A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

The State of Web Application Vulnerabilities in 2018 (Imperva, Jan 09 2019)
“As we did last year, we took a look back at 2018 to understand the changes and trends in web application security over the past year…The dominant category this year was by far injections, with 19% (3,294) out of the total vulnerabilities of 2018, which is also a 588% increase from last year. When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injections. When drilling down the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 1,980 vulnerabilities (11.5%), compared to 1,354 vulnerabilities (8%) for SQLi.”

Rise of DevOps exposes organizations to risk via container vulnerabilities (Help Net Security, Jan 08 2019)
60 percent of respondents to a Tripwire and Dimensional Research study reported their organizations have experienced container security incidents in the past year. Yet, of the 269 respondents who currently have containers in production, 47 percent said they deployed containers known to have vulnerabilities, while 46 percent admitted they deployed containers without knowing whether or not they had vulnerabilities.

GitHub Free users now get unlimited private repositories (TechCrunch, Jan 07 2019)
If you’re a GitHub user, but you don’t pay, this is a good week. Historically, GitHub always offered free accounts but the caveat was that your code had to be public. To get private repositories, you had to pay. Starting tomorrow, that limitation is gone. Free GitHub users now get unlimited private projects with up […]

Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras


Protego Labs Boosts Serverless Security With Open-Source Project (eWEEK, Jan 07 2019)
Serverless computing offers new opportunities for cloud efficiency, but it also comes with new risks that Protego Labs is looking to help enterprises better understand.

Radware to acquire ShieldSquare for expansion of its cloud security portfolio (Help Net Security, Jan 07 2019)
“This acquisition allows us to expand our portfolio with robust bot management solutions that strongly fit our strategic goal to continue and deepen our integrated portfolio, organically and inorganically. Bot management can stand alone as product offerings as well as integrate into our suite of attack mitigation solutions,” said Roy Zisapel, Radware CEO.

Sophos Acquires Avid Secure, Expands Cloud Security (Infosecurity Magazine, Jan 08 2019)
Sophos moves to augment cloud business strategy with acquisition of next-gen cloud infrastructure security company

How to use AWS WAF to filter incoming traffic from embargoed countries (AWS Security Blog, Jan 09 2019)
AWS WAF provides inline inspection of inbound traffic at the application layer to detect and filter against critical web application security flaws from common web exploits that could affect application availability, compromise security, or consume excessive resources. The inbound traffic is inspected against web access control list (web ACL) rules that you can create manually or programmatically—either through AWS WAF Security Automations or through the AWS Marketplace.

IAST Technology Is Revolutionizing Sensitive Data Security (Infosec Island, Jan 08 2019)
IAST is the optimal way to test application security, detect sensitive data leakage, and prevent breaches.

Singapore Airlines Software Bug Results in Breach (Infosecurity Magazine, Jan 07 2019)
285 KrisFlyer accounts exposed because of software glitch

EU Offering Bug Bounties on Critical Open-Source Software (Schneier on Security, Jan 09 2019)
The EU is offering “bug bounties on Free Software projects that the EU institutions rely on.”