A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

How S3 Buckets Become Public, and the Fastest Way to Find Yours (Disrupt:Ops, Oct 22 2018)
Eight (Yes, Eight) Ways Amazon S3 Data Becomes Public…The interplay between these can be a little confusing so we’ll walk through the interactions after we list them out.

In a tweet Monday Andy Jassy, CEO of Amazon Web Services…Bloomberg should retract it’s story… (Twitter, Oct 23 2018)
“@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract. https://t.co/RZzuUt9fBM”

“Davos in the Desert” website hack highlights Saudi terror links (Quartz, Oct 23 2018)
Screenshots show that the hack of the Future of Investment Initiative site also called out Saudi complicity in Jamal Khashoggi’s murder.

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

Why Everyone Automates in Cloud (Disrupt:Ops, Oct 19 2018)
“Clicking through a web based user interface for repetitive tasks is not overly efficient, and becomes more and more time-consuming and frustrating. This isn’t just due to bad user interfaces from the cloud providers (and let’s be honest, some of them are pretty terrible), if you think about it we are trying to manage effectively every aspect of a data center from a single web interface. Not. Going. To. Happen. Thus the next natural step…Is to move into using the command line interfaces, but these face equal complexity.”

Solving the cloud infrastructure misconfiguration problem (Help Net Security, Oct 18 2018)
“The threats to cloud infrastructure are automated, so automated remediation is a requirement to effectively manage misconfiguration risk. His advice to CISOs is to set up a team that includes developers who understand cloud APIs and can automate every repetitive aspect of cloud security, starting with cloud configuration.”

3 Public Cloud Security Myths Debunked (SecurityWeek, Oct 18 2018)
MYTH: “The public cloud is not safe.” MYTH: “The public cloud is easier to attack.” MYTH: “In the public cloud, anyone can access my data.”

Safeguarding hybrid-cloud infrastructures through identity privilege management (Help Net Security, Oct 22 2018)
“Who can touch the infrastructure? How many identities have access to the infrastructure? What privileges do they have? What can they do with those privileges? What privileges are they actually using? Not using? Which resources are they performing actions on?

How to create and manage users within AWS Single Sign-On (AWS Security Blog, Oct 17 2018)
AWS Single Sign-On (AWS SSO) is a cloud service that allows you to grant your users access to AWS resources, such as Amazon EC2 instances, across multiple AWS accounts. By default, AWS SSO now provides a directory that you can use to create users, organize them in groups, and set permissions across those groups.

Firewall rules logging: a closer look at GCP’s new network compliance and security tool (Google Cloud Blog, Oct 19 2018)
…firewall rules logging let you audit, verify, and analyze the effects of your firewall rules. In other words, you can validate that every connection established in your workload matches the conditions in your allow-access firewall rules; and similarly, that every connection matching a deny-access firewall rule is blocked.

Oracle Doubles Down on Cloud Security With CASB, WAF, DDoS Protection (eWEEK, Oct 23 2018)
At OpenWorld 2018, Oracle announces a series of new security capabilities to help protect its cloud customers.

Introducing Private DNS Zones: resolve to keep internal networks concealed (Google Cloud Blog, Oct 23 2018)
Got private networks on Google Cloud Platform (GCP), but still want to use Google Cloud DNS, our fast, scalable, and reliable Domain Name System (DNS) service?

Protecting Cloud Storage with WORM, key management and more updates (Google Cloud Blog, Oct 23 2018)
“We’re excited to announce the general availability of Cloud Storage Bucket Lock, which enables you to prevent the deletion or modification of content for a period of time that you specify. This will be especially useful to those of you who need WORM (Write Once Read Many)-compliant or immutable storage.”

Tripwire for DevOps offers security configuration assessment of containers (Help Net Security, Oct 23 2018)
Tripwire unveiled that Tripwire for DevOps now offers security configuration assessment. Made generally available earlier this year as a software-as-a-service (SaaS) solution, Tripwire for DevOps now gives a view of security and compliance risk within DevOps application infrastructure by adding configuration assessment capabilities to the existing vulnerability management capabilities.

Repairnator bot finds software bugs, successfully submits patches (Help Net Security, Oct 22 2018)
Can a bot create valid, high-quality fixes for software bugs more rapidly than a human can, and get them accepted by human developers and permanently merged in the code base?

Tumblr Vulnerability Exposed User Account Information (SecurityWeek, Oct 18 2018)
Tumblr on Wednesday disclosed a vulnerability that could have been exploited to obtain user account information, including email addresses and protected passwords.

Mozilla Brings Encrypted SNI to Firefox Nightly (SecurityWeek, Oct 19 2018)
Mozilla says Firefox Nightly now supports encrypting the Transport Layer Security (TLS) Server Name Indication (SNI) extension, several weeks after Cloudflare announced it turned on Encrypted SNI (ESNI) across all of its network.

Wallarm Advances Application Security with FAST 2.0 (eWEEK, Oct 22 2018)
Wallarm has raised $8 million in a Series A round of funding that will be used to help the company further develop and expand the capabilities of its application security platform.

Popular website plugin harboured a serious 0-day for years (Naked Security – Sophos, Oct 22 2018)
The flaw in the popular file uploader allows an attacker to upload files and run their own command line shell on any affected server.

Adult websites shuttered after 1.2 million user details exposed (Naked Security – Sophos, Oct 23 2018)
It’s not even close to the number of users affected by the massive Ashley Madison breach, but the results could be just as devastating to those who are affected.