A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Apple Kicks Off Public Bug Bounty Program (SecurityWeek, Dec 20 2019)
Apple this week kicked off its public bug bounty program, just over four months after announcing it officially at the Black Hat cybersecurity conference in Las Vegas.
Google Promises Upfront Financial Help for Securing Open Source Projects (SecurityWeek, Dec 20 2019)
Six years into running the Patch Rewards Program to help improve the security of open source projects, Google has decided to provide upfront financial support for such initiatives.
Google Details Its Zero-Trust Architecture. Can Enterprises Use It? (IT Pro, Dec 18 2019)
While large enterprises will already have many of the needed security tools, copying Google’s approach can be very complicated, Hatch said. “The complexities of large-scale infrastructure and applications can’t be resolved with a magic Band-Aid in short order.” A unified platform is needed to bring all the pieces together.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
5 Common Container Mistakes to Avoid (Container Journal, Dec 24 2019)
User misconfiguration of containers or applications in those containers.
Overcommitment of resources because of a lack of capacity management and planning around containers.
Lack of consideration for Day 2 operations.
Attempting to port workloads to containers that are not suitable for containers or microservice architecture.
Underestimating the possibility of container incompatibility.
Google Cloud External Key Manager Now in Beta (Dark Reading, Dec 19 2019)
Cloud EKM is designed to separate data at rest from encryption keys stored in a third-party management system.
Year in Review: Cloud Security (Infosecurity Magazine, Dec 18 2019)
AWS and Google have both introduced network traffic mirroring in their respective cloud platforms, with Microsoft Azure soon to follow… Now that cloud traffic can be monitored and analyzed at the same rate and level of detail as on-premises traffic, cutting edge security tools like network detection and response (NDR) platforms can operate natively in AWS, Google Cloud, and Microsoft Azure.
How to import AWS Config rules evaluations as findings in Security Hub (AWS Security Blog, Dec 23 2019)
In June at re:Inforce 2019, AWS announced the general availability of AWS Security Hub, a security service that enables customers to centrally view and manage compliance checks and security findings across their AWS accounts. AWS Security Hub imports security findings from Amazon GuardDuty, Amazon Inspector, Amazon Macie, and over 30 AWS partner security solutions.
Security and compliance insights from Puppetize PDX (Puppet, Dec 04 2019)
“During our recent Puppetize PDX user conference, experts shared their perspectives on ways you can ensure systems continuously remain secure, meet compliance requirements, and most importantly, give you some valuable time back. Here are some of their insights.”