A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
New feature to prevent Amazon S3 bucket misconfiguration (Help Net Security, Nov 19 2018)
This new feature allows account owners/administrators to centrally block existing public access (whether made possible via an ACL or a policy) and to make sure that newly created items aren’t inadvertently granted public access.
Instagram accidentally reveals plaintext passwords in URLs (Naked Security – Sophos, Nov 20 2018)
It’s yet another security stumble following the massive Facebook hack in September, and it likely points to shoddy encryption practices.
How to manage security governance using DevOps methodologies (AWS Security Blog, Nov 20 2018)
“The approach I’ll demonstrate in this post isn’t a silver bullet, but it’s a method by which you can control some of that inevitable shift in threat evaluations resulting from changes in business and technical operations, such as vulnerability announcements, feature updates, or new requirements.”
Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.
AWS Security Profiles: Brittany Doncaster, Solutions Architect (AWS Security Blog, Nov 15 2018)
In the weeks leading up to re:Invent, AWS is posting tons of short interviews with their people who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing. This is one of those.
Five lessons for building your roadmap to a secure hybrid cloud future (Microsoft Azure Blog, Nov 15 2018)
…how federal CIOs can best prepare for a cloud environment that works securely with on-premises datacenters.
Container strategies don’t take security seriously enough (Help Net Security, Nov 15 2018)
A surprising percentage of respondents are running their containerized applications only on premise…
AWS Adds New Feature for Preventing Data Leaks (SecurityWeek, Nov 16 2018)
AWS’s latest attempt to prevent leaks is called Amazon S3 Block Public Access, which should provide an additional layer of protection for both an entire account and individual buckets.
Alcide raises $7M to redefine cloud security (Help Net Security, Nov 20 2018)
The Alcide Microservices Firewall brings application-aware micro-segmentation, always on threat intelligence, powered by Alcide’s embedded policies enforcement capabilities.
Taking charge of your data: using Cloud DLP to de-identify and obfuscate sensitive information (Google Cloud Blog, Nov 20 2018)
“In this post we’ll tackle how to protect that data by incorporating data obfuscation and minimization techniques automatically into your workflows—leaving less potential for human error.”
From Reactive to Proactive: Security as the Bedrock of the SDLC (Dark Reading, Nov 15 2018)
Secure code development should be a priority, not an afterthought, and adopting the software development life cycle process is a great way to start.
How DevSecOps Can Help Avoid Catastrophic Breaches (DevOps, Nov 19 2018)
What is common across all these scenarios? They arguably could have been avoided with basic safeguards underpinned by a healthy dose of DecSecOps. In hindsight, let’s see what specific strategies developers can adopt to avoid such horrendous leaks.
Firefox Alerts Users When Visiting Breached Sites (SecurityWeek, Nov 15 2018)
Mozilla has added a new feature to Firefox to alert users when they visit a website that has been part of a data breach in the past.
Make-A-Wish website compromised to serve cryptojacking script (Help Net Security, Nov 20 2018)
Visitors of the international website of the US-based non-profit Make-A-Wish Foundation have had their computing power misused to covertly mine cryptocurrency, Trustwave researchers have found.
Facebook Boosts Bug Bounty Payouts for Account Takeover Flaws (eWEEK, Nov 21 2018)
Facebook wants to make it easier and more worthwhile for security researchers to responsibly disclose account takeover vulnerabilities.