A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

The patterns of elite DevSecOps practices (Help Net Security, Mar 05 2019)
– DevOps automation – Elite DevSecOps practices are 350% more likely to have fully integrated and automated security practices across the DevOps pipeline. They also have increased feedback loops that enable security issues to be identified directly from tools.
– Open source controls – 62% of respondents with elite programs have an open source governance policy in place where automation improves adherence to it, compared to just 25% of those without DevOps practices.
– Container controls – 51% of respondents with elite practices say they leverage automated security products to identify vulnerabilities in containers, while only 16% of those without said the same thing.
– Training – Organizations with elite DevSecOps practices are 3x more likely to provide application security training to developers than those organizations without DevOps practices.
– Preparedness – 81% of those with elite practices have a cybersecurity response plan in place compared to 62% of those without DevOps practices.

Two White Hats Earn Over $1 Million via Bug Bounty Programs (SecurityWeek, Mar 01 2019)
Bug bounty platform HackerOne says two of its members have each earned more than $1 million by helping organizations find and fix vulnerabilities in their systems. (Note: Go back to the MIT Review report from Jan 15, which said “The top seven participants in the Facebook program studied made just $34,255 per year from an average of 0.87 bugs per month, while from the HackerOne dataset it was estimated that they made just $16,544 from 1.17 bugs per month.”)

Google reveals BuggyCow macOS security flaw (Naked Security – Sophos, Mar 06 2019)
Google’s Project Zero researchers have revealed a “high severity” macOS security flaw nicknamed ‘BuggyCow’ that Apple appears to be in no rush to patch.


8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras


Cloud business initiatives accelerating faster than security teams’ ability to secure them (Help Net Security, Feb 28 2019)
Only 56% of respondents indicated that network security, security operations or security compliance teams are responsible for cloud security. In the remaining 44% of cases, IT/cloud teams, application owners or other teams outside the security organization are responsible for cloud security.

Security Pros Agree: Cloud Adoption Outpaces Security (Dark Reading, Mar 01 2019)
Oftentimes, responsibility for securing the cloud falls to IT instead of the security organization, researchers report.

IT teams are struggling with network infrastructure challenges caused by the cloud (Help Net Security, Mar 04 2019)
“Public cloud deployments are rapidly growing but IT teams do not have the proper visibility to see infrastructure in public cloud environments, which frequently causes costly problems”

#CSASummit: Ten Years of Cloud Brought Risk, Regulations and Reliability (Infosecurity Magazine, Mar 04 2019)
Ten years of cloud computing have brought about a change in understanding, DevOps, new risk strategies and regulations.

Docker API vulnerability allows hackers to mine Monero (SC Magazine, Mar 05 2019)
The flaw, CVE-2019-5736, allows an attacker to gain host root access from the Docker container through the remote Docker API. Normally, the Docker API allows admins to control a remote Docker host, including automating the deployment process and controlling and getting the state of containers, but if it is accessed by an attacker, a network can be compromised.

Announcing new Azure Security Center capabilities at RSA 2019 (Microsoft Azure Blog, Mar 04 2019)
“With this blog post, we wanted to share with you what we have been working on for Azure Security Center. Azure Security Center now leverages machine learning to reduce the attack surface of internet facing virtual machines. Its adaptive application controls have been extended to Linux and on-premises servers, and extends the network map support to peered virtual network (VNet) configurations.”

Introducing Microsoft Azure Sentinel, intelligent security analytics for your entire enterprise (Microsoft Azure Blog, Feb 28 2019)
“That’s why we reimagined the SIEM tool as a new cloud-native solution called Microsoft Azure Sentinel. Azure Sentinel provides intelligent security analytics at cloud scale for your entire enterprise. Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, to users, to apps, to servers on any cloud.”

Embracing DevSecOps: 5 Processes to Improve DevOps Security (Dark Reading, Feb 27 2019)
In the cyber threat climate of the 21st century, sticking with DevOps is no longer an option.

DevOps Mar 2019 (Gartner Blog Network, Mar 01 2019)
Open-source tools are critical to building the DevOps toolchain. I&O leaders responsible for DevOps must build technical and people skills, implement governance policies, determine the need for commercial support, and integrate open-source tools with the rest of the toolchain.

Application Security Firm Contrast Security Raises $65 Million (SecurityWeek, Feb 28 2019)
California-based application security company Contrast Security on Thursday announced that it raised $65 million in a Series D funding round, which brings the total raised by the firm to $122 million.

Bug in Cobalt Strike pentesting tool used to identify malicious servers (Help Net Security, Mar 01 2019)
An extraneous space in the HTTP responses of webservers run by a variety of malicious actors allowed Fox-IT researchers to identify them pretty easily for the past year and a half.

Bounty Hunters Find 100K+ Bugs Under HackerOne Program in 2018 (Dark Reading, Mar 04 2019)
Organizations signed up with the vulnerability disclosure platform shelled out a record $19 million for bug discoveries in their systems.

Flaws in visitor management systems could roll out welcome mat for attackers (SC Magazine, Mar 04 2019)
Five kiosk-based visitor management systems designed to securely check guests into business facilities or industrial buildings were found to contain vulnerabilities that could potentially allow attackers to physically intrude into spaces, break into private networks or steal information.