A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

The hybrid cloud market just got a heck of a lot more compelling (TechCrunch, Oct 30 2018)
Let’s start with a basic premise that the vast majority of the world’s workloads remain in private data centers. Cloud infrastructure vendors are working hard to shift those workloads, but technology always moves a lot slower than we think. That is the lens through which many cloud companies operate.

IBM to buy Red Hat for $34B in cash and debt, taking a bigger leap into hybrid cloud (TechCrunch, Oct 29 2018)
“IBM will become the world’s number-one hybrid cloud provider, offering companies the only open cloud solution that will unlock the full value of the cloud for their businesses.”

Cloudera and Hortonworks Merge (Securosis, Oct 25 2018)
“I can confirm we see the same lack of interest in deployment of Hadoop to the cloud, the same use of S3 as a storage medium when Hadoop is used atop Infrastructure as a Service (IaaS), and the same developer-driven selection of whatever platform is easiest to use and deploy on.”

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

Quick and Dirty: Building an S3 Guardrail with Config (DisruptOPS, Oct 25 2018)
“In How S3 Buckets Become Public, and the Fastest Way to Find Yours we reviewed the myriad of ways S3 buckets become public and where to look for them. Today I’ll show the easiest way to continuously monitor for public buckets using AWS Config. The good news is this is pretty easy to set up…”

Building a Multi-cloud Logging Strategy: Introduction (Securosis, Oct 25 2018)
“The road to cloud is littered with the charred remains of many who have attempted to create multi-cloud logging for their respective employers. But cloud services are very different – structurally and operationally – than on-premise systems.”

Securing Serverless: Attacking an AWS Account via a Lambda Function (Dark Reading, Oct 25 2018)
“Caleb decided to let people attack his AWS account through a Lambda function that enables you to run shell commands. Sounds like a worthy challenge. After all, it’s not every day that someone lets you wreak havoc on their account and run attacks freely. Now I was excited!”

Microsoft has no problem taking the $10B JEDI cloud contract if it wins (TechCrunch, Oct 26 2018)
Earlier this month, Google withdrew, claiming ethical considerations. Amazon’s Jeff Bezos responded in an interview at Wired25 that he thinks that it’s a mistake for big tech companies to turn their back on the U.S. military. Microsoft president Brad Smith agrees.

Disrupt:Ops: Consolidating Config Guardrails with Aggregators (DisruptOPS, Oct 26 2018)
“In Quick and Dirty: Building an S3 guardrail with Config we highlighted one of the big problems with Config: you need to set it up in each region of each account…for this post I want to highlight how to aggregate Config into a unified dashboard.”

Investigating Implausible Bloomberg Supermicro Stories (ServeTheHome, Oct 30 2018)
“..we are going to more thoroughly address the Bloomberg Businessweek article alleging that China targeted 30 companies by inserting chips in the manufacturing process of Supermicro servers. Despite denials from named companies and the technology press casting some reasonable doubt on the story, Bloomberg doubled down and posted a follow-up article claiming a different hack took place.”

DAM Not Moving to the Cloud (Securosis, Oct 29 2018)
“I do still want some of DAM’s monitoring functions for cloud migrations, specifically looking for SQL injection attacks – which are still your issue to deal with – as well as looking for credential misuse, such as detecting too much data transfer or scraping. Cloud providers log API access to the database installation, and there are cloud-native ways to perform assessment. But on the monitoring side there are few other options for watching SQL queries.”

How to analyze AWS WAF logs using Amazon Elasticsearch Service (AWS Security Blog, Oct 30 2018)
Log analysis is essential for understanding the effectiveness of any security solution. It can be valuable for day-to-day troubleshooting and also for your long-term understanding of how your security environment is performing.

Control and improve your security posture with Azure Secure score (Microsoft Azure, Oct 25 2018)
Secure score takes into consideration the severity and the impact of the recommendation. Based on that information, it assigns a numerical value to show how fixing this recommendation can improve your security posture.

The Case for MarDevSecOps (Dark Reading, Oct 30 2018)
The shadow IT that has been supporting marketing behind the scenes can finally come together in the light of day under a single force — MarDevSecOps.

Networking and DevOps (Gartner Blog Network, Oct 30 2018)
There’s a lot of information (and misinformation) out there about networking and devops (or some variation of Net + Dev + Ops + Sec, if you prefer). Virtualizing appliances, adding APIs and automating manual networking tasks are good – but alone do not mean you have DevOpsified all the network things.

Firefox 63 gets tough with trackers (Naked Security – Sophos, Oct 25 2018)
Mozilla’s Enhanced Tracking Protection is going mainstream.

WordPress takes aim at ancient versions of its software (Naked Security – Sophos, Oct 24 2018)
If you’re running a very old version of WordPress on your website, the project’s staff would like a word with you.

Could TLS session resumption be another ‘super cookie’? (Naked Security – Sophos, Oct 25 2018)
Researchers think they’ve spotted a tracking technique that nobody has been paying attention to – TLS session resumption.

Snakes in the grass! Malicious code slithers into Python PyPI repository (Naked Security – Sophos, Oct 30 2018)
Not for the first time, typosquatting malware made its way into an open source code repository.

How one man could have taken over any business on Facebook (Naked Security – Sophos, Oct 31 2018)
He discovered a way to import administrators to a business account via a call to the social network’s website that didn’t have any access control set on it. This made it possible to add anyone as an administrator to any business account, he claimed. The attack could be executed by making a simple HTTP post to Facebook’s site that included the ID of the targeted business, the ID of the attacker’s account, and a session ID.

6 takeaways from McAfee MPower (CSO Online, Oct 27 2018)
The company articulates its device-to-cloud security strategy with vision and series of announcements.