Cyentia Cybersecurity Research Library

Vulnerability

Below you will find reports with the tag of “Vulnerability”


Summary of Reports Issued Regarding Department of Defense Cybersecurity from July 1, 2017, Through June 30, 2018

From the report, “Our objective was to (1) summarize unclassified and classified reports issued and testimonies made from the DoD oversight community and the Government Accountability Office (GAO) between July 1, 2017, and June 30, 2018, that included DoD cybersecurity issues; (2) identify cybersecurity risk areas for DoD management to address based on the five functions of the National Institute of Standards and Technology (NIST), “Framework for Improving Critical Infrastructure Cybersecurity,” April 16, 2018 (Cybersecurity Framework); and (3) identify the open DoD cybersecurity recommendations. This summary report also addresses the Federal Information Security Modernization Act of 2014 (FISMA) requirement to provide an annual independent evaluation of the agency’s information security program by using the identified findings to support the responses made in our assessment.”

Added: January 31, 2019

CVE Publishing: A Race to Protect Against Dark Web Threat Actors Trying to Exploit

This is a threat focus report on Drupalgeddon2.

Added: January 31, 2019

DevOps Beware: Your Servers Are Open For Business

In this report, you’ll learn how many DevOps servers may be exposed based on a study done by the IntSights research team, how cyber criminals typically access open DevOps servers, and what you can do to protect yourself and your data from a DevOps cyber attack.

Added: January 25, 2019

Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry

A first-hand account of using open source intelligence techniques to discover publicly exposed data stores of healthcare information.

Added: January 25, 2019

Pervasive Automation Report

From the report, “Much like DevOps itself, pervasive automation is equal parts process, tooling, and culture. Taking the journey represents a collective commitment by the entire organization, one where the goal is realizing the competitive advantage offered by software automation. Leadership builds the strategy, managers plan how to get there, and then it’s up to the teams to sustain an ongoing effort. New challenges will arise as new technologies are released: cloud services, containers, and server-less computing for example. Automating processes to adapt to tomorrow’s technology means staying on the path toward pervasive automation. Then, deliver the business value and agility it promises. While it’s impossible to get to an “absolutely” automated state, this journey keeps you as close as possible by continuously leveraging the latest DevOps and automation practices across your organization.”

Added: January 24, 2019

Cyber Attack Trends Analysis

From the report, “With data drawn from our ThreatCloud World Cyber Threat Map and our experience within the cyber research community, we will give a comprehensive overview of the trends observed in the categories of Cryptominers, Ransomware, Malware techniques, Data Breaches, Mobile and Nation State cyber attacks. We will then conclude with a review of the predictions made in our 2018 Security Report and assess to what extent these proved accurate. Along the way we will also provide cutting edge analysis from our in-house experts to arrive at a better understanding of today’s threat landscape.”

Added: January 24, 2019

Securing The Digital Economy: Reinventing The Internet For Trust

From the report, “Without trust, the future of our digital economy and its nearly limitless potential is in peril. Piecemeal efforts to address cybersecurity issues—including the Internet’s inherent flaws, vulnerabilities from the Internet of Things (IoT), identity and data veracity and increasing digital fragmentation—have fallen short. Through their decisions above ground on industry-wide governance and their business architecture and technology infrastructure below ground, however, CEOs can have the influence necessary to collaboratively address these overarching issues.”

Added: January 24, 2019

2018 Secure DevOps: Fact Or Fiction?

This survey, the sixth in a series of annual studies by SANS on security practices in software development, is the first to explicitly focus on DevOps. The results of this study show that organizations are finding ways to keep up with rapid change through DevOps, but they have a number of challenges they still need to deal with.

Added: January 16, 2019

A Stakeholder-centric Approach to Building a Cyber Threat Intelligence (CTI) Practice

How to make threat intelligence relevant to executives, business stakeholders, security operations and incident responders.

Added: January 16, 2019

The Trust Factor: Cybersecurity's Role in Sustaining Business Momentum

To provide insights into the complex challenges faced by organizations as they fight to protect their brands, Radware produces an annual Global Application & Network Security Report. This eighth annual version of the report combines Radware’s organic research, real attack data and analyses of developing trends and technologies with the findings from a global industry survey.

