A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Fastly Sets DevSecOps Strategy After Signal Sciences Buy (DevOps, Sep 02 2020)
In the wake of acquiring Signal Sciences for $770 million, Fastly is gearing up to expand the range of security services it offers as part of an effort to advance adoption of DevSecOps best practices. Artur Bergman, chief architect for Fastly, said a forthcoming wave of edge computing applications will require web application firewalls (WAFs) that can be deployed and managed remotely to protect them. As a provider of a content delivery network (CDN), Fastly will leverage the WAF platform developed by Signal Sciences to secure edge computing workloads within its forthcoming Compute@Edge service, which promises to unify web application and application programming interface (API) security.
Five critical cloud security challenges and how to overcome them (Help Net Security, Aug 31 2020)
Fortunately, there’s no reason why cloud computing can’t be done securely. You need to recognize the most critical cloud security challenges and develop a strategy for minimizing these risks. By doing so, you can get ahead of problems before they start, and help ensure that your security posture is strong enough to keep your core assets safe in any environment.
Why Kubernetes Clusters Are Intrinsically Insecure (& What to Do About Them) (Dark Reading, Sep 02 2020)
By following best practices and prioritizing critical issues, you can reduce the chances of a security breach and constrain the blast radius of an attempted attack. Here’s how.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
It’s Not Just an Unusual Login: Why Pay Attention to Threats Facing SaaS and Cloud? (SecurityWeek, Aug 31 2020)
There is a whole category of cyber-attacks largely untouched by the media. With breaking threat discoveries usually focused on targeted spear-phishing campaigns or widespread ransomware, cyber-attacks targeting cloud and SaaS are often overlooked.
Essential features of security automation for the AWS platform (Help Net Security, Sep 02 2020)
DevSecOps tactics and tools are dramatically changing the way organizations bring their applications to fruition. Having a mindset that security must be incorporated into every stage of the software development lifecycle – and that everyone is responsible for security – can reduce the total cost of software development and ensure faster release of secure applications.
The ‘Shared Responsibility’ Misnomer: Why the Cloud Continues to Confound (Dark Reading, Aug 26 2020)
Under the “shared responsibility model,” the security management of cloud offerings is split equally between the vendor and the customer. Easy enough, right?
New third-party test compares Amazon GuardDuty to network intrusion detection systems (AWS Security Blog, Aug 31 2020)
A new whitepaper is available that summarizes the results of tests by Foregenix comparing Amazon GuardDuty with network intrusion detection systems (IDS) on threat detection of network layer attacks. GuardDuty is a cloud-centric IDS service that uses Amazon Web Services (AWS) data sources to detect a broad range of threat behaviors. Security engineers need to understand how Amazon GuardDuty compares to traditional solutions for network threat detection. Assessors have also asked for clarity on the effectiveness of GuardDuty for meeting compliance requirements, like Payment Card Industry (PCI) Data Security Standard (DSS) requirement 11.4, which requires intrusion detection techniques to be implemented at critical points within a network.
Discover sensitive data by using custom data identifiers with Amazon Macie (AWS Security Blog, Aug 26 2020)
As you put more and more data in the cloud, you need to rely on security automation to keep it secure at scale. AWS recently launched Amazon Macie, a fully managed service that uses machine learning and pattern matching to help you detect, classify, and better protect your sensitive data stored in the AWS Cloud.
Testing & Automation Pay Off for NSA’s DevSecOps Project (Dark Reading, Aug 31 2020)
Communication with stakeholders, extensive testing, and robust automation pays dividends for military intelligence agency, one of several presenters at GitLab’s virtual Commit conference.
Slack Pays Bounty for Critical Vulnerability in Desktop App (SecurityWeek, Aug 31 2020)
A security researcher was awarded a $1,750 bug bounty for discovering a remote code execution vulnerability in the Slack desktop applications.
“Chrome considered harmful” – the Law of Unintended Consequences (Naked Security – Sophos, Aug 26 2020)
A well-written article on the APNIC blog has provoked a thoughtful response from the Chromium coders – and we can all learn from it!
Slack Patches Critical Desktop Vulnerability (Dark Reading, Aug 31 2020)
The remote code execution flaw could allow a successful attacker to fully control the Slack desktop app on a target machine.