A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

MD5 and SHA-1 Still Used in 2018 (Schneier on Security, Dec 24 2018)
Last week, the Scientific Working Group on Digital Evidence published a draft document — “SWGDE Position on the Use of MD5 and SHA1 Hash Algorithms in Digital and Multimedia Forensics” — where it accepts the use of MD5 and SHA-1 in digital forensics applications

Automating a DevOps-Friendly Security Policy (Dark Reading, Dec 20 2018)
There can be a clash of missions between security and IT Ops teams, but automation can help.

Cybercriminals Host Malicious Payloads on Google Cloud Storage (SecurityWeek, Dec 19 2018)
A malicious email campaign targeting employees of banks and financial services companies in the United States and the United Kingdom has been abusing Google Cloud Storage for payload delivery, Menlo Labs security researchers say.

Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

3 Reasons to Train Security Pros to Code (Dark Reading, Dec 20 2018)
United Health chief security strategist explains the benefits the organization reaped when it made basic coding training a requirement for security staff.

Why are some vulnerabilities disclosed responsibly while others are not? (Help Net Security, Dec 20 2018)
EU’s cybersecurity agency ENISA has delved into the problematics of vulnerability disclosure and has released a report that addresses economic factors, incentives and motivations that influence the behaviour of the various vulnerability disclosure actors, as well as two case studies of recently disclosed high-profile vulnerabilities (Meltdown, Spectre, EternalBlue) that illustrate how the process occurs.

Singapore Government Announces Second Bug Bounty Program (SecurityWeek, Dec 21 2018)
The government of Singapore this week announced plans to launch a second bug bounty program in collaboration with hacker-powered security platform HackerOne.

Choose the Right Level of Abstraction with Public Cloud Container Services (Gartner Blog Network, Dec 20 2018)
Many organizations lack the technical expertise to take on the significant engineering effort of deploying and maintaining container orchestration platforms in production.

The Seven Steps of the DevOps Lifecycle Process (IT Pro, Dec 20 2018)
A well implemented devops process should mean delivering better code, faster. But getting it right does mean investing in an appropriate process. Here’s a framework for seven steps to successful devops.

Security Analytics: Benefits and Best Practices for Deploying (IT Pro, Dec 20 2018)
Security analytics offer a comprehensive, automated system for staying on top of security alerts and events. What should your IT team keep in mind when researching and deploying these tools?