A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

MIT Report: Fixing a Hole: The Labor Market for Bugs (Infosecurity Magazine, Jan 15 2019)
The top seven participants in the Facebook program studied made just $34,255 per year from an average of 0.87 bugs per month, while from the HackerOne dataset it was estimated that they made just $16,544 from 1.17 bugs per month.

More .gov Domains Hit by Government Shutdown (SecurityWeek, Jan 16 2019)
The number of US government domains for which TLS certificates were left to expire due to the government shutdown has now exceeded 130, UK-based cybersecurity solutions provider Netcraft reported on Wednesday.

New AWS services launch with HIPAA, PCI, ISO, and SOC – a company first (AWS Security Blog, Jan 10 2019)
“For the first time, we’ve launched new Generally Available services with PCI DSS, ISO 9001/27001/27017/27018, SOC 2, and HIPAA eligibility. That means customers who rely on or require these compliance programs can select from 10 brand new services right away, without having to wait for one or more trailing audit cycles.”


Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras

Security Expectations and Mis-Conceptions in Migrating ERP to the Cloud (SecurityWeek, Jan 14 2019)
Compliance challenges are the third most concerning issue for all companies in the survey at 54.29%. The biggest concern is over the practical issues around migrating sensitive data (64.76%), with general security concerns second at 59.05%.

Researchers Reveal Play With Docker Security Vulnerability (eWEEK, Jan 14 2019)
Researchers from CyberArk discovered a way to hack the popular Play-with-Docker training site, escaping the confines of the container isolation boundary, revealing misconfigurations that have now been fixed.

Former IBM Security Execs Launch Cloud Data Security Startup (Dark Reading, Jan 15 2019)
Sonrai Security, the brainchild of two execs from IBM Security and Q1 Labs, debuts with $18.5 million in Series A funding.

Container Deployments Bring Security Woes at DevOps Speed (Dark Reading, Jan 09 2019)
Nearly half of all companies know that they’re deploying containers with security flaws, according to a new survey.

Security at the Speed of DevOps: Maturity, Orchestration, and Detection (Dark Reading, Jan 09 2019)
Container and microservices technologies, including the orchestrator Kubernetes, create an extraordinary opportunity to build infrastructure and applications that are secure by design.

Threat modelling joins DevSecOps processes through automation (Help Net Security, Jan 10 2019)
Created by Continuum Security, IriusRisk 2.0 is a tool that enables threat modelling at scale and provides follow-up throughout the development process via integration with developer workflows and security testing tools. As the security industry makes a move towards DevSecOps – where secure development processes are largely automated – there is an increased desire to shift security left into the design phase along with a focus to automate as much as possible.

Why Hyatt Is Launching a Public Bug Bounty Program (eWEEK, Jan 10 2019)
Weeks after Marriott disclosed a massive data breach at its Starwood Hotels division, rival hotel chain Hyatt announces a new effort to help improve cyber-security.

Scapy-Sploit, Plugin Problems and the Year of Drupal (Infosecurity Magazine, Jan 09 2019)
Attackers target WordPress plugins and Drupal vulnerabilities, says Imperva.

Trading site data leak sprayed out keys to users’ accounts (Naked Security – Sophos, Jan 11 2019)
A trader believes he could easily have obtained admin access to the site and potentially have stolen the funds of its 600,000 users.

Firefox 69 to Disable Adobe Flash by Default (SecurityWeek, Jan 14 2019)
Mozilla will soon disable Adobe Flash by default in Firefox, the first step toward completely removing support for the plugin in the browser.

UK Banks Finally Issue New Cards After Ticketmaster Breach (Infosecurity Magazine, Jan 15 2019)
Suspicious activity was first reported to the ticketing firm in April.

ICANN housecleaning revokes old DNS security key (Network World Security, Jan 15 2019)
The Internet Corporation for Assigned Names and Numbers (ICANN) this week will do some important housecleaning from its successful, first-ever cryptographic key change performed last October.

Fake Movie injects malicious content into high profile sites (SC Magazine, Jan 14 2019)
A malicious Windows shortcut file disguised as a movie on The Pirate Bay torrent tracker is capable of injecting attacker-supplied content into high-profile websites as well as stealing cryptocurrency. A security researcher who goes by the Twitter handle 0xffff0800 discovered the malware masquerading as a video file for the movie.

Hack a Tesla Model 3, get cash and the car (Help Net Security, Jan 15 2019)
For this year’s edition of the Pwn2Own hacking contest at CanSecWest, security researchers are invited to attempt to exploit a Tesla Model 3.

Online Fraud: Now a Major Application Layer Security Problem (Dark Reading, Jan 15 2019)
The explosion of consumer-facing online services and applications is making it easier and cheaper for cybercriminals to host malicious content and launch attacks.

Bluehost and other popular web hosting sites found to be full of flaws (SC Magazine, Jan 15 2019)
The web-hosting platform Bluehost was found to contain multiple account takeover and information leak vulnerabilities. Independent researcher and bug-hunter Paulos Yibelo has identified four vulnerabilities, one of which is a “High” severity information leak through CORS misconfigurations that could allow attackers to steal personally identifiable information, partial payment details and tokens…

Amadeus booking system flaw could have exposed info on millions of travelers (SC Magazine, Jan 15 2019)
A recently discovered vulnerability in the Amadeus online reservation system made it possible to access and change reservations with just a booking number.