Cloud Security, DevOps, AppSec – The Week’s Best News – 2020.09.23

A Review of the Best News of the Week on Cloud Security, DevOps, AppSec Get ready for upcoming changes in the AWS SSO user sign-in process (AWS Blog, Sep 18 2020) To improve security, enhance user experience, and address compatibility with future AWS Identity changes, AWS Single Sign-On (SSO) is making changes to the sign-in process that will affect some AWS SSO customers. The changes will go into effect globally in early October 2020. 12 Bare-Minimum Benchmarks for AppSec Initiatives (Dark Reading, Sep 23 2020) The newly published Building Security in Maturity Model provides the software security basics organizations should cover to keep up with their peers. HackerOne Paid Out Over $107 Million in Bug Bounties (SecurityWeek, Sep 22 2020) Hacker-powered bug hunting platform HackerOne on Tuesday announced that it paid more than $44.75 million in bounty rewards over the past 12 months, with the total payouts to date surpassing $107 million.

Filter Out the Noise Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy. Thanks! – Lucas Samaras Share today’s post on Twitter Facebook LinkedIn

Three ways cloud security posture management helps security teams (SC Media, Sep 17 2020) It comes as no surprise to enterprises when an otherwise productive employee unknowingly opens the organization to risk or even causes a breach. The knee-jerk culpability typically gets attributed to the cloud provider, yet Gartner warns that through 2025, at least 99 percent of cloud security failures are the cutomer’s fault.

Microsoft Extends Data Loss Prevention to Cloud App Security (Dark Reading, Sep 22 2020) The update, one of several announced today, is intended to help employees remain compliant when handling data across cloud applications.

Improving security as part of accelerated data center migrations (AWS Security Blog, Sep 22 2020) Approached correctly, cloud migrations are a great opportunity to improve the security and stability of your applications. Many organizations are looking for guidance on how to meet their security requirements while moving at the speed that the cloud enables.

How Security Operation Centers can use Amazon GuardDuty to detect malicious behavior (AWS Security Blog, Sep 17 2020) The Security Operations Center (SOC) has a tough job. As customers modernize and shift to cloud architectures, the ability to monitor, detect, and respond to risks poses different challenges. In this post we address how Amazon GuardDuty can address some common concerns of the SOC regarding the number of security tools and the overhead…

Modern detection for modern threats: Changing the game on today’s threat actors (Google Cloud Blog, Sep 23 2020) 2020 has introduced complex challenges for enterprise IT environments. Data volumes have grown, attacker techniques have become complex yet more subtle, and existing detection and analytics tools struggle to keep up.

Building a Secure Amazon S3 Bucket (Cloud Security Alliance, Sep 23 2020) “In this post (and our two Cloud Security Masterclass sessions devoted to Amazon S3), I provide a pragmatic approach to understanding S3 security. You’ll be able to reason about securing your specific S3 use cases and build a secure S3 bucket that meets your particular needs. If you go solely on what you read in the press, you might make the mistake of thinking that the only thing you need to do to ensure the security of your S3 bucket is Block Public Access. While getting this setting right is important (and AWS has taken needed steps to warn you if you have it wrong), it can also lead to a false sense of security if that’s all you do.”

Cloud Security Alliance Releases Top Threats to Cloud Computing: Egregious 11 Deep Dive; Articulates Cloud Computing’s Most Significant Issues (Container Journal, Sep 23 2020) Using nine actual attacks and breaches, including a major financial services company, a leading enterprise video communications firm, and a multinational grocery chain for its foundation, the paper connects the dots between the CSA Top Threats in terms of security analysis.

Protect multi-cloud workloads with new Azure security innovations (Microsoft Azure Blog, Sep 22 2020) …a broad set of innovations to help you protect multi-cloud and Azure workloads.

To improve DevSecOps, set application security priorities (SC Media, Sep 23 2020) The 18th-century philosopher Voltaire once said, “Perfect is the enemy of good.” If you try to make software perfect, not only will you fail, but you’ll never bring a product to market. In the world of application security, this means setting priorities. Fix the biggest problems. Eliminate the worst threats.

Most AppSec pros see a growing divide between them and developers (Help Net Security, Sep 22 2020) 75% of AppSec practitioners and 49% of developers believe there is a cultural divide between their respective teams, according to ZeroNorth. As digital transformation takes hold, it is increasingly vital that AppSec teams and developers work well together. With DevOps methodology seeing more adoption, teams are delivering software at continually higher velocities. Speed is the culture of DevOps, which often runs counter to the culture of Security – risk adverse and rigid.