A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
All About SASE: What It Is, Why It’s Here, How to Use It (Dark Reading, Feb 22 2020)
Secure Access Service Edge is a new name for a known and growing architecture designed to strengthen security in cloud environments.
Google Cloud Security: continuing to give good the advantage (Google Cloud Blog, Feb 24 2020)
New capabilities that offer security wherever our customers’ systems and data may reside, including threat detection and timeline capabilities in Chronicle, threat response integration between Chronicle and Palo Alto Networks’ Cortex XSOAR, and online fraud prevention services.
Defining the Journey—the Four Cloud Adoption Patterns (Securosis Blog, Feb 20 2020)
“This is the second post in our series, “Network Operations and Security Professionals’ Guide to Managing Public Cloud Journeys”…”
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
5 Strategies to Secure Cloud Operations Against Today’s Cyber Threats (Dark Reading, Feb 20 2020)
With these fundamentals in mind, organizations can reduce their security and compliance risks as they reap the cloud’s many benefits:
44% of Security Threats Start in the Cloud (Dark Reading, Feb 19 2020)
Amazon Web Services is a top source of cyberattacks, responsible for 94% of all Web attacks originating in the public cloud.
Cloud misconfigurations surge, organizations need continuous controls (Help Net Security, Feb 20 2020)
Nearly 33.4 billion records were exposed in breaches due to cloud misconfigurations in 2018 and 2019, amounting to nearly $5 trillion in costs to enterprises globally, according to DivvyCloud research.
High-risk vulnerabilities and public cloud-based attacks on the rise (Help Net Security, Feb 21 2020)
A sharp increase (57%) in high-risk vulnerabilities drove the threat index score up 8% from December 2019 to January 2020, according to the Imperva Cyber Threat Index.
Solving the Cloud Data Security Conundrum (Dark Reading, Feb 24 2020)
Trusting the cloud involves a change in mindset. You must be ready to use runtime encryption in the cloud.
Enterprise Cloud Use Continues to Outpace Security (Dark Reading, Feb 24 2020)
Nearly 60% of IT and security pros say deployment of business services in the cloud has rushed past their ability to secure them.
Cloud-based collaboration tools are a major driver of data exfiltration (Help Net Security, Feb 25 2020)
Cloud-based collaboration technologies and workforce turnover have become major drivers of data exfiltration as insider threat programs fail to keep pace with today’s digital workplace, a Code42 survey reveals.
The “Cloud Snooper” malware that sneaks into your Linux servers (Naked Security – Sophos, Feb 25 2020)
Fascinating research from SophosLabs into a wolf-in-sheep’s-clothing malware sample.
Security perimeters in the cloud aren’t dead—They’re ephemeral (SC Media, Feb 25 2020)
Everyone should be considered hostile. No implicit trust should be attributed to the location of the user, the network or the device they are using.
Ensure Your Cloud Security Is as Modern as Your Business (Dark Reading, Feb 25 2020)
Take a comprehensive approach to better protect your organization. Security hygiene is a must, but also look at your risk posture through a data protection lens.
How to create certificates with custom extensions using AWS Certificate Manager Private CA (AWS Security Blog, Feb 20 2020)
“Digital certificates, also known as X.509 or TLS/SSL certificates, are used to prove the identity of entities like web servers or VPN users and to establish secure communication channels between them. In this blog post, I’ll discuss certificate extensions.”
Container Security Concerns Impacting Deployments (Container Journal, Feb 21 2020)
A survey of 540 IT and security professionals conducted by 451 Research on behalf of StackRox, a provider of a container security platform, finds nearly half the respondents (44%) admit to delaying or halting the deployment of a containerized application in a production environment because of cybersecurity concerns.
The DevSecOps Landscape is Maturing — We Want to Hear About Your Journey (DevOps, Feb 24 2020)
It was 2003 when Bruce Schneier penned, “Today there are no real consequences for having bad security, or having low-quality software of any kind. Even worse, the marketplace often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality.” Seventeen years later and it can sometimes feel like we haven’t grown enough.
DevSecOps: A Renewed Commitment to Secure Delivery, Part 2 (DevOps, Feb 20 2020)
If done right, DevSecOps eliminates the cultural roadblocks that often prevent organizations from getting IT security proactively involved with development and operations. Barriers are the last thing any organization should contend with when comprehensive security is an absolute priority at a time when data breaches, intellectual property theft and other cybercrimes can almost immediately cripple a business.
Apple chops Safari’s TLS certificate validity down to one year (Naked Security – Sophos, Feb 24 2020)
From 1 September 2020, Safari will no longer trust SSL/TLS certificates with more than a year on the clock.