A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

880,000 payment cards, user info hit in Orbitz data breach (Help Net Security, Mar 21 2018)
Expedia subsidiary Orbitz has revealed that a legacy Orbitz travel booking platform had been compromised and personal user information and payment card data might have been accessed by unauthorized parties.

Introducing new ways to protect and control your GCP services and data (Google Cloud Platform Blog, Mar 21 2018)
“They say security is a process, not a destination, and that certainly rang true as we prepared for today’s CEO Security Forum in New York, where we’re making more than 20 security announcements across the Google Cloud portfolio.”

McKinsey research shows how to leverage the public cloud, securely (CSO Online, Mar 21 2018)
Recently, McKinsey released a 70-page report on “Making a secure transition to the public cloud”, for which the authors conducted multiple interviews with ~100 organizations, 56 of which have revenues ranging from $4bn to upwards of $70bn. The study can help a CISO understand where they stand and, more importantly, how they can plan the transition to the public cloud.

Analysis of a Kubernetes hack — Backdooring through kubelet (Medium, Mar 16 2018)
Unless you’ve been living under a rock for the past three years, you’ve probably heard about Kubernetes. At Handy, our infrastructure is backed by a multi-cluster Kubernetes ecosystem that drives our development, CI/CD, and production environments. You could say we are big advocates and users of Kubernetes at Handy, which is why we were both surprised and intrigued to learn that our coworker’s personal Kubernetes cluster was hacked this past weekend.

AWS CloudTrail Log Search Using Amazon Athena (AWS Security Blog, Mar 16 2018)
AWS CloudTrail makes it easier to search CloudTrail log files using the power of Amazon Athena. Previously, you had to manually create a CloudTrail table using the Athena console or AWS CLI and ensure you had the proper configuration and data definitions to match the CloudTrail log format. Now, from within the CloudTrail console event history page…
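The filters a responder typically runs over CloudTrail are the same whether they are typed as an Athena WHERE clause or applied to the raw JSON. The block below is an added example, not code from the AWS post: it constructs a handful of CloudTrail records in the documented log-file layout ({"Records": [...]}, userIdentity, additionalEventData.MFAUsed) and flags the ones worth reviewing (a root console login without MFA, and calls that tamper with the trail itself or with who can read a bucket). The event list and account numbers are illustrative assumptions.

```python
"""Flag security-relevant CloudTrail events in a log file (added example)."""
import json

# Constructed sample: a CloudTrail log file is a JSON object with a "Records" array.
# Account IDs, IPs and names are made up for the example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2018-03-16T10:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2018-03-16T10:05:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "arn": "arn:aws:iam::111122223333:user/deploy",
                      "accountId": "111122223333"},
     "requestParameters": {"bucketName": "customer-exports"}},
    {"eventVersion": "1.05", "eventTime": "2018-03-16T10:07:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "arn": "arn:aws:iam::111122223333:user/deploy",
                      "accountId": "111122223333"},
     "readOnly": True},
    {"eventVersion": "1.05", "eventTime": "2018-03-16T10:09:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "arn": "arn:aws:iam::111122223333:user/deploy",
                      "accountId": "111122223333"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}},
]})

# Assumed watch-list of API calls that should always be reviewed when they appear.
HIGH_RISK_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",   # tampering with the trail itself
    "PutBucketAcl", "PutBucketPolicy",             # changing who can read a bucket
    "CreateAccessKey", "AttachUserPolicy",         # credential / privilege changes
}


def load_records(log_text):
    """Parse one CloudTrail log file and return its record list."""
    return json.loads(log_text).get("Records", [])


def root_console_login_without_mfa(rec):
    """True for a ConsoleLogin by the root user where MFAUsed is not 'Yes'."""
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("userIdentity", {}).get("type") == "Root"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def flag_records(records):
    """Return (eventTime, eventName, actor, reason) for each record needing review."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        if root_console_login_without_mfa(rec):
            findings.append((rec["eventTime"], rec["eventName"], actor,
                             "root console login without MFA"))
        elif rec.get("eventName") in HIGH_RISK_EVENTS:
            findings.append((rec["eventTime"], rec["eventName"], actor,
                             "high-risk API call"))
    return findings


if __name__ == "__main__":
    for finding in flag_records(load_records(SAMPLE_LOG)):
        print(finding)
```

The read-only DescribeInstances call is deliberately left alone; the point of a watch-list is to surface the few mutating or identity-related calls rather than the bulk of describe traffic. In Athena the same predicates become `eventname IN (...)` and `useridentity.type = 'Root' AND json_extract_scalar(additionaleventdata, '$.MFAUsed') <> 'Yes'` against the CloudTrail table.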

An Open Letter to AWS CEO Andy Jassy on Cloud Security Innovation (Infosec Island, Mar 16 2018)
We are not threatened by the actions of AWS but instead are encouraged by it. – Brian Ahern, CEO & Chairman, Threat Stack

Cloud security startup Zscaler opens at $27.50, a pop of 72% on Nasdaq, raising $192M in its IPO (TechCrunch, Mar 16 2018)
The first post-billion, big tech IPO of the year has opened with a bang. Zscaler, a security startup that confidentially filed for an IPO last year, closed out its first day of trading at $33/share, up 106% from its opening price of $16.

Open AWS S3 bucket managed by Walmart jewelry partner exposes info on 1.3M customers (SC Magazine, Mar 16 2018)
Personal information belonging to 1.3 million customers of Walmart jewelry partner MBM Company has been exposed because yet another Amazon S3 bucket was left open on the internet.
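An S3 bucket becomes "open on the internet" in one of two ways: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy statement that allows any principal without a narrowing condition. The block below is an added example, not code from the SC Magazine article or from AWS: it evaluates ACL and policy documents in the shape the GetBucketAcl and GetBucketPolicy APIs return, constructed inline so it runs offline, and reports which grants make a bucket public. Bucket names and owner IDs are made-up placeholders.

```python
"""Detect S3 buckets exposed through ACL grants or bucket policy (added example)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample ACLs in GetBucketAcl shape (owner ID is a placeholder).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"},
               "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Owner": {"ID": "exampleownerid"},
            "Grants": [OWNER_GRANT,
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "exampleownerid"}, "Grants": [OWNER_GRANT]}

# Constructed sample bucket policies as the JSON string GetBucketPolicy returns.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::customer-exports/*"}]})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::customer-exports/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})


def public_acl_grants(acl):
    """Return (group, permission) for every grant to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Sid (or positional label) of each unconditioned Allow to any principal.

    Statements with a Condition block are not counted as open here: a
    condition narrows the grant, so they are left for manual review.
    """
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-statement form
    hits = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", "statement[%d]" % i))
    return hits


def bucket_is_open(acl, policy_json=None):
    """True if either the ACL or the (optional) bucket policy exposes the bucket."""
    if public_acl_grants(acl):
        return True
    return policy_json is not None and bool(public_policy_statements(policy_json))


if __name__ == "__main__":
    print("open ACL grants:", public_acl_grants(OPEN_ACL))
    print("open policy statements:", public_policy_statements(OPEN_POLICY))
    print("scoped policy open?", bucket_is_open(PRIVATE_ACL, SCOPED_POLICY))
```

Both checks are needed: a bucket with a clean ACL can still be world-readable through its policy, and vice versa. In a real sweep the two documents come from `get_bucket_acl` and `get_bucket_policy` for every bucket in the account, and any finding is the condition the article describes.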

Azure Guest Agent Design Enables Plaintext Password Theft (Dark Reading, Mar 20 2018)
Researchers find attackers can abuse the design of Microsoft Azure Guest Agent to recover plaintext administrator passwords.

AWS Key Management Service now offers FIPS 140-2 validated cryptographic modules enabling easier adoption of the service for regulated workloads (AWS Security Blog, Mar 19 2018)
Having additional third-party assurances about the keys you manage in AWS KMS can make it easier to use the service for regulated workloads.

Expanding our Google Cloud security partnerships (Google Cloud Platform Blog, Mar 21 2018)
“Today, we’re announcing new partnerships, new solutions by existing partners and new partner integrations in our Cloud Security Command Center (Cloud SCC), currently in alpha. Here’s a little more on what each of these partnerships will offer…”

Securing Azure Database for MySQL and Azure Database for PostgreSQL (Microsoft Azure Blog, Mar 20 2018)
Azure Database for PostgreSQL and Azure Database for MySQL share a common layered security model. Neither database service node is exposed directly to the Internet. The services sit behind Azure network protection and have their own gateway that securely establishes connections.

How Serverless Computing Reshapes Security (Dark Reading, Mar 21 2018)
The new division of responsibility moves some security concerns off a business’s plate while changing priorities for other risks.

DevSecOps Needs Less Hype, More Adoption in 2018 (SC Magazine, Mar 20 2018)
More than five years later, DevSecOps has become one of those trendy acronyms that gets a good deal of attention in the IT trade press and at conferences, but many enterprises are still working to find that balance between accelerated development cycles and a “security is everybody’s responsibility” mindset.

How DevOps Startups Can Deal with GDPR in 2018 (DevOps, Mar 16 2018)
GDPR is a big step up from the Data Protection Act, so you can’t sit around and wait for May 25 to come and go. It’s vital that you examine the GDPR in detail to see how and if it applies to your organization. If it does, you will need to make organizational changes to the way you deal with data.

15-Year-old Finds Flaw in Ledger Crypto Wallet (Krebs on Security, Mar 20 2018)
A 15-year-old security researcher has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a French company whose popular products are designed to physically safeguard public and private keys used to receive or spend the user’s cryptocurrencies.
Hardware wallets like those sold by Ledger are designed to protect the user’s private keys from malicious software that might try to harvest those credentials from the user’s computer. The devices enable transactions via a connec

Why do the Vast Majority of Applications Still Not Undergo Security Testing? (SecurityWeek, Mar 15 2018)
Did you know that 84% of all cyber attacks target applications, not networks? What’s even more curious is that 80% of Internet of Things (IoT) applications aren’t even tested for security vulnerabilities.

Google Rolls Out New Security Features for Chrome Enterprise (Dark Reading, Mar 16 2018)
The business-friendly browser now includes new admin controls, EMM partnerships, and additions to help manage Active Directory.

Firefox Bug Goes Unfixed for Nine Years (Infosecurity Magazine, Mar 19 2018)
Software developer discovers flaw in Firefox and Thunderbird’s password manager

Apple burns the HSTS super cookie (Naked Security – Sophos, Mar 20 2018)
A few years ago I wrote about a theoretical super cookie that could defeat Incognito mode by abusing HSTS, a technology that’s designed to make your browsing more secure. Abusing HSTS would allow these imagined super cookies to hide in plain sight because removing them results in reduced security.