A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Online casino group leaks information on 108 million bets, user details (ZDNet, Jan 23 2019)
Server is now down but is unclear if the cloud provider took it down and if the parent company knows it leaked users details in the first place.

Protecting privileged access in DevOps and cloud environments (Help Net Security, Jan 18 2019)
While security strategies should address privileged access and the risk of unsecured secrets and credentials, they should also closely align with DevOps culture and methods to avoid negatively impacting developer velocity and slowing the release of new services.

Microsoft launches Azure DevOps bug bounty program (Help Net Security, Jan 21 2019)
Microsoft has launched yet another bug bounty program and is urging security researchers to look into the security of Azure DevOps, its cloud service for collaborating on code development.

Tell Your Friends
If you’re enjoying Mosaic’s independent news curation, forward it to a friend today. “Hey, instead of sifting through vendor marketing and duplicate news, I found this curated news feed from Mosaic Security Research. Check it out.”
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Beware the man in the cloud: How to protect against a new breed of cyberattack (Help Net Security, Jan 21 2019)
To gain access to cloud accounts, MitC attacks take advantage of the OAuth synchronisation token system used by cloud applications. The majority of popular cloud services – Dropbox, Microsoft OneDrive, Google Drive, and more – each save one of these tokens on a user’s device after initial authentication is completed. This is done to improve usability – users don’t have to enter their password every time they attempt to access an app if they have an OAuth token.

The Rx for HIPAA Compliance in the Cloud (Dark Reading, Jan 18 2019)
For medical entities, simply following HIPAA cloud service provider guidelines is no longer enough to ensure that your practice is protected from cyber threats, government investigations, and fines.

Agents of disruption: Four testing topics argue the case for agentless security (Help Net Security, Jan 22 2019)
Agentless solutions allow for faster deployments, decreased asset management and testing requirements, leading to less resource requirements and an overall lower Total Cost of Ownership (TCO). Here are four questions to ask yourself regarding agent-based solutions

Add a layer of security for AWS SSO user portal sign-in with context-aware email-based verification (AWS Security Blog, Jan 16 2019)
“You can use AWS Single Sign-On (AWS SSO) to create and manage users centrally and grant access to AWS accounts and business applications, such as such Salesforce, Box, and Slack. When you use AWS SSO, your users sign in to a central portal to access all of their AWS accounts and applications. Today, we launched email-based verification that provides an additional layer of security for users signing in to the AWS SSO user portal.”

PCI Council Releases New Software Framework for DevOps Era (Dark Reading, Jan 18 2019)
The PCI Software Security Framework will eventually replace PCI DA-DSS when it expires in 2022.

How to Turn Your DevSecOps Shift into Your ‘Pixar Moment’ (DevOps, Jan 21 2019)
“Moving to DevSecOps is often more about changing an organization’s cultural identity than any technical changes. I’ve have seen it happen successfully in several places. Here’s what they had in common:”

Click2Gov breach threatens credit card data of Hanover County residents (SC Magazine, Jan 16 2019)
A data breach of an third-party online payment system has compromised the personal information of Hanover County, Virginia, residents.

Downloads of cracked software distribute ransomware via adware bundles (SC Magazine, Jan 22 2019)
Websites offering cracked versions of popular software programs have recently been serving up adware bundles that secretly deliver a variant of STOP ransomware. According to a pair of reports from Bleeping Computer founder Lawrence Abrams, the scheme came to light in December 2018 with the appearance of the malicious encryptor “Djvu”…