A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

To DevSecOps or not to DevSecOps? (Help Net Security, Apr 03 2019)
“Security teams must commit to cultural changes to be successful in a DevSecOps world – they need to gain a better understanding of the business environment impacting their organizations and re-imagine their own role as risk management consultants supporting aggressive innovation. Governance and compliance will still remain significant drivers in the role, but the primary focus has to be on support for their DevOps teams…”

A New Approach to Application Security Testing (Dark Reading, Apr 09 2019)
If the appsec industry were to develop a better AST solution from scratch, what would it look like?

Hackers Can Add, Remove Cancer From CT Scans: Researchers (SecurityWeek, Apr 05 2019)
A team of researchers has demonstrated that hackers can modify 3D medical scans to add or remove evidence of a serious illness, such as cancer.

8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favority way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

The security challenges that come with serverless computing (Help Net Security, Apr 04 2019)
DevOps teams are the innovators and early adopters of serverless applications, and they do not need to ask permission to build applications with serverless. They are also, by default, the first responders of security issues found on serverless applications and APIs.

Microsoft rolls out new security capabilities for Azure customers (Help Net Security, Apr 04 2019)
They are a mix of features for storage and compute services:
-Advanced Threat Protection for Azure Storage
-A regulatory compliance dashboard in Azure Security Center
-Security assessments, recommendations and disk encryption for Virtual Machine Scale Sets
-Azure Dedicated Hardware Security Module (HSM) service availability in more regions.

Trimming AWS WAF logs with Amazon Kinesis Firehose transformations (AWS Security Blog, Apr 09 2019)
“In this post, I’ll show you how to create an Amazon Kinesis Data Firehose stream to filter out unneeded records, so that you only retain log records for requests that were blocked by AWS WAF. From here, the logs can be stored in Amazon S3 or directed to SIEM (Security information and event management) and log analysis tools.”

AWS Security Profiles: CJ Moses, Deputy CISO and VP of Security Engineering (AWS Security Blog, Apr 08 2019)
“We recently sat down with CJ Moses, Deputy, Chief Information Security Officer (CISO), to learn about his day-to-day as a cybersecurity executive. He also shared more about his passion for racecar driving and why AWS is partnering with the SRO GT World Challenge America series this year.”

How to Design DevSecOps Compliance Processes to Free Up Developer Resources (DevOps, Apr 03 2019)
Now that you know automation is crucial to the success of any system, here are a few basic steps you can take from day one to start building the security processes into your design…

Azure Security Center exposes crypto miner campaign (Microsoft Azure Blog, Apr 08 2019)
Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.

Web application firewall at Azure Front Door service (Microsoft Azure Blog, Apr 04 2019)
“We have heard from many of you that security is a top priority when moving web applications onto the cloud. Today, we are very excited to announce our public preview of the Web Application Firewall (WAF) for the Azure Front Door service. “

AWS Security Profiles: Olivier Klein, Head of Emerging Technologies in the APAC region (AWS Security Blog, Apr 04 2019)
Leading up to AWS Summit Singapore, we’re sharing our conversation with keynote speaker Olivier Klein about his work with emerging technology and about the overlap between “emerging technology” and “cloud security.”