A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

A cybersecurity strategy to thwart advanced attackers (AWS Security Blog, Mar 21 2019)
AWS has released two new whitepapers to help customers plan and implement a strategy that has helped many organizations protect, detect, and respond to modern-day attacks.

Casino Screwup Royale: A tale of “ethical hacking” gone awry (Ars Technica, Mar 26 2019)
“Ethical hackers” tried to disclose problems to a casino software company—it got messy.

Best Practices for Implementing a Secure Application Container Architecture (Cloud Security Alliance, Mar 26 2019)
This document serves to identify recommendations and best practices to address the challenges in securing application containers in the engineering of trustworthy secure systems through the lens of the Developer, Operator and Architect.


8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras



Forming the Cloud Security Center of Excellence (DisruptOps, Mar 20 2019)
Giving up and waiting for your assessor to figure out the resulting anarchy is a bad answer. So in this series we map out a path from chaos to control using a concept we call the Cloud Security Center of Excellence, a group established to enable the organization to embrace fast-moving technologies like cloud and DevOps without putting corporate data at risk.

Psychoanalyzing Security Cloud Fears (Gartner Blog Network, Mar 20 2019)
Here is a funny one: why so many security professionals (and leaders) still hate the cloud? OK, OK, I get it, many of you want to respond to this with a WHAT YEAR IS THIS? meme right away, but let me finish… To set the context for this, I am not talking about business use of cloud, but cloud use by security tools. In essence, this is about SECURITY FROM THE CLOUD, not security for the cloud.

Less than 20% of IT pros have complete access to critical data in public clouds (Help Net Security, Mar 26 2019)
87% of respondents expressed fears that a lack of cloud visibility is obscuring security threats to their organization.
95% of respondents said visibility problems had led them to experience an application or network performance issue.
38% cited insufficient visibility as a key factor in application outages, and 31% in network outages.

87% of Cloud Pros Say Visibility Masks Security (Dark Reading, Mar 26 2019)
The majority of cloud IT professionals find a direct link between network visibility and business value, new data shows.

How to use service control policies to set permission guardrails across accounts in your AWS Organization (AWS Security Blog, Mar 25 2019)
AWS Organizations provides central governance and management for multiple accounts. Central security administrators use service control policies (SCPs) with AWS Organizations to establish controls that all IAM principals (users and roles) adhere to. Now, you can use SCPs to set permission guardrails with the fine-grained control supported in the AWS Identity and Access Management (IAM) policy language. This makes it easier for you to fine-tune policies to meet the precise requirements of your organization’s governance rules.

Setting permissions to enable accounts for upcoming AWS Regions (AWS Security Blog, Mar 21 2019)
The AWS Cloud spans 61 Availability Zones within 20 geographic regions around the world, and has announced plans to expand to 12 more Availability Zones and four more Regions.

Securely monitoring your Azure Database for PostgreSQL Query Store (Microsoft Azure Blog, Mar 19 2019)
“A few months ago, I shared best practices for alerting on metrics with Azure Database for PostgreSQL. Though I was able to cover how to monitor certain key metrics on Azure Database for PostgreSQL, I did not cover how to monitor and alert on the performance of queries that your application is heavily relying on. As a PostgreSQL database, from time to time you will need to investigate if there are any queries running indefinitely on a PostgreSQL database. These long running queries may interfere with the overall database performance and likely get stuck on some background process. This blog post covers how you can set up alerting on query performance related metrics using Azure Functions and Azure Key Vault.”

Secure workloads without slowing down your DevOps flows (Help Net Security, Mar 25 2019)
David Meltzer, CTO at Tripwire, and Lamar Bailey, Senior Director of Security Research at Tripwire, discuss the challenges of securing DevOps.

Quality Assurance and Testing is a bottleneck to implementing DevOps for many organizations (Help Net Security, Mar 22 2019)
The practice of Continuous Testing – the process of fast and efficient validation of software releases in agile developments through highly automated tests – is gaining ground in large enterprises, with almost a third of IT executives (32%) stating that their IT departments had ‘fully embraced Continuous Testing’.