A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

AWS re:Invent Security Recap: Launches, Enhancements, & Takeaways (AWS Blog, Dec 10 2018)
Here are the top Security, Identity and Compliance releases from re:Invent 2018…

Google+ to shut earlier as new bug exposed data of 52.5 million users (WeLiveSecurity, Dec 11 2018)
There is no evidence that the flaw was misused during the six days it was alive, said the tech giant.

Forget Shifting Security Left; It’s Time to Race Left (Dark Reading, Dec 12 2018)
Once DevOps teams decide to shift left, they can finally look forward instead of backward.

Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras


AWS Inferentia Could Reduce Cost of ML, to Further Democratize AI (Gartner Blog Network, Dec 10 2018)
The major cloud providers are launching fabless semiconductor business units to drive AI ecosystems, from the cloud to the edge and back…The AWS chip strategy is different from Google’s end-to-end chipset strategy. Inferentia chips will run in cloud datacenters, where AWS claims customers can achieve cost efficiencies around inferencing (which, according to AWS, eats up around 90% of the compute costs of ML, with only 10% being consumed by training).

49% of Cloud Databases Left Unencrypted (Dark Reading, Dec 11 2018)
Businesses also leave information vulnerable in the cloud by failing to implement MFA and configure Kubernetes settings, new research reveals.

New Relic introduces Kubernetes cluster explorer (Help Net Security, Dec 11 2018)
New Relic introduced the Kubernetes cluster explorer, a new way for DevOps teams to understand the health and performance of their Kubernetes environments.

Exploring container security: This year, it’s all about security. Again. (Cloud Blog, Dec 10 2018)
In general, Kubernetes has made huge security strides this year, and giant strides on Google Cloud. Let’s take a look at what changed this year for Kubernetes security.

Third-Party Investigator Says No Evidence of ‘Spy Chips’ on Supermicro Motherboards (IT Pro, Dec 12 2018)
The hardware vendor hired an investigations firm to help it mend reputation damaged by allegations of a supply chain breach.

6 Cloud Security Predictions for 2019 (Dark Reading, Dec 10 2018)
How the fast pace of cloud computing adoption in 2018 will dramatically change the security landscape next year.

Creating an opportunistic IPSec mesh between EC2 instances (AWS Security Blog, Dec 12 2018)
IPSec (IP Security) is a protocol for in-transit data protection between hosts. Configuration of site-to-site IPSec between multiple hosts can be an error-prone and intensive task. If you need to protect N EC2 instances, then you need a full mesh of N*(N-1) IPSec tunnels. You must manually propagate every IP change to all instances, configure credentials and configuration changes, and integrate monitoring and metrics into the operation. The efforts to keep the full-mesh parameters in sync are enormous.

Automate analyzing your permissions using IAM access advisor APIs (AWS Security Blog, Dec 10 2018)
As an administrator that grants access to AWS, you might want to enable your developers to get started with AWS quickly by granting them broad access. However, as your developers gain experience and your applications stabilize, you want to limit permissions to only what they need. To do this, access advisor will determine the permissions your developers have used by analyzing…
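The workflow the post describes (start an access advisor job for a principal, read back which services it actually used, then trim the grants it never touches) is easy to script. The following is an added example, not code from the AWS post: the sample policy and the sample report are constructed by hand, the report in the shape returned by iam.get_service_last_accessed_details(), and the `fetch_report` helper is the only part that talks to AWS (it needs boto3 and credentials and is not exercised offline).

```python
"""
Added example (not AWS's code): right-size an IAM policy from access advisor data.

Assumptions: SAMPLE_POLICY and SAMPLE_REPORT are constructed samples; the report
matches the shape of iam.get_service_last_accessed_details() (service-level
last-used data; LastAuthenticated is absent for a service never used).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample policy: broad "getting started" grants for a developer role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed sample report (one page; a live response may set IsTruncated/Marker).
SAMPLE_REPORT = {
    "JobStatus": "COMPLETED",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": datetime(2018, 12, 1, tzinfo=timezone.utc),
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb",
         "LastAuthenticated": datetime(2018, 5, 20, tzinfo=timezone.utc),
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "AWS Identity and Access Management",
         "ServiceNamespace": "iam", "TotalAuthenticatedEntities": 0},
    ],
}

# Reference "now" for the sample data (the week of the post).
NOW = datetime(2018, 12, 12, tzinfo=timezone.utc)


def allowed_namespaces(policy):
    """Service namespaces granted by Allow statements ('s3:GetObject' -> 's3').
    A bare '*' action is returned as '*' so the caller can flag it explicitly."""
    namespaces = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            namespaces.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return namespaces


def unused_services(report, now, max_idle_days=90):
    """Namespaces in the report that were never used or idle beyond the threshold."""
    cutoff = now - timedelta(days=max_idle_days)
    unused = []
    for svc in report["ServicesLastAccessed"]:
        last = svc.get("LastAuthenticated")
        if last is None or last < cutoff:
            unused.append(svc["ServiceNamespace"])
    return sorted(unused)


def prune_candidates(policy, report, now, max_idle_days=90):
    """Services the policy grants that access advisor shows are not being used:
    the grants to remove (or scope down) first."""
    granted = allowed_namespaces(policy)
    if "*" in granted:
        # Access advisor reports per service, so a wildcard grant cannot be
        # narrowed from the policy text alone; surface it rather than guess.
        raise ValueError("policy grants '*'; replace it with explicit services first")
    return [ns for ns in unused_services(report, now, max_idle_days) if ns in granted]


def fetch_report(arn, poll_seconds=2):
    """Optional live helper: generate_service_last_accessed_details() starts an
    asynchronous job; get_service_last_accessed_details() is polled until the
    JobStatus leaves IN_PROGRESS (COMPLETED or FAILED)."""
    import time
    import boto3  # only needed for live use
    iam = boto3.client("iam")
    job_id = iam.generate_service_last_accessed_details(Arn=arn)["JobId"]
    while True:
        report = iam.get_service_last_accessed_details(JobId=job_id)
        if report["JobStatus"] != "IN_PROGRESS":
            return report
        time.sleep(poll_seconds)


if __name__ == "__main__":
    print("unused grants:", prune_candidates(SAMPLE_POLICY, SAMPLE_REPORT, NOW))
```

Run against the sample data this reports `dynamodb` (last used more than 90 days ago) and `iam` (never used) as the grants to drop from the role first; raise `max_idle_days` if a quarterly batch job is the legitimate consumer. The wildcard check matters because access advisor only tells you which services were used, so a `"Action": "*"` policy has to be rewritten into explicit service grants before this analysis can narrow it.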

Detect Kubernetes Vulnerabilities with InSpec (Chef Blog, Dec 07 2018)
Last week, a critical security vulnerability was uncovered in the Kubernetes API server. The vulnerability, CVE-2018-1002105, uncovers an attack vector that would allow an unprivileged or unauthenticated user to escalate their privileges and run arbitrary commands with cluster-admin level access. The severity of this vulnerability is compounded by the fact that because these unauthorized requests are made over established connections to the API, there is no easy way to determine whether systems have been exploited by examining audit and server logs.
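Because exploitation leaves little trace in the API server logs, the practical check is whether the API server runs a release that carries the fix. The following is an added example of that check in plain Python, not the InSpec profile from the Chef post. It assumes the upstream fixed releases 1.10.11, 1.11.5, 1.12.3 and 1.13.0 (older minor branches received no fix), and the `kubectl version -o json` sample is constructed; a vendor-suffixed version string (such as a `-gke.N` build) may carry a backport and is reported for manual verification rather than judged by its upstream number.

```python
"""
Added example (not Chef's InSpec profile): decide whether a Kubernetes API server
build is in a release range patched for CVE-2018-1002105.

Assumptions: upstream fixes shipped in 1.10.11, 1.11.5, 1.12.3 and 1.13.0;
branches before 1.10 were unsupported and never patched; SAMPLE_KUBECTL_JSON is
a constructed sample in the shape of `kubectl version -o json`.
"""
import json
import re

# First patched patch-level per minor branch; minors >= 13 carry the fix from 1.13.0.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}
FIRST_FIXED_MINOR = 13
OLDEST_PATCHED_MINOR = 10

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+](.*))?$")


def parse_version(git_version):
    """'v1.12.2' -> (1, 12, 2, None); 'v1.11.4-gke.13' -> (1, 11, 4, 'gke.13')."""
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def assess(git_version):
    """Return 'vulnerable', 'patched' or 'verify with vendor' for a server version."""
    major, minor, patch, suffix = parse_version(git_version)
    if major != 1:
        return "verify with vendor"
    if minor >= FIRST_FIXED_MINOR:
        patched = True
    elif minor < OLDEST_PATCHED_MINOR:
        patched = False
    else:
        patched = patch >= FIXED_PATCH[minor]
    if patched:
        return "patched"
    # Upstream number is below the fix; a vendor suffix means the build may
    # carry a backport, so do not call it vulnerable on the number alone.
    return "verify with vendor" if suffix else "vulnerable"


def assess_kubectl_json(output):
    """Assess the serverVersion section of `kubectl version -o json` output."""
    server = json.loads(output)["serverVersion"]
    return server["gitVersion"], assess(server["gitVersion"])


# Constructed sample of `kubectl version -o json` from an unpatched 1.12 cluster.
SAMPLE_KUBECTL_JSON = json.dumps({
    "clientVersion": {"major": "1", "minor": "12", "gitVersion": "v1.12.3"},
    "serverVersion": {"major": "1", "minor": "12", "gitVersion": "v1.12.2",
                      "platform": "linux/amd64"},
})

if __name__ == "__main__":
    for v in ("v1.9.11", "v1.10.11", "v1.11.4", "v1.11.5", "v1.12.2", "v1.13.0"):
        print(f"{v:<10} {assess(v)}")
    print(assess_kubectl_json(SAMPLE_KUBECTL_JSON))
```

Feed it `kubectl version -o json` from each cluster context; the server version is what matters, the client version is irrelevant here. The same version table is what an InSpec control would compare against, and the "verify with vendor" outcome is the caveat a managed-Kubernetes user needs: a build number below the upstream fix is not proof of exposure when the provider ships its own patched images.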

Adventures in Video Conferencing Part 2: Fun with FaceTime (Project Zero, Dec 05 2018)
“FaceTime is Apple’s video conferencing application for iOS and Mac. It is closed source, and does not appear to use any third-party libraries for its core functionality. I wondered whether fuzzing the contents of FaceTime’s audio and video streams would lead to similar results as WebRTC.”

Cryptography failure leads to easy hacking for PlayStation Classic (Ars Technica, Dec 10 2018)
Plug-and-play hardware lacks even basic functional security for crucial bootrom.

Grammarly Takes Bug Bounty Program Public (Dark Reading, Dec 11 2018)
The private bug bounty program has nearly 1,500 participants and is ready for a public rollout with HackerOne.

How can businesses get the most out of pentesting? (Help Net Security, Dec 10 2018)
For organizations that don’t know where to start when it comes to selecting a pentester, let’s take a look at a few guidelines to follow when starting a project.

Tackling ads abuse in apps and SDKs (Google Online Security Blog, Dec 07 2018)
Google Play has been working to minimize app install attribution fraud for several years. In 2017 Google Play made available the Google Play Install Referrer API, which allows ad attribution providers, publishers and advertisers to determine which referrer was responsible for sending the user to Google Play for a given app install.

6.8% of the top 100,000 websites still accept old, insecure SSL versions (Help Net Security, Dec 12 2018)
Mac-based malware has appeared on the list of the top ten most common types of malware for the first time in WatchGuard’s quarterly Internet security report.