A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

AWS CISO Talks Risk Reduction, Development, Recruitment (Dark Reading, Jun 25 2019)
Steve Schmidt says limiting access to data has dramatically changed the security posture across Amazon Web Services.

1 in 10 open source components downloaded in 2018 had a known security vulnerability (Help Net Security, Jun 26 2019)
Adversaries are increasingly targeting open source components
71% increase in open source related breaches over the past five years
24% of organisations confirmed or suspected an OSS related breach
15 events highlighting a new attack pattern for malicious code injection within open source software supply chains

AWS Security Hub Now Generally Available (AWS News Blog, Jun 24 2019)
“When systems enable frequent deploys and remove gatekeepers for experimentation, sometimes a non-compliant resource is going to sneak by. That’s why I love tools like AWS Security Hub, a service that enables automated compliance checks and aggregated insights from a variety of services. With guardrails like these in place to make sure things stay on track, I can experiment more confidently. And with a single place to view compliance findings from multiple systems, infosec feels better about letting me self-serve.”

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Cloud security exacerbated by immature security practices (Help Net Security, Jun 26 2019)
Companies are struggling to modernize their security practices at the same pace that they adopt cloud – 73% experienced a security incident due to immature practices. Lack of visibility into cloud workloads is the leading cause – an overwhelming majority of survey respondents (93%) report issues with keeping tabs on all cloud workloads. For example, Symantec’s research found that while companies estimate they use 452 cloud apps on average, the actual number is nearly four times higher, at 1,807.

Organizations more likely to accelerate business when protecting their cloud data (Help Net Security, Jun 19 2019)
Most sensitive data is under the IT team’s control: Results showed that 65 percent of enterprise data lives in collaboration and business software-as-a-service (SaaS) applications, 25 percent in infrastructure-as-a-service (IaaS), and only 10 percent in “Shadow IT” unknown to the IT department.

Cloud Data Protection Firm Druva Raises $130 Million (SecurityWeek, Jun 21 2019)
Cloud data protection and management provider Druva on Thursday announced $130 million in new funding, which brings the total raised by the company to date to $328 million. 

Today’s Top Public Cloud Security Threats …And How to Thwart Them (Infosec Island, Jun 21 2019)
In order to thwart exposure, companies must have the capability to look at all cloud environments and perform assessments of how such resources are secured.

Incomplete Fix Leads to New Kubernetes Bug (Infosecurity Magazine, Jun 25 2019)
Another security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires user interaction to be exploited.

AWS Security Profiles: Mark Ryland, Director, Office of the CISO (AWS Security Blog, Jun 24 2019)
What initiatives are you currently working on that you’re particularly excited about?

Scan your Cloud Storage buckets for sensitive data using Cloud DLP (Google Cloud Blog, Jun 21 2019)
A critical mission for businesses worldwide is to prevent the exposure of sensitive data—especially in highly regulated industries such as finance and healthcare, where meeting compliance requirements is a top priority.

DevOps And Security (DevOps Zone, Jun 24 2019)
DevOps has become so popular as a development approach that adoption rates saw a growth of 70% from 2017 to 2018. The methodology offers a number of advantages that benefit a comprehensive range of businesses or organizations in all different sectors, including faster development cycles and more iterations. However, the Agile nature of DevOps comes with its challenges.

The Value of Security Testing in QA (DevOps Zone, Jun 20 2019)
Unfortunately, shifting security left is easier said than done. Development and testing teams often lack application security expertise, and staffing and budgetary concerns limit IT security’s capacity to do more frequent testing and ability to embed security analysts in software development teams.