A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Apple fighting pirate app developers, will insist on 2FA for coders (Sophos, Feb 15 2019)
Are you an Apple developer? Care about security? Using 2FA? You will be soon…

Switzerland offers cash for finding security holes in its e-voting system (WeLiveSecurity, Feb 19 2019)
The ‘public intrusion test’ is starting on February 25 and will run until March 24, when the would-be ballot box will be decrypted and opened, according to this announcement on the blog of Swiss Post, which operates the system.

Chef Habitat and the runC vulnerability (CVE-2019-5736) (Chef Blog, Feb 13 2019)
“An article was shared yesterday detailing a runC vulnerability that affects Docker and Kubernetes where a malicious container can overwrite a host system’s runC binary, thus allowing root-level code execution on the host. This is an operations nightmare and it made me think of how Chef Habitat can help in these situations. I’d like to give a high-level overview of how to apply defense-in-depth philosophy with Habitat and help you prevent or address these kinds of vulnerabilities in the future.”


8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras



Exploit Code Published for Recent Container Escape Vulnerability (SecurityWeek, Feb 18 2019)
Proof-of-concept (PoC) code is now publicly available for a recently disclosed container escape vulnerability impacting popular cloud platforms, including AWS, Google Cloud, and numerous Linux distributions.

How to visualize Amazon GuardDuty findings: serverless edition (AWS Security Blog, Feb 18 2019)
Amazon GuardDuty is a managed threat detection service powered by machine learning that can monitor your AWS environment with just a few clicks. This blog provides an alternate solution to Visualizing Amazon GuardDuty Findings, in which the authors describe how to build an Amazon Elasticsearch Service-powered Kibana dashboard to ingest and visualize Amazon GuardDuty findings.

How Azure Security Center helps you protect your environment from new vulnerabilities (Microsoft Azure Blog, Feb 14 2019)
Recently the disclosure of a vulnerability (CVE-2019-5736) was announced in the open-source software (OSS) container runtime, runc. This vulnerability can allow an attacker to gain root-level code execution on a host. Runc is the underlying container runtime underneath many popular containers. Azure Security Center also offers several methods that can be applied to mitigate or detect malicious behavior.

Google’s managed hybrid cloud platform is now in beta (TechCrunch, Feb 20 2019)
Last July, at its Cloud Next conference, Google announced the Cloud Services Platform, its first real foray into bringing its own cloud services into the enterprise data center as a managed service. Now, the Cloud Services Platform (CSP) is launching into beta.

Building security into cloud native apps with NGINX (Help Net Security, Feb 19 2019)
Companies like Airbnb, Uber and DoorDash, which have a cloud-based software infrastructure as one of their main enablers, are disrupting the hospitality, transportation and food delivery sector. Why do all these new companies use the cloud and what advantages does it give them?

Google paid out $3.4m in bug bounties last year (Naked Security – Sophos, Feb 14 2019)
317 researchers from 78 countries turned 2018 into a worldwide bug-crunching spree.

Cryptojacking Applications Land in Microsoft Store (SecurityWeek, Feb 15 2019)
Eight applications designed to mine for crypto-currency without users’ knowledge made their way into the Microsoft Store, Symantec has discovered.

CSRF Vulnerability in Facebook Earns Researcher $25,000 (SecurityWeek, Feb 15 2019)
A researcher says he received a $25,000 bounty from Facebook after he discovered a critical cross-site request forgery (CSRF) vulnerability that could have been exploited to hijack accounts simply by getting the targeted user to click on a link.

White-Hat Bug Bounty Programs Draw Inspiration from the Old West (Dark Reading, Feb 15 2019)
These programs are now an essential strategy in keeping the digital desperados at bay.

Web Application Security Poses Greatest Risk (Infosecurity Magazine, Feb 19 2019)
The average time to fix a web app vulnerability is 77.5 days, says Edgescan.

Virus attack! Hackers unleash social media worm after bug report ignored (Naked Security – Sophos, Feb 20 2019)
Is it ok to launch a benign proof of concept that you know will go wide, to bring a flaw to people’s attention, or should you stay quiet?

Google’s working on stopping sites from blocking Incognito mode (Naked Security – Sophos, Feb 20 2019)
Google Chrome’s Incognito mode hasn’t been an impenetrable privacy shield: For years, it’s been a snap for web developers to detect when Chrome users are browsing in private mode and to block site visitors who use it. Now it looks like Google plans to close that loophole.

GitHub Increases Bug Bounty Program Rewards, Expands Scope (SecurityWeek, Feb 19 2019)
After paying out $250,000 in bug bounties in 2018, GitHub has decided to increase rewards and expand the scope of its bug bounty program.