A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
DevOps & digital transformation are creating insecure apps (Help Net Security, Oct 08 2018)
Not unlike last year’s findings, the top four most likely DAST vulnerabilities to be discovered remain:
Information leakage (45 percent)
Content spoofing (40 percent)
Cross site scripting (38 percent)
Insufficient transport layer protection (23 percent).
Microsoft shows off government cloud services with JEDI due date imminent (TechCrunch, Oct 09 2018)
Just a day after Google decided to drop out of the Pentagon’s massive $10 billion, 10-year JEDI cloud contract bidding, Microsoft announced increased support services for government clients. In a long blog post, the company laid out its government focused cloud services.
Lessons Learned from the Facebook Breach: Why Logic Errors Are So Hard to Catch (Dark Reading, Oct 09 2018)
In practice, that means three stages of review: At the DevOps level, use automated tools to find the low-hanging fruit and developers who code with security in mind. Use quality assurance (QA) teams that have deep knowledge of how your application should work. Lastly, beef up your bug bounty program to ensure an external review of your application from talented and experienced security researchers.
Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.
What a CIO Needs to Know About Cloud Security (eWEEK, Oct 03 2018)
1: Cloud usage continues to be on the rise, 2: Better security is enabling additional cloud usage, 3: Know the core vulnerability of the cloud, 4: Phishing causes 95 percent of all cyber data breaches.
Cloudera, Hortonworks Merger Will Create New Data Platform (eWEEK, Oct 04 2018)
Combination of two longtime rivals expected to establish a unified Hadoop and industry standard platform that will cover data management from data center, to the cloud, to the edge and to AI.
For some cloud services more than 75% of accounts are utilized by hackers (Help Net Security, Oct 04 2018)
Researchers found that 21.57% percent of accounts originating from cloud service IP ranges appear to be fraudulent. Malicious accounts are eight times more likely to originate via cloud services than normal users. In fact, some cloud services and data centers can have more than 75% fraudulent accounts.
CloudKnox Raises $10.8 Million to Help Manage Cloud Privileges (SecurityWeek, Oct 04 2018)
Losing control of accounts with elevated privileges is a major concern for all organizations, and can only be solved by enforcing a strict policy of least privilege. That is not easy, but even harder in hybrid cloud environments. It has been estimated that there are almost 8,000 separate actions — or privileges — available across AWS, Azure, Google Cloud and vSphere. Managing privilege to this amount of actions is almost impossible manually.
Utimaco launches Cryptoserver Cloud: HSM as a Service for secure multi-cloud environments (Help Net Security, Oct 08 2018)
Utimaco announced its cloud HSM offering in Europe and Asia. With CryptoServer Cloud, the German hardware security specialist launches a customizable HSM as a Service.
Most enterprises highly vulnerable to security events caused by cloud misconfiguration (Help Net Security, Oct 05 2018)
Just about every company surveyed registered concern about cloud misconfiguration, with 46 percent saying they were “highly concerned” and 46 percent being “somewhat concerned.” This level of concern has not yet translated into action, with only 28 percent reporting that they continuously monitor misconfiguration alerts.
Symantec Brings Workload Assurance Security to the Cloud (eWEEK, Oct 09 2018)
Symantec is expanding its cloud security portfolio with new cloud workload assurance capabilities, enhanced cloud workload security features, as well as a new Managed Cloud Defense service.
Bridging the priority gap between IT and security in DevOps (Help Net Security, Oct 04 2018)
For DevOps teams to address this priority gap between IT and security teams during DevOps, the best strategy involves optimizing automated solutions to support the governance, risk, and compliance activities that are now considered essential to any modern software process. Such automated approaches are consistent with industry models such as the Gartner Application Security Risk Threat Management (ASTRM) model.
Hackers Earn $150,000 in Marine Corps Bug Bounty Program (SecurityWeek, Oct 04 2018)
The U.S. Department of Defense’s sixth public bug bounty program, Hack the Marine Corps, has concluded, and white hat hackers who took part in the challenge earned more than $150,000.
Git Gets Patched for Newly Found Flaw (Dark Reading, Oct 09 2018)
A vulnerability in Git could allow an attacker to place malicious, auto-executing code in a sub-module.
IT Science Case Study: Connecting Dev Tools for Continuous Integration (eWEEK, Oct 09 2018)
Harness reduced Jobvite’s deployment time by 10X. Prior to Harness, a typical production deployment for the team would take 27 minutes; now that same deployment takes just 2 minutes. Jobvite engineers can also now build, deploy and fix their own code.
Alert Logic extends security to cover any container across multiple platforms (Help Net Security, Oct 09 2018)
Alert Logic’s update to the Network Intrusion Detection System (NIDS) for containers adds container log management and extends capabilities beyond Amazon Web Services (AWS) to Microsoft Azure, on-premises and hosted environments.
Google Criticizes Apple Over Safari Security, Flaw Disclosures (SecurityWeek, Oct 08 2018)
One year after it was released as open source by Google Project Zero, the Domato fuzzer has still found a significant number of vulnerabilities in Apple’s Safari web browser.
Health websites routinely share your activity with 57 third-parties (Help Net Security, Oct 09 2018)