A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Exploring container security: the shared responsibility model in GKE (Google, Mar 29 2019)
This post is part of our blog post series on container security at Google. As newer infrastructure models emerge, though, it’s not always easy to figure out what you’re responsible for versus what’s the responsibility of the provider. In this blog post, we aim to clarify for Google Kubernetes Engine (GKE) what we do and don’t do—and where to look for resources to lock down the rest.

UK Watchdog Criticizes Huawei for Lax Software Security, Development (Dark Reading, Mar 29 2019)
Calling the company’s software development practices chaotic and unsustainable, a UK government oversight group calls on the company to make measurable progress toward more secure and sustainable code.

AWS releases new S3 storage for long-term data retention (Help Net Security, Mar 31 2019)
At just $0.00099 per GB-month (less than one-tenth of one cent, or $1 per TB-month), S3 Glacier Deep Archive offers the lowest cost storage in the cloud, at prices significantly lower than storing and maintaining data in on-premises magnetic tape libraries or archiving data off-site.


8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras



Next Generation Firewalls are Old News in the Cloud (Infosec Island, Mar 27 2019)
As users start to change the way they deploy infrastructure to the cloud, they will also need to find security solutions that are built by using the cloud in order to secure the cloud.

Security and privacy still the top inhibitors of cloud adoption (Help Net Security, Apr 01 2019)
Cloud adoption is gaining momentum, as 36 percent of organizations are currently in the process of migrating to the cloud while close to 20 percent consider themselves to be in the advanced stages of implementation.

AWS launches Concurrency Scaling, a new Amazon Redshift feature (Help Net Security, Mar 28 2019)
Amazon Web Services, an Amazon.com company, announced the general availability of Concurrency Scaling, a new Amazon Redshift feature that automatically adds and removes capacity to handle unpredictable demand from thousands of concurrent users.

Financial sector recognizes the benefits of hybrid cloud but still struggles to enable IT transformation (Help Net Security, Apr 02 2019)
The financial sector outpaces other industries in the adoption of hybrid cloud, with the deployment of hybrid cloud reaching 21% penetration today, compared to the global average of 18.5%.

How to run AWS CloudHSM workloads on Docker containers (AWS Security Blog, Apr 02 2019)
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. Your HSMs are part of a CloudHSM cluster. CloudHSM automatically manages synchronization, high availability, and failover within a cluster.

Enabling serverless security analytics using AWS WAF full logs, Amazon Athena, and Amazon QuickSight (AWS Security Blog, Mar 28 2019)
This blog post will show you how to analyze AWS Web Application Firewall (AWS WAF) logs and quickly build multiple dashboards, without booting up any servers. With the new AWS WAF full logs feature, you can now log all traffic inspected by AWS WAF into Amazon Simple Storage Service (Amazon S3) buckets by configuring Amazon Kinesis Data Firehose.

Taking charge of your data: Understanding re-identification risk and quasi-identifiers with Cloud DLP (Google, Mar 29 2019)
“In previous “Taking charge of your data” posts, we talked about how to use Cloud DLP to gain visibility into your data and how to protect sensitive data with de-identification, obfuscation, and minimization techniques. In this post, we’re going to talk about another kind of risk: re-identification, and how to measure and reduce it.”

Thoughts on OSSEC Con 2019 (Tao Security, Apr 01 2019)
Docker and containers have made software testing and deployment a lot easier for everyone. However, those who provide containers have effectively become Linux distribution maintainers. In other words, who is responsible when a security or configuration vulnerability in a Linux component is discovered? Will the container maintainers be responsive?

Programmers Who Don’t Understand Security Are Poor at Security (Schneier on Security, Mar 27 2019)
“A university study confirmed the obvious: if you pay a random bunch of freelance programmers a small amount of money to write security software, they’re not going to do a very good job at it.”

The CIO’s greatest roadblock to Agile development: Security governance (Help Net Security, Apr 02 2019)
Hence, the challenge for CIOs now is to start thinking at a much higher level. Regardless of the methodology chosen (Agile, Waterfall, or Hybrid), CIOs must now consider what essential services are needed by the business.

Integration of C-STAT Code Analysis with Automated Jenkins CI Build (DevOps Zone, Apr 02 2019)
“In this article, we are going to see one such embedded development tool (IAR Embedded workbench) and how we can integrate C-STAT static code analysis with a continuous integration build (Jenkins), as well as how to set some quality gates with an automated build.”

Facebook’s Whitehat Settings lets bug-hunters dial back app security (Naked Security – Sophos, Mar 27 2019)
What if the security controls added by Facebook to make it harder for snoopers and ne’er-do-wells to attack the company’s servers makes things harder for researchers who are trying to hunt for bugs legitimately? That’s what’s been happening, bug hunters have told Facebook via its Whitehat survey.

Attackers Store Malware in Hidden Directories of Compromised HTTPS Sites (SecurityWeek, Apr 01 2019)
Cybercriminals are utilizing hidden “well-known” directories of HTTPS sites to store and serve malicious payloads, Zscaler security researchers have discovered.

JavaScript Library Introduced XSS Flaw in Google Search (SecurityWeek, Apr 01 2019)
A change made several months ago in an open-source JavaScript library introduced a cross-site scripting (XSS) vulnerability in Google Search and likely other Google products.

Application Security Management Firm Sqreen Raises $14 Million (SecurityWeek, Apr 02 2019)
Sqreen’s solution uses a hybrid security-as-a-service (SaaS) architecture and it relies on several modules — each of them can be enabled with one click — to provide deep security and risk visibility. Modules include the runtime application self-protection (RASP) module, which the company says is the most widely used, an in-app web application firewall, and an account takeover protection module.