A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Facebook: No Evidence Hackers Accessed Third-Party Apps (Infosecurity Magazine, Oct 03 2018)
Social network’s claims seem to limit impact of breach

Latest Building Security In Maturity Model reflects software security initiatives of 120 firms (Help Net Security, Oct 03 2018)
Synopsys released BSIMM9, the latest version of the Building Security In Maturity Model (BSIMM) designed to help organizations plan, execute, and measure their software security initiatives (SSIs). The ninth iteration of BSIMM reflects data collected over a 10-year study of real-world SSIs across 120 firms.

What each cloud company could bring to the Pentagon’s $10 B JEDI cloud contract (TechCrunch, Sep 29 2018)
The RFP process closes on October 12th and the winner is expected to be chosen next April.

Form factor wars: Cloud-based or on-premises security technologies? (CSO Online, Sep 26 2018)
While most organizations are willing to consider cloud-based or on-premises security solutions, nearly one-third still demand the control associated with on-premises.

Hackers Can Stealthily Avoid Traps Set to Defend Amazon’s Cloud (Wired, Oct 02 2018)
A honeytoken can be any data planted to attract hacker interaction. You might, for instance, send yourself an email marked “Important bank stuff,” and put in a link that’s really a honeytoken, to let you know if your account gets breached. In the cloud, honeytokens are often authentication credentials that look like the keys to the kingdom, but actually act as canaries in the coal mine. It’s a clever ruse, and a vital one given the stakes of cloud security.

Kubernetes 1.12 Improves Cloud-Native Security With TLS Bootstrap (eWEEK, Sep 27 2018)
“Things like the TLS Bootstrap, where you’re having to set up certificates and certificate authorities, signing requests and all of that, that’s really tricky to get right. So, it makes sense that it took some time.”

6 Ways to Use CloudTrail to Improve AWS Security (Infosec Island, Oct 02 2018)
Managing security in Amazon Web Services (AWS) is not a set-it-and-forget-it type of proposition. Here are six key best practices that will help your organization identify issues within your AWS accounts and optimize the benefits of using a host-based approach…

Palo Alto Networks to Acquire Cloud Security Firm RedLock for $173 Million (SecurityWeek, Oct 03 2018)
Palo Alto Networks on Wednesday announced that it has entered a definitive agreement to acquire cloud security company RedLock for roughly $173 million in cash.

How to clone an AWS CloudHSM cluster across regions (AWS Security Blog, Oct 01 2018)
You can use AWS CloudHSM to generate, store, import, export, and manage your cryptographic keys. It also permits hash functions to compute message digests and hash-based message authentication codes (HMACs), as well as cryptographically sign data and verify signatures.

Daniel Schwartz-Narbonne shares how automated reasoning is helping achieve the provable security of AWS boot code (AWS Security Blog, Oct 02 2018)
“I recently sat down with Daniel Schwartz-Narbonne, a software development engineer in the Automated Reasoning Group (ARG) at AWS, to learn more about the groundbreaking work his team is doing in cloud security.”

CVE and Cloud Services, Part 2: Impacts on Cloud Vulnerability and Risk Management (Cloud Security Alliance, Sep 28 2018)
Thus, just as enterprise customers must trust cloud service providers with their sensitive data, they must also trust, blindly, that the cloud service providers are properly remediating the vulnerabilities in their environment in a timely manner.

How to Create a Self-Healing IT Infrastructure (DevOps Zone, Sep 26 2018)
Learn about creating a self-healing IT infrastructure: truly self-managed environments where the system itself handles the configuration.

Advanced Threat Protection for Azure Storage now in public preview (Microsoft Azure Blog, Oct 01 2018)
We are excited to announce that this week we have made Advanced Threat Protection available for public preview on Azure Storage Blob service. Advanced Threat Protection for Azure Storage detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit storage accounts.

Putting Security on Par with DevOps (Dark Reading, Oct 03 2018)
DevSecOps is nothing more — and nothing less — than the process of uniting the two main stakeholders, DevOps and security, in a spirit of collaboration. Many organizations have multiple DevOps teams, especially with multiple business units. That’s why it’s important for the security practice to own the cloud security program, which can encompass uniform monitoring and central visibility across all public cloud environments.

A final call for replacing security certificates using Symantec roots (Help Net Security, Oct 01 2018)
In 2017, Google and Mozilla deemed Symantec’s controls over their PKI insufficient for continued operation within the browser root store and put in place a plan for gradual distrust of Symantec roots. Other browsers followed suit. On Oct. 31, 2017, DigiCert completed its acquisition of Symantec Website Security and put in place a plan, approved by browsers, to issue new certificates for Symantec brands and replace those to be distrusted by reissuing them on our trusted roots.

DevSecOps and Development: Making the World Safer One Application at a Time (DevOps Zone, Sep 28 2018)
In order to have great success, you need leadership that defines the key standards, actively facilitates learning and collaboration, and provides the freedom necessary for innovation to occur. Another reason why you need it: great leadership builds trust.

Google taking new steps to prevent malicious Chrome extensions (Ars Technica, Oct 02 2018)
Company plans stricter rules for developers and greater control for users.

ShiftLeft announces code-informed runtime protection for Microsoft’s .Net Framework (Help Net Security, Sep 26 2018)
ShiftLeft announced the general availability of its security-as-a-service platform for Microsoft’s .Net Framework. .Net developers can now leverage the commercial source code analysis solution with an OWASP Benchmark Score of 75 percent to create custom security profiles that protect their applications in runtime.

Twitter patches bug that may have spilled users’ private messages (WeLiveSecurity, Sep 26 2018)
The flaw affected one of the platform’s APIs between May 2017 and September 10 of this year, when it was patched “within hours”.

Gremlin raises $18 million, announces Application Level Fault Injection (Help Net Security, Oct 01 2018)
Along with the new funding round, Gremlin has launched Application Level Fault Injection (ALFI), enabling DevOps teams to inject failure at the application level for developing full-stack resiliency, including within serverless environments.