A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Facebook open-sources a static analyzer for Python code (Help Net Security, Aug 10 2020)
Need a tool to check your Python-based applications for security issues? Facebook has open-sourced Pysa (Python Static Analyzer), a tool that looks at how data flows through the code and helps developers prevent data flowing into places it shouldn’t.

How to secure DevOps (Cloud Security Alliance, Aug 12 2020)
Last month, IT news websites reported that RubyGems, the official channel for distributing libraries for the Ruby programming language, had been poisoned. An attacker uploaded fake packages containing a malicious script, so all programmers who used the code in their projects unwittingly infected users’ computers with malware that changed cryptocurrency wallet addresses.

Introducing the Google Cloud Security Showcase (Google Cloud Blog, Aug 07 2020)
The Google Cloud Security Showcase is a video resource that’s focused on solving security problems and helping you create a safer cloud deployment. The showcase currently has almost 50 step-by-step videos on specific security challenges or use cases—complete with actionable information to help you solve that specific issue—so there’s sure to be something for every security professional. In this blog we’ll highlight some of these use cases and example videos across major security domains to show what the Google Cloud Security Showcase is and how it can help you.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

What are the benefits of automated, cloud-native patch management? (Help Net Security, Aug 06 2020)
Could organizations recoup their share of more than $1 billion per quarter by moving away from legacy solutions to cloud-native patch management and endpoint hardening? A new report from Sedulo Group says yes.

Holding public cloud security to account (Infosec Island, Aug 10 2020)
The public cloud provides great flexibility and cost management for organizations, but what about security?

Half of IT teams can’t fully utilize cloud security solutions due to understaffing (Help Net Security, Aug 11 2020)
There are unrealized gaps between the rate of implementation or operation and the effective use of cloud access security brokers (CASB) within the enterprise, according to a global Cloud Security Alliance survey of more than 200 IT and security professionals from a variety of organization sizes and locations.

Microsoft Office 365—Do you have a false sense of cloud security? (Microsoft Security, Aug 11 2020)
Security is not just flipping the switch of security features to “on” and thinking you are done. DART explores the concept of having a false sense of security when securing your cloud environments.

Why the rapid transition to cloud demands that DevOps shift left (Help Net Security, Aug 10 2020)
To accommodate remote work policies amid COVID-19, companies have increasingly adopted the public cloud to support off-site business continuity. A MarketsandMarkets analysis found that due to the impact of the current crisis, the cloud market is expected to grow from $233 billion in 2019 to $295 billion by 2021.

DevOps and Security in a Cloud-Native World (DevOps, Aug 11 2020)
When asked for the No. 1 threat, no single answer stood out. Instead, 10 ranked about equally in frequency:

Data exposure (13.2%)
Malware (12.8%)
Application vulnerabilities (10.9%)
Weak and broken authentication (10%)
Insider threats (9.7%)
Credential leakage (9.1%)
Insecure APIs (9%)
Infrastructure misconfigurations (9%)
Application misconfigurations (8.7%)
Over-permissioned access and misconfigurations (7.7%)

DevSecOps Using Container and Microservices Security (DevOps Zone, Aug 12 2020)
Responsibility for security is shifting in the direction of DevOps engineers, as they have a view into the processes and systems used to deploy microservices.

3 Tips for Securing Open Source Software (Dark Reading, Aug 05 2020)
Maintaining myriad open source components can be tough. Here’s how teams can begin to address open source security and continue to innovate.

Threats vs. Thrift: Running Effective AppSec During a Global Crisis (Dark Reading, Aug 12 2020)
By looking at security testing capacity, staff expertise, and risks throughout the software supply chain, application security teams can improve their overall effectiveness.

Developers Need More Usable Static Code Scanners to Head Off Security Bugs (Dark Reading, Aug 11 2020)
As companies “shift left” — pushing more responsibility for security onto developers — the tools that are available are falling short, usability researchers say.