A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Microsoft Wins Pentagon’s $10 Billion JEDI Contract, Thwarting Amazon (NYTimes, Oct 25 2019)
Amazon was considered a front-runner for the cloud computing project before President Trump began criticizing the company’s founder, Jeff Bezos.

Skimming malware found on American Cancer Society’s online store (SC Magazine, Oct 28 2019)
One Magecart group decided that helping cancer victims is not enough of a reason to deter them from hitting the American Cancer Society’s online store with skimming malware.

2019 State of DevOps Report chat: Security is boring when it’s working (Puppet Blog, Oct 23 2019)
Puppet’s Nigel Kersten and CircleCI’s Mike Stahnke go behind-the-scenes of the 2019 report to talk about the shift to a security-focused report and where they see these challenges heading and evolving.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Your AWS re:Invent 2019 guide to AWS Identity sessions, workshops, and chalk talks (AWS Security Blog, Oct 23 2019)
AWS re:Invent 2019 is coming fast! You’ll soon need to prioritize your sessions. Here’s a list of AWS Identity sessions, workshops, and chalk talks at AWS re:Invent 2019. If you haven’t registered yet for re:Invent, here’s a template you can provide to your manager to help justify your trip.

Why Cloud-Native Applications Need Cloud-Native Security (Dark Reading, Oct 29 2019)
Today’s developers and the enterprises they work for must prioritize security in order to reap the speed and feature benefits these applications and new architectures provide.

Google Cloud Adds New Security Management Tools to G Suite (Dark Reading, Oct 29 2019)
Desktop devices that log into G Suite will have device management enabled by default, streamlining processes for IT admins.

Help secure your organization with new endpoint management, intelligent access controls (Google Cloud Blog, Oct 29 2019)
new updates that provide even deeper control. Some of these features will be turned on by default for G Suite and Cloud Identity so that we can reduce the burden on IT admins while ensuring that the right protections are in place for your organization.

Exploring Container Security: Vulnerability management in open-source Kubernetes (Google Cloud Blog, Oct 25 2019)
The Product Security Committee is a group of core maintainers, many with security-specific roles, nominated by other core maintainers and technical advisors within the community. The Committee’s role is to respond to any and all emails about a potential vulnerability, according to a documented response process. Here’s an overview.

Keeping your Cloud Dataflow pipelines safe with customer-managed encryption keys (Google Cloud Blog, Oct 23 2019)
…if you want to protect your data end-to-end while it is being processed by your Cloud Dataflow pipeline, this new feature in Cloud Dataflow allows you to encrypt the state of the pipeline by specifying the following pipeline parameter…

Top 10 Container and Kubernetes Security Questions to Ask Your Team (Container Journal, Oct 29 2019)
With the right questions, you can determine where your containers or Kubernetes are exposed to risk and what your options are to mitigate that risk and provide the best possible protection.

DevOps firewall: How pre-configuring your cloud deployment can ensure compliance (Help Net Security, Oct 28 2019)
Within the DevOps firewall approach, you can go a step further. By leveraging chosen patterns to configure infrastructure as code, a DevOps firewall approach uses the CI/CD pipeline to ensure secure deployments for both pre-provisioning and post-provisioning.

Five Tips to Approach DevSecOps Training (DevOps, Oct 30 2019)
..tips for security training to successfully implement a DevSecOps strategy…

Why DevOps and Security Should Go Hand in Hand? (DevOps Zone, Oct 29 2019)
…why we think DevOps and Security should go hand in hand…

Chance that flaws will ever be dealt with diminishes the longer they stick around (Help Net Security, Oct 23 2019)
More than half of all security findings (56%) are fixed, but a focus on fixing new findings while neglecting aging flaws leads to increasing security debt, according to Veracode research.

Database Error Exposes 7.5 Million Adobe Customer Records (Dark Reading, Oct 28 2019)
The database was open for approximately one week before the problem was discovered.

Slack Offers Bigger Rewards for Serious Vulnerabilities (SecurityWeek, Oct 29 2019)
Slack informed bug bounty hunters on Monday that it has increased the minimum rewards for serious vulnerabilities found in its products and websites.