A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Three of the Most Crucial Sections of the DevSecOps Roadmap (DisruptOPS, Nov 08 2018)
“As Rich Mogull says, Cloud Security starts with architecture and ends with automation. Our DevSecOps roadmap adheres to this guidance. This post will dig into the three sections of the roadmap at a high level. Then we’ll follow up with additional posts to delve into each aspect of the roadmap.”

Amazon Web Services launches second GovCloud Region in the United States (Help Net Security, Nov 13 2018)
With the launch of the AWS GovCloud (US-East) Region, AWS now provides 57 Availability Zones across 19 geographic regions globally with another 12 Availability Zones and four regions coming online in Bahrain, Hong Kong SAR, South Africa, and Sweden between the end of 2018 and the first half of 2020.

A simpler way to assess the network exposure of EC2 instances: AWS releases new network reachability assessments in Amazon Inspector (AWS Security Blog, Nov 09 2018)
AWS recently released the Network Reachability rules package in Amazon Inspector, the automated security assessment service that enables you to understand and improve the security and compliance of applications deployed on AWS.

Google Wants More Projects Integrated With OSS-Fuzz (SecurityWeek, Nov 07 2018)
Google revealed plans to reach out to critical open source projects and invite them to integrate with OSS-Fuzz. Launched in December 2016, OSS-Fuzz is a free and continuous fuzzing infrastructure hosted on the Google Cloud Platform and designed to serve the Open Source Software (OSS) community through finding security vulnerabilities and stability issues.

Cloud Security: How to Secure Your Sensitive Data in the Cloud (Gemalto, Nov 07 2018)
A Bring Your Own Key (BYOK) approach enables organizations to securely create and manage their own encryption keys, separate from the cloud service provider (CSP) hosting their sensitive data.

Dropbox strengthens security ecosystem with Google Cloud Identity and expanded partnerships (Help Net Security, Nov 09 2018)
Dropbox is partnering with Google Cloud Identity, BetterCloud, Coronet, Proofpoint, and SailPoint, all of which have built integrations to support Dropbox Business.

(DevSec)Ops vs. Dev(SecOps) (DisruptOPS, Nov 12 2018)
“As much as you try to automate everything in your DevOps world, humans still play, and they make mistakes. We all do. Having Guardrails in place to monitor, and most importantly automatically fix, the issues found will dramatically reduce risk.”

Cloud Security Firm Netskope Raises $168.7 Million (SecurityWeek, Nov 13 2018)
Cloud security firm Netskope on Tuesday announced that it has raised $168.7 million in a Series F funding round, which brings the total raised by the company to date to over $400 million.

How to create and retrieve secrets managed in AWS Secrets Manager using AWS CloudFormation template (AWS Security Blog, Nov 12 2018)
AWS Secrets Manager now integrates with AWS CloudFormation so you can create and retrieve secrets securely using CloudFormation. This integration makes it easier to automate provisioning your AWS infrastructure.

Using AWS Firewall Manager and WAF to protect your web applications with master rules and application-specific rules (AWS Security Blog, Nov 12 2018)
This blog post will take you through the specific steps to implement firewall rules using both AWS Web Application Firewall (AWS WAF) and AWS Firewall Manager, including how to use a predefined set of AWS WAF rules like a master rule set that you can enforce on multiple resources.

Deep dive into managed TLS certs for HTTP(S) Load Balancers (Google Cloud Blog, Nov 07 2018)
“At Google, we believe in using TLS wherever possible. In 2014, Google’s Search team announced that using HTTPS would positively impact page rankings. Fast forward to 2018, and we’ve taken it a step further: Chrome now marks HTTP sites as “Not Secure.” We’re not stopping there, though. Eventually, we’ll assume TLS everywhere and only call out sites that are not secure.”

Methods to Audit Docker Container Security (Container Journal, Nov 14 2018)
The open source Anchore tool can be used to validate Docker images. It works by downloading Docker images and then running them against policies defined by the user.

Protect Linux containers running in IaaS with Azure Security Center (Microsoft Azure Blog, Nov 13 2018)
Azure Security Center now provides you with several new capabilities to help you secure your containers.

Checkmarx Acquires Custodela (Dark Reading, Nov 07 2018)
The purchase adds DevSecOps capabilities to a software license compliance platform.

DigiCert works with its partners to move past Google’s distrust of Symantec TLS certificates (Help Net Security, Nov 07 2018)
In the year since acquiring Symantec’s Website Security and PKI businesses, DigiCert has managed a certificate replacement program leading to the wholesale exchange of Symantec CA infrastructure and replacing more than 5 million certificates.

Threat Stack acquires runtime application security vendor Bluefyre (Help Net Security, Nov 08 2018)
With the addition of Bluefyre, Threat Stack will empower developers to build applications that can detect and prevent threats at runtime, including applications running on Kubernetes.

Facebook Bug Let Websites Access Private User Data (Infosecurity Magazine, Nov 13 2018)
Facebook reportedly fixed a bug that granted websites access to user info and their contacts.

HTTP/3: Come for the speed, stay for the security (Naked Security – Sophos, Nov 14 2018)
Key personnel at the Internet Engineering Task Force (IETF) have suggested basing the next version of a core web protocol on Google technology.