A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Kubernetes’ first major security hole discovered (ZDNet, Dec 05 2018)
There’s now an invisible way to hack into the popular cloud container orchestration system Kubernetes.

Quora data breach: 100 million users affected (Help Net Security, Dec 04 2018)
Question-and-answer website Quora has suffered a data breach that may have affected approximately 100 million of its users.

AWS is bringing the cloud on prem with Outposts (TechCrunch, Nov 28 2018)
You can now put AWS into your data center with AWS hardware, the same design they use in their own data centers. The two new products are part of AWS Outposts.

Researchers Introduce Smart Greybox Fuzzing (SecurityWeek, Nov 29 2018)
A team of researchers has introduced the concept of smart greybox fuzzing, which they claim is much more efficient in finding vulnerabilities in libraries that parse complex files compared to existing fuzzers.

How Oracle Is Convincing Institutional Users to Move to Cloud (eWEEK, Dec 04 2018)
Oracle has launched a new consulting platform called Soar, which the company contends is the world’s first automated cloud migration offering. This will serve as the basis for much of its innovation in the future, CEO Mark Hurd tells eWEEK.

Google Cloud Security Command Center is now in beta and ready to use (Google Cloud Blog, Dec 05 2018)
“In March, we announced Cloud Security Command Center in alpha, becoming the first major cloud provider to offer organization-level visibility into assets, vulnerabilities, and threats. Starting today, this security service is available to Google Cloud Platform (GCP) customers in beta.”

Blind spots and how to see them: Observability in a serverless environment (Help Net Security, Nov 28 2018)
While it’s tempting to equate serverless with less security responsibility for your organization, the shared responsibility model still holds true.

Google Makes Secure LDAP Generally Available (SecurityWeek, Nov 29 2018)
Google this week announced the general availability of secure LDAP, after introducing the capability in October at Next ’18 London.

AWS wants to rule the world (TechCrunch, Dec 02 2018)
Whether it was hardware like the new Inferentia chip and AWS Outposts, the new on-prem servers or blockchain and a base station service for satellites, if AWS saw an opportunity, they were not ceding an inch to anyone.

Scaling a governance, risk, and compliance program for the cloud, emerging technologies, and innovation (AWS Security Blog, Dec 03 2018)
Governance, risk, and compliance (GRC) programs are sometimes looked upon as the bureaucracy getting in the way of exciting cybersecurity work. But a good GRC program establishes the foundation for meeting security and compliance objectives. It is the proactive approach to cybersecurity that, if done well, minimizes reactive incident response.

Docker Looks to Improve Container Development With Enterprise Desktop (eWEEK, Dec 04 2018)
While many developers have already embraced the community edition of Docker Desktop, the new Enterprise Desktop integrates additional tools and capabilities to help make it easier to build container applications.

Microservices becoming architectural style of choice for application development (Help Net Security, Dec 05 2018)
Microservices – a software development technique where an application is created by combining numerous smaller services – have evolved from fad to trend, becoming an architectural style of choice for new application development and the migration target for many existing systems, according to O’Reilly.

Announcing Chef Automate integration with Google Cloud Security Command Center (Chef Blog, Dec 05 2018)
“Chef is proud to be a launch partner with Google, delivering an integration between Cloud SCC and Chef Automate. Cloud SCC helps security teams gather data, identify threats, and act on them before they result in business damage or loss.”

What cloud platforms are DevOps professionals being asked to understand? (Help Net Security, Dec 03 2018)
Cloud Academy released its November 2018 Data Report revealing trends and shifts in the cloud computing industry.

DevOps Chat: DevSecOps with Signal Sciences’ James Wickett (DevOps, Dec 04 2018)
James Wickett is the man to go to for DevSecOps. The founder of the Rugged DevOps movement, which has merged into the DevSecOps group, James is one of the most knowledgeable people on the subject of DevSecOps.

Mozilla Testing DNS-over-HTTPS in Firefox (SecurityWeek, Nov 30 2018)
Mozilla is moving forward with yet another project designed to provide users with increased security: it is now testing DNS-over-HTTPS (DoH) in Firefox stable.

iTunes Doesn’t Encrypt Downloads—on Purpose (Wired, Dec 02 2018)
While HTTPS has made the web at large a much safer place, Apple has chosen to forgo it for iTunes and App Store downloads.

Zoom patches serious video conferencing bug (Naked Security – Sophos, Dec 04 2018)
Zoom moved to patch a bug in its service this week that enabled people to hijack customer video conferences.

XS-Search Flaw Found in Google’s Issue Tracker (SecurityWeek, Dec 03 2018)
A security flaw recently discovered in Google’s Monorail open-source issue tracker could be exploited to perform a Cross-Site Search (XS-Search) attack, a security researcher says.

Jared, Kay Jewelers Parent Fixes Data Leak (Krebs on Security, Dec 03 2018)
The parent firm of bling retailers Jared and Kay Jewelers has fixed a bug in the Web sites of both companies that exposed the order information for all of their online customers.