A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

What I learned from doing 1000 code reviews (Hacker Noon, Dec 11 2017)
After reviewing tens of thousands of lines of code, I noticed that certain suggestions kept coming up over and over again; here are the top 3.

Securing communications between Google services with Application Layer Transport Security (Google Online Security Blog, Dec 13 2017)
A whitepaper, “Application Layer Transport Security,” that goes into detail about what ALTS is, how it protects data, and how it’s implemented at Google.

AWS Introduces Single Sign-On (AWS Security Blog, Dec 07 2017)
AWS introduced AWS Single Sign-On (AWS SSO), a service that makes it easy for you to centrally manage SSO access to multiple AWS accounts and business applications. AWS SSO provides a user portal so that your users can find and access all of their assigned accounts and applications from one place, using their existing corporate credentials.

OWASP – The Superhero of AppSec (WhiteHat Security, Dec 07 2017)
The security industry needs unbiased sources of information that share best practices with an active membership body that advocates for open standards. In the AppSec world, one of the best is the Open Web Application Security Project (OWASP).

Tune into the Cloud – 24 posts on cloud computing in one playlist (Gartner Blog Network, Dec 12 2017)
With the recent keynote of cloud pioneer AWS's annual re:Invent event also being music-themed, it seemed a good idea to make this playlist of 25 columns (since 2014) available for easy reading, either directly from the links below or, more conveniently, as an eBook for e-readers.

How to Manage Amazon GuardDuty Security Findings Across Multiple Accounts (AWS Security Blog, Dec 13 2017)
Introduced at AWS re:Invent 2017, Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

AWS Cloud: Proactive Security and Forensic Readiness – Part 1 (Cloud Security Alliance Blog, Dec 11 2017)
This is the first in a five-part blog series that provides a checklist for proactive security and forensic readiness in the AWS cloud environment. This post relates to identity and access management in AWS.

How Google protects your data in transit (Google Cloud Platform Blog, Dec 13 2017)
By default, when a user connects to Google Cloud, the connection between the user and Google is encrypted.

How to get real-time, actionable insights from your Fastly logs with Looker and BigQuery (Google Cloud Platform Blog, Dec 07 2017)
Fastly, whose edge cloud platform offers content delivery, streaming, security and load-balancing, recently integrated its platform with Looker, a business intelligence tool. Using Google BigQuery as its analytics engine, you can use Fastly plus Looker to do things like improve your operations, analyze the effectiveness of marketing programs — even identify attack trends.

How Blockchain Tech Can Make DevOps Better (DevOps.com, Dec 12 2017)
What if, instead of relying on tools such as continuous integration servers and automated test suites to determine that code is moving down the pipeline successfully, you instead recorded that data on the blockchain?

Chrome 63 offers even more protection from malicious sites, using even more memory (Ars Technica, Dec 07 2017)
Google gives administrators new ways to lock down the browser.

What Slugs in a Garden Can Teach Us About Security (Dark Reading, Dec 08 2017)
Think about the challenges of protecting an enterprise: lack of resources (people, technology, budget, or any combination thereof), competing priorities, balancing compliance requirements and business needs, awareness and training, enforcing policies and standards.

DAST vs SAST – Dynamic Application Security Testing vs Static (Darknet, Dec 08 2017)
Dynamic testing relies on a black-box, external approach, attacking the application in its running state as a malicious attacker would. Static testing is more white-box, looking at the application's source code for potential flaws.

The Mutiny Fuzzing Framework and Decept Proxy (Cisco Blog, Dec 07 2017)
This blog post is authored by James Spadaro of Cisco ASIG and Lilith Wyatt of Cisco Talos. Imagine a scenario where you, as a vulnerability researcher, are tasked with auditing a network application to identify vulnerabilities. By itself, the task may not seem too daunting until you learn of a couple conditions and constraints…

19-Year-Old TLS Vulnerability Weakens Modern Website Crypto (Threatpost, Dec 13 2017)
New research shows how an old vulnerability called ROBOT can be exploited using an adaptive chosen-ciphertext attack to reveal the plaintext for a given TLS session.

The Forrester SAST Wave: A Tale of Customer Betrayal (Checkmarx, Dec 12 2017)
Is this another case of the vendor marketing department responding to a dot on a chart not being in the spot they wanted? Read for yourself and see their arguments about why Forrester misunderstood…

Is source code inspection a security risk? Maybe not, experts say (CSO Online, Dec 11 2017)
Some information security insiders raised a red flag when Russian requests to review security software code became known. The controversy may be a tempest in a teapot.