Even if you use third-party cloud services, security is still your responsibility
The New Stack Update

ISSUE 178: Cloud Security is Your Responsibility

Talk Talk Talk

“There is, in fact, evidence that the structure of the Linux kernel is problematic for a number of today’s key use cases.”

Add It Up
Network security controls currently used to secure public cloud deployment
Developers and IT decision-makers should not be surprised by the recent Capital One data breach: Misconfigurations have long been the top cloud security concern. A new StackRox survey of IT decision-makers supports this finding as 60% of respondents are more worried about misconfigurations or exposures, as compared to attacks and generic vulnerabilities.

While details of the Capital One data breach are still coming to light, Security Boulevard explains that the attacker most likely identified a misconfigured firewall and pulled the identity and access management (IAM) credentials associated with the web application firewall (WAF) role. Then, those credentials were used to access Amazon Simple Storage Service (S3) buckets where the stolen files were located.
What's Happening

The Cloud Foundry Foundation has matured well beyond the initial phases of a startup, and with this maturity comes inherent challenges. Now, more than ever, the organization must be true to its core mission to never “break the user,” Abby Kearns, executive director at the Cloud Foundry Foundation, said.

During a podcast from the recently held KubeCon + CloudNativeCon and Open Source Summit China, Kearns spoke with host Alex Williams, founder and editor in chief of The New Stack, about how the foundation continues to serve the developer open source community and what its missions continue to be. Kearns also revealed some especially interesting observations about China-based developers and their approach to the Cloud Foundry and open source community.

Cloud Foundry Sees Challenges Worldwide, Exciting Differences in China

Cloud Security Is Your Responsibility

It was another all-too-dispiriting headline: U.S. banking giant Capital One leaked personal information of 100 million credit card applicants. The actual breach could have taken place as far back as March, though it was only discovered in July, when someone found the leaked data on a GitHub page(!).

Although the FBI had arrested the (alleged) perpetrator, Capital One took responsibility for the misconfiguration that led to the theft. In fact, it was shocking how big of a hole the bank left for anyone to come through: An unsecured S3 storage bucket on Amazon Web Services. As regular readers know, The New Stack has posted dozens of posts (most recent) about the dangers of cloud security over the past few years. And they all have the same basic underlying message: even if you use third-party cloud services, it is still your responsibility to secure your sh*t (excuse the profanity, but we couldn’t help but be reminded of the hilarious and all-too-appropriate line from the 2008 movie “Burn After Reading”)!

As TNS analyst Lawrence Hecht pointed out this week, this sort of cloud breach has been an ongoing fear of IT professionals for a while now. Instead of piling on Capital One, perhaps we should take a look at our practices (or lack thereof), as security expert Chenxi Wang has pointed out on Twitter. Security experts are routinely fired for these types of breaches, but no one seems to get fired for not implementing multi-factor authentication, password management, or even failing to do basic patching.

“The industry needs to have a basic competency building block list for Cyber. If you are not doing that, you deserve to be fired, regardless of the presence of a breach,” she wrote.

In other words, it is time for CEOs to start caring about the security of their sh*t.

4 Reasons Not to Use Programming Loops (and a Few Ways to Avoid Them)

Although they are one of the first constructs that junior programmers learn, loops can pose many potential issues in the software development process, and could be avoided in many cases, according to Marco Emrich of IT consulting firm Codecentric, speaking at this year’s OSCON conference, held earlier this month in Portland. “If you are still writing loops, you’re not a bad person. Just think about whether you need to write loops or if there’s a better alternative,” he advised the crowd.

Why the Unikernel Is More Relevant Today than Ever

Unikernels are back! We saw a flurry of activity around unikernels a few years back, but recently, as a group of researchers have found, they have many benefits for today’s cloud-intensive workloads, including a minimal codebase and near-instant boot times. They can answer many of the performance issues lurking in Linux, a group of researchers from Red Hat and Boston University has found.

Kentik Turns AIOps Spotlight on Network Data, Workflows

San Francisco-based startup Kentik, which has focused on real-time data for network traffic intelligence, is jumping on the bandwagon for artificial intelligence-aided operations (AIOps), touting capabilities specifically for network professionals. AI-enabled capabilities include support for network operations and security, as well as for edge computing.

Simone Van Cleve, Zibby Keaton and TNS Founder Alex Williams met at the Puppet headquarters in Portland, Oregon this week.

On The Road
DevOps World | Jenkins World // AUG. 12-15 // SAN FRANCISCO, CALIFORNIA @ MOSCONE WEST


DevOps World | Jenkins World
DevOps World | Jenkins World brings together DevOps teams, CI/CD practitioners, IT executives and the Jenkins ecosystem, providing attendees with the opportunity to learn, explore, network and help shape the next evolution of DevOps and Jenkins. 20% off with code TNS20.
The New Stack Makers podcast is available on: Pocket Casts, Stitcher, Apple Podcasts, Overcast, Spotify, TuneIn

Technologists building and managing new stack architectures join us for short conversations at conferences out on the tech conference circuit. These are the people defining how applications are developed and managed at scale.
Free Guide to Cloud Native DevOps Ebook

Cloud native technologies — containers, microservices and serverless functions that run in multicloud environments and are managed through automated CI/CD pipelines — are built on DevOps principles. You cannot have one without the other. However, the interdependencies between DevOps culture and practices and cloud native software architectures are not always clearly defined.

This ebook helps practitioners, architects and business managers identify these emerging patterns and implement them within an organization. It informs organizational thinking around cloud native architectures by providing original research, context and insight around the evolution of DevOps as a profession, as a culture, and as an ecosystem of supporting tools and services. 

Copyright © 2019 The New Stack, All rights reserved.