A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

What Security Managers Need to Know About Amazon S3 Exposures (Disrupt:OPS, Oct 11 2018)
(1/2) The accidental (or deliberate) exposure of sensitive data on Amazon S3 is one of those deceptively complex issues. On the surface it seems entirely simple to avoid, yet despite wide awareness we see a constant stream of public exposures and embarrassments, combined with a healthy dollop of misunderstanding and victim blaming.

Apple, Google, Microsoft, and Mozilla come together to end TLS 1.0 (Ars Technica, Oct 16 2018)
Almost everyone has now migrated to TLS 1.2, and a few have moved to TLS 1.3.

AWS Security Auditing tools comparison (Scott Piper, Oct 16 2018)
“I put all of the checks of PacBot, Security Monkey, and Prowler into a table, and then compared them to Trusted Advisor, Managed AWS Config Rules, and CloudMapper. Not all checks of the latter 3 tools are listed.”

Disrupt:Ops: What Security Managers Need to Know About Amazon S3 Exposures (2/2) (Disrupt:OPS, Oct 15 2018)
In our first post we discussed how the exposure of S3 data becomes such an issue, and some details on how buckets become public in the first place. In this post we go a little deeper before laying the foundation for how to start managing S3 so you avoid making these mistakes yourselves.

Disrupt:Ops: (DevSec)Ops vs. Dev(SecOps) (Disrupt:OPS, Oct 17 2018)
Regarding short-term activities, we remain partial to integrating security testing into your deployment pipeline where possible across your entire infrastructure as code. That means making sure no obvious vulnerabilities exist in the images you use to drive your auto scale groups and the source code that gets pumped into your pipeline.

Google Cloud expands its networking feature with Cloud NAT (TechCrunch, Oct 11 2018)
The marquee launch is Cloud NAT, a new service that makes it easier for developers to build cloud-based services that don’t have public IP addresses and can only be accessed from applications within a company’s virtual private cloud.

Breaking Azure Functions with Too Many Connections (Troy Hunt, Oct 10 2018)
“For the most part, Have I Been Pwned (HIBP) runs very smoothly, especially given how cheaply I run many parts of the service for. Occasionally though, I screw up and get something wrong that interrupts the otherwise slick operation and results in some outage. Last weekend was one such occasion and I want to explain what I got wrong, how you might get it wrong too and then, of course, how to fix it.”

IBM files formal JEDI protest a day before bidding process closes (TechCrunch, Oct 12 2018)
IBM announced yesterday that it has filed a formal protest with the U.S. Government Accountability Office over the structure of the Pentagon’s winner-take-all $10 billion, 10-year JEDI cloud contract. The protest came just a day before the bidding process is scheduled to close. As IBM put it in a blog post, it takes issue with the single-vendor approach. It is certainly not alone.

Secret Amazon Data Center Gives Nod to Seinfeld (Infosecurity Magazine, Oct 12 2018)
On October 11, 2018, WikiLeaks published AmazonAtlas, a 20-page document from late 2015 containing the addresses and operational details for more than 100 of Amazon’s data centers, one of which indicates an affinity for the comedy of Jerry Seinfeld.

Chef Launches New Version for DevSecOps Automated Compliance (SecurityWeek, Oct 16 2018)
Chef Software has announced the latest version of its InSpec compliance automation platform for DevSecOps. InSpec provides an open source high-level language to share security and compliance rules between development, security, and operations engineers. Compliance can be with internal security policy, infrastructure provisioning, and external regulatory requirements.

Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article (AWS Security Blog, Oct 04 2018)
“Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region. As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.”

How AWS SideTrail verifies key AWS cryptography code (AWS Security Blog, Oct 15 2018)
SideTrail is an open source program analysis tool that helps AWS developers verify key security properties of cryptographic implementations. In other words, the tool gives you assurances that secret information is kept secret.

Get more control over your Compute Engine resources with new Cloud IAM features (Cloud Blog, Oct 15 2018)
Two new Cloud IAM features, resource-level IAM and IAM conditions, help you better manage security and access control in Google Compute Engine. Resource-level IAM allows you to set IAM policies on individual resources like VM instances and disks. IAM conditions allow you to grant access based on meeting pre-defined conditions, such as a resource name prefix, raw request attributes (IP, device, etc.), or a specific time frame.

Accelerating AI in healthcare: Security, privacy, and compliance (Microsoft Azure Blog, Oct 16 2018)
Use cases where AI can help vary from diagnostic imaging to predicting the patient length of stay, and even chatbots. But these initiatives must avoid breaches, ransomware, and other privacy compliance issues.

Detecting fileless attacks with Azure Security Center (Microsoft Azure Blog, Oct 15 2018)
Microsoft announced the general availability of Security Center’s Fileless Attack Detection. With Fileless Attack Detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. Fileless Attack Detection periodically scans your machine at runtime and extracts insights directly from the memory of security-critical processes.

Software-Defined Perimeter Architecture Guide Preview: Part 4 (Cloud Security Alliance Blog, Oct 08 2018)
“Over the past three blog posts on this topic, we’ve provided an overview of the Software-Defined Perimeter (SDP) Architecture Guide, including its outline, core SDP concepts, and a summary of SDP benefits. In this, our final preview blog on the Architecture Guide, we’ll introduce the SDP policy section, and conclude with a few final thoughts.”

Why we need to bridge the gap between IT operations and IT security (Help Net Security, Oct 17 2018)
According to the findings, even though IT operations personnel help influence the selection of cybersecurity tools, nearly two out of three say complexity in deployment (30 percent) and complexity in daily use (34 percent) are the biggest hindrances in security tool effectiveness.

Protecting applications from malicious scripts (Help Net Security, Oct 17 2018)
The idea with these strategies is to shift left, and to ensure that security controls are applied to your software from the beginning stages of the software development lifecycle (SDLC).

Audit Finds No Critical Flaws in Firefox Update System (SecurityWeek, Oct 11 2018)
An audit commissioned by Mozilla for the Firefox update system revealed no critical vulnerabilities and the flaws rated “high severity” were not easy to exploit.

GitHub launches Actions, its workflow automation tool (TechCrunch, Oct 16 2018)
Actions allow developers to not just host code on the platform but also run it. We’re not talking about a new cloud to rival AWS here, but instead about something more akin to a very flexible IFTTT for developers who want to automate their development workflows, whether that is sending notifications or building a full continuous integration and delivery pipeline.