A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Protecting What Matters: Data Guardrails & Behavioral Analytics (Disrupt:Ops, Nov 06 2018)
The easiest way to understand the difference between data guardrails and data behavioral analytics is that guardrails rely on pre-built deterministic rules (which can be as simple as “if this then that”), while analytics rely on AI, machine learning, and other heuristic technologies which look at patterns and deviations.

Thoma Bravo Buys Veracode From Broadcom for $950 Million (SecurityWeek, Nov 05 2018)
Private equity investment firm Thoma Bravo on Monday announced that it has entered an agreement to acquire application security testing company Veracode from Broadcom.

DevOps and security: How to make disjointed security and DevOps teams work effectively (Help Net Security, Nov 07 2018)
What’s the answer? How do we get an effective and efficient software factory running that turns out applications on time and on budget while also minimizing security risk?


The 4 Phases to Automating Cloud Management (Disrupt:Ops, Oct 31 2018)
“I find it more useful to describe my personal journey and my technical realizations along the way. If you’re a security pro, or someone trying to up-skill a security pro for cloud, odds are you will end up on a very similar path.”

Bringing enterprise network security controls to your Kubernetes clusters on GKE (Google Cloud Blog, Nov 01 2018)
These new features enable you to limit access to your Kubernetes clusters from the public internet, confining them within the secure perimeter of your VPC, and to share common resources across your organization without compromising on isolation.

Qualys Snaps Up Container Firm (Dark Reading, Oct 31 2018)
Qualys plans to use Layered Insight’s technology to add runtime capabilities and automated enforcement to its container security tool.

Most Businesses to Add More Cloud Security Tools (Dark Reading, Nov 06 2018)
Cloud adoption drives organizations to spend in 2019 as they learn traditional security practices can’t keep up.

Hybrid cloud complexity pushes organizations to look for more security tools (Help Net Security, Nov 07 2018)
As more organizations embrace hybrid cloud – with more than 50 percent claiming a hybrid cloud setup – and serverless, now used by close to a third of organizations, they lack the tools and specialization to keep up, according to Alcide.

Enterprises Need to Stop Playing Catch-Me-If-You-Can With Their Containers (Infosecurity Magazine, Nov 07 2018)
Many enterprises aren’t even aware that they have deployed containers and orchestrated containerization.

Why Automation is the Crucial Ingredient in Microservices Security (Container Journal, Nov 01 2018)
Microservices have been widely used for years. Their cousin, service oriented architecture (SOA), is even older. Yet, despite the fact that most of us are familiar with microservices now as a deployment concept, it can be easy to overlook the ways in which microservices change the game from a security perspective. In several key security-related ways, microservices are fundamentally different…

Cybersecurity professional impressions on cloud-native security (CSO Online, Oct 31 2018)
“My takeaway is that cloud-native security controls are often used as a matter of convenience and probably good enough for organizations betting on a single CSP. This may characterize mid-market organizations, but it is a mismatch for enterprises. Thus, enterprises will continue to anchor cloud security with third-party security management tools for the foreseeable future.”

How IBM’s $34B Bid for Red Hat Will Spur DevOps Adoption (DevOps, Nov 02 2018)
IBM’s proposed acquisition of Red Hat for $34 billion will have an immediate impact in raising awareness for a programmatic approach to managing hybrid clouds based on best DevOps practices.

A Deeper Dive into InSpec 3 and Google Cloud Platform (Chef Blog, Nov 06 2018)
The recently released InSpec 3 expands the developer ecosystem for compliance-as-code through plugins, integrations, and other new capabilities. This post will outline some of the ways that InSpec brings compliance-as-code to Google Cloud Platform (GCP).

Exploring container security: running and connecting to HashiCorp Vault on Kubernetes (Google Cloud Blog, Nov 01 2018)
If you’re serious about security, you need a secrets management tool that provides a single source of secrets, credentials, and other sensitive information for your organization. HashiCorp Vault is a popular open-source tool that does just that.

Not Every Security Flaw Is Created Equal (Dark Reading, Nov 01 2018)
“Our analysis shows a very strong correlation between high rates of security scanning and lower long-term application risks, which we believe presents a significant piece of evidence for the efficacy of DevSecOps. The most active DevSecOps programs fix flaws more than 11.5 times faster than the typical organization.”

Magecart Strikes Again, and Kitronik Is Latest Victim (Infosecurity Magazine, Nov 05 2018)
Magecart, the payment-card–skimming malware, has taken another victim, Kitronik, a leading supplier of electronic project kits in the UK.

Midterm Elections 2018: Voting Machine Meltdowns Are Normal—That’s the Problem (Wired, Nov 06 2018)
Americans watched their voting technology break down right in front of their eyes—or on social media—Tuesday, but it’s too soon to tell if the problems reached historic proportions.

U.S. Air Force Announces Third Bug Bounty Program (SecurityWeek, Nov 06 2018)
The United States Air Force on Monday announced that it has launched its third bug bounty program in collaboration with HackerOne.