Added: January 16, 2019

SophosLabs 2019 Threat Report

From the report, “As the report that follows describes, SophosLabs has been observing a small but growing number of criminals forced to resort to a variety of manual hacking techniques – previously the purview of esoteric, targeted attackers – just to maintain their dishonorable income streams. The downside is that it’s much more challenging to halt these hybridized threats using conventional methods, but it also means there are fewer criminals competent enough to conduct them, and we keep driving up the cost of their operations. It’s a Darwinian process, and the sort of shift in attacker/defender economics we’ve been striving to achieve for a long time. We consider that a victory, and the start of a trend of attacker disruption that we intend to continue driving.”

Added: January 15, 2019

DevSecOps Community Survey 2017

This report offers insight into the DevSecOps Community.

Added: January 15, 2019

DevSecOps Community Survey 2018

This survey, representing the voice of 2,076 IT professionals, demonstrates that DevSecOps practices continue to mature rapidly and that, once automated, security is difficult to ignore.

Added: January 15, 2019

Mapping The Future: Trend Micro Security Predictions For 2019

From the report, “In 2019 and beyond, the biggest trends expected to have an impact on technology and security are the advances in artificial intelligence and machine learning brought about by the ever-growing volume of data that can be processed and analyzed; the continued adoption of cloud computing by enterprises the world over; and the developments in smart devices, homes, and factories — to say nothing of the looming 2020 rollout of 5G, the latest phase of mobile communications geared toward further increasing internet speeds. Furthermore, 2019 will be an important year for political developments including the finalization of Brexit and the holding of landmark elections in several countries. These technological and sociopolitical changes will have a direct impact on security issues in 2019.”

Added: January 15, 2019

Epic Failures In DevSecOps: Volume 1

This is the first in a series of books tracking changes and discoveries within the DevSecOps Community. The stories are by people who have been sloshing around in the swamps of software development for years, figuring out how things work, and most importantly, why things didn’t work.

Added: January 15, 2019

Morphisec Labs Threat Report: December 2018

This Morphisec Labs Threat Report is based on anonymized threat data collected from approximately 2,000,000 installed Morphisec endpoint agents as well as in-depth investigations conducted by Morphisec researchers. It includes observations about trends in the wider security landscape together with analyses of the tactics and techniques used by malicious actors.

Added: January 15, 2019

2018 State Of The Software Supply Chain

Sonatype’s 4th annual report on managing open source components to accelerate innovation.

Added: January 15, 2019

2017 State Of The Software Supply Chain

This 2017 report has similarities to previous years, but there are three differences worth noting. First, the analysis in this year’s report extends beyond Java and includes supply chain findings for JavaScript, NuGet, Python, and Docker. Second, this year’s paper includes a stronger emphasis on the emergence of DevOps and reflects on the evolution of modern IT organizations as they seek to transform from waterfall-native to DevOps-native software development. Lastly, this year’s research delves deeper into the rapidly evolving role of regulation, legislation, and litigation with respect to open source governance and software supply chain management.

Added: January 15, 2019

Cloud Security: From Start Point To End Point

This e-book offers insight into the entire subject of Cloud Security.

Added: January 1, 2019

Operation Shaheen

This report is part of a larger developing series, the aim of which is to apply a different approach to threat intelligence to identify a new threat actor and its previously unknown espionage campaigns; it also aims to link together campaigns that were assumed to be unrelated, or which were falsely attributed to other groups. We call this new project — and threat actor — The White Company in acknowledgement of the many elaborate measures the organization takes to whitewash all signs of its activity and evade attribution. The White Company consists of three reports. The first report tells the story of the overall campaign and presents forensic findings in a manner suitable for a general audience, including analyses of the technical and geopolitical considerations that enable readers to draw conclusions about the threat actors and understand the campaign in context. Two additional technical reports follow: One is focused on The White Company’s exploits, the other on its malware and infrastructure.

Added: December 29, 2018

Exclusive Report: WannaCry One Year On

This report draws conclusions from the data to understand why organizations are struggling to take actions from lessons learned from a year of the WannaCry virus.

Added: December 29, 2018
© Cyentia Institute 2025
Library updated: July 16, 2025 20:08 UTC (build b1d7be4)