A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Apple, Google, GoDaddy misissued TLS certs with weak serial numbers (ZDNet, Mar 20 2019)
Multiple CAs have misissued over 1.2 million TLS certs with weak 63-bit serial numbers, instead of the standard of 64 bits.

Cloudflare Launches New HTTPS Interception Detection Tools (SecurityWeek, Mar 19 2019)
Security services provider Cloudflare on Monday announced the release of two new tools related to HTTPS interception detection. 

Thoughts on Cloud Security (TaoSecurity, Mar 13 2019)
“The book described how cloud security is a big change from enterprise security because it relies less on IP-address-centric controls and more on users and groups. The book talked about creating security groups, and adding users to those groups in order to control their access and capabilities. As I read that passage, it reminded me of a time long ago, in the late 1990s…”


8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favorite way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras



Enterprise Cloud Infrastructure a Big Target for Cryptomining Attacks (Dark Reading, Mar 13 2019)
Despite the declining values of cryptocurrencies, criminals continue to hammer away at container management platforms, cloud APIs, and control panels.

Putting AWS security services to work for you (AWS News Blog, Mar 14 2019)
“At its heart, cybersecurity is simple. It’s a set of processes and controls that work to make sure that whatever I’ve built works as intended… and only as intended. How do I make that happen in the AWS Cloud?”

Moving from traditional on-premise solutions to cloud-based security (Help Net Security, Mar 14 2019)
…a simple way of point clicking, deploying that HSM…you point and you click, and ask you some very simple questions that just about anybody could answer. You don’t need a degree in computer science to do it. It will deploy that HSM in approximately five minutes, rather than having to be a crypto ninja, having to buy all of the equipment up front, build the infrastructure, implement it, maintain it, support it. It’s all done for you.

How to rotate Amazon DocumentDB and Amazon Redshift credentials in AWS Secrets Manager (AWS Security Blog, Mar 15 2019)
Using temporary credentials is an AWS Identity and Access Management (IAM) best practice. Even Dilbert is learning to set up temporary credentials. Today, AWS Secrets Manager made it easier to follow this best practice by launching support for rotating credentials for Amazon DocumentDB and Amazon Redshift automatically. Now, with a few clicks, you can configure Secrets Manager to rotate these credentials automatically, turning a typical, long-term credential into a temporary credential.

Help stop data leaks with the Forseti External Project Access Scanner (Cloud Blog, Mar 13 2019)
Consider the following scenario: a GCP user has permissions in projects across different organizations, the root node in a GCP resource hierarchy. As a member of Organization A, they have permissions in a project under Organization A’s GCP organization node. This user also has permissions in a project under Organization B’s GCP organization node.

Meet the new generation of white hats (Help Net Security, Mar 18 2019)
“What we can say though is that even as this still goes on, the opportunity to get paid legally and not get arrested seems to have drawn many former Black Hats over to the other side of the line.”

Google Open Sources Sandboxed API (SecