A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Lessons from the Cryptojacking Attack at Tesla (RedLock Blog, Feb 21 2018)
The hackers had infiltrated Tesla’s Kubernetes console, which was not password-protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment, which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.
Crypto-Miners Now Target Jenkins Servers (Check Point Blog, Feb 15 2018)
Used by DevOps teams around the world, Jenkins is the most popular open source automation server in use today. Indeed, with an estimated one million users, Jenkins is the ‘go to’ CI and DevOps orchestration tool. Unfortunately, though, its incredible power, often hosted on large servers, also makes it a prime target for crypto-mining attacks.
FedEx Customer Data Left Publicly Exposed on Cloud Storage Server (eWEEK, Feb 17 2018)
Yet another cloud data leak is discovered, this time it’s 119,000 documents with personally identifiable information from the FedEx-owned company Bongo International.
Why Chrome’s ad filter isn’t an adblocker (Naked Security – Sophos, Feb 16 2018)
Optimistic news coverage has described this as the arrival of adblocking in Chrome; it isn’t.
To prevent data breaches, AWS offers S3 bucket permissions check to all users (Help Net Security, Feb 21 2018)
Amazon Web Services (AWS) has announced that all customers can now freely check whether their S3 buckets are leaking stored data. “Previously available only to Business and Enterprise support customers, [the S3 bucket permissions check] identifies S3 buckets that are publicly accessible due to ACLs or policies that allow read/write access for any user,” the cloud computing giant noted.
Oracle to Acquire Cloud Security Firm Zenedge (SecurityWeek, Feb 16 2018)
Zenedge offers a suite of services to protect systems deployed in the cloud, on-premise or in hybrid hosting environments, with solutions including a Web Application Firewall (WAF), Distributed Denial of Service (DDoS) protection, and products to secure applications, networks, databases and APIs from attacks.
How Docker Containers Make Life Easy for Bitcoin-Mining Attackers (Container Journal, Feb 19 2018)
Crypto-mining script kiddies are coming to steal your Docker environment. That’s the warning from Aqua Security, which has published a report about attacks against containerized environments by people who want to mine cryptocurrency such as bitcoin.
The Era of Intelligent Testing (DevOps, Feb 21 2018)
“Development cycles are getting shorter and new features are coming faster than ever…There simply isn’t enough time to test.” – QA Leader at Fortune 250 company
From DevOps to DevSecOps: Structuring Communication for Better Security (Dark Reading, Feb 15 2018)
A solid approach to change management can help prevent problems downstream.
DevSecOps: Security at the Speed of Business (Cisco Blog, Feb 14 2018)
In Part One of this blog series DevSecOps – Win Win for All, we established a foundation for DevSecOps practices with our Cloud Security Manifesto. In Part 2 of this series, we will describe another key aspect of DevSecOps – developing security guardrails with a hands-on approach via Agile hackathons.
Google drops new Edge zero-day as Microsoft misses 90-day deadline (Naked Security – Sophos, Feb 19 2018)
Google originally shared details of the flaw with Microsoft on 17 November 2017, but Microsoft wasn’t able to come up with a patch within Google’s non-negotiable “you have 90 days to do this” period.
How to Use New Advanced Security Features for Amazon Cognito User Pools (AWS Security Blog, Feb 19 2018)
Amazon Cognito lets you easily add user sign-up, sign-in, and access control to your mobile and web apps. You can use fully managed user directories, called Amazon Cognito user pools, to create accounts for your users, allow them to sign in, and update their profiles.
Several Vulnerabilities Patched in RubyGems (SecurityWeek, Feb 19 2018)
RubyGems 2.7.6 patches path traversal vulnerabilities that exist when writing to a symlinked basedir outside of the root and during gem installation. It also fixes a cross-site scripting (XSS) vulnerability in the homepage attribute when displayed via gem server, and a possible unsafe object deserialization flaw.