organization.

A Kubernetes FAQ for the C-suite (Cloud Blog, Sep 24 2018)
Executives want to know what role Google Cloud can play in their business transformation journeys. Not that long ago, those meetings rarely featured Kubernetes. Today, however, many executives have taken note of its potential to transform the way enterprises build and run applications; it’s no surprise to read that 54% of Fortune 100 companies are using Kubernetes in some form.

Microsoft Deletes Passwords for Azure Active Directory Applications (Dark Reading, Sep 24 2018)
At Ignite 2018, security took center stage as Microsoft rolled out new security services and promised an end to passwords for online apps.

Attivo Brings Cyber-Security Deception to Containers and Serverless (eWEEK, Sep 24 2018)
Attivo’s ThreatDefend deception platform can now enable organizations to create decoy containers and serverless functions, in an attempt to trap attackers.

The Cloud Security Conundrum: Assets vs. Infrastructure (Dark Reading, Sep 25 2018)
The issue for cloud adopters is no longer where your data sits in AWS, on-premises, Azure, Salesforce, or what have you. The important questions are: Who has access to it, and how is it protected?

The Linux Foundation brings network automation and cloud native communities together (Help Net Security, Sep 25 2018)
The Linux Foundation announced further collaboration between telecom and cloud industry leaders enabled by the Cloud Native Computing Foundation (CNCF) and LF Networking (LFN), fueling migrations of Virtual Network Functions (VNFs) to Cloud-native Network Functions (CNFs).

Chef launches deeper integration with Microsoft Azure (TechCrunch, Sep 25 2018)
And to remain in compliance, Chef is also launching an integration of its InSpec security and compliance tools with Azure. InSpec works hand in hand with Microsoft’s new Azure Policy Guest Configuration (who comes up with these names?) and allows users to automatically audit all of their applications on Azure.

How to seamlessly domain join Amazon EC2 instances to a single AWS Managed Microsoft AD Directory from multiple accounts and VPCs (AWS Security Blog, Sep 25 2018)
You can now share a single AWS Directory Service for Microsoft Active Directory (also known as an AWS Managed Microsoft AD) with multiple AWS accounts within an AWS Region. This capability makes it easier and more cost-effective for you to manage directory-aware workloads from a single directory across accounts and Amazon Virtual Private Clouds (Amazon VPC).

Guard against security vulnerabilities in your software supply chain with Container Registry vulnerability scanning (Google Cloud Blog, Sep 19 2018)
Google Cloud is pleased to announce Container Registry vulnerability scanning in beta, helping to automatically detect known security vulnerabilities during the early stages of the CI/CD process and prevent the deployment of vulnerable images.

Strengthen security with key Azure innovations (Microsoft Azure Blog, Sep 24 2018)
Two key innovations coming up shortly: Managing your own hardware security module (HSM) & Auditing and automated approval process for service access to Azure compute.

Building security into DevOps versus bolting it on (Help Net Security, Sep 20 2018)
This concept of embedding security early in the development cycle is commonly referred to as shifting security to the left. Container security introduces new types of threats, and security teams typically encounter the following…

Snyk raises $22M on a $100M valuation to detect security vulnerabilities in open source code (TechCrunch, Sep 25 2018)
Open source software is now a $14 billion+ market and growing fast, in use in one way or another in 95 percent of all enterprises.

Privacy Protection Means Encryption at the Application Layer (SecurityWeek, Sep 20 2018)
GDPR Article 32 requires businesses to protect their systems and applications “from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data” by taking into account “appropriate technical and organizational measures”. These technical measures must include a formal process for application security and vulnerability assessment if comprehensive data security is to be achieved.

Retail Sector Second-Worst Performer on Application Security (Dark Reading, Sep 20 2018)
A “point-in-time” approach to PCI compliance could be one reason why so many retailers appear to be having a hard time.

Bug Exposed Direct Messages of Millions of Twitter Users (SecurityWeek, Sep 24 2018)
Twitter has patched a bug that may have caused direct messages to be sent to third-party developers other than the ones users interacted with. The problem existed for well over a year and it impacted millions of users.

Security and privacy improvements in macOS Mojave (Help Net Security, Sep 25 2018)
Apple has released macOS Mojave, which comes with a new Dark Mode, a redesigned Mac App Store, and many new and modified features. It also sports changes aimed at enhancing users’ privacy and security.

Breach at US Retailer SHEIN Hits Over Six Million Users (Infosecurity Magazine, Sep 25 2018)
“It is our understanding that the breach began in June 2018 and continued through early August 2018 and involves approximately 6.42 million customers.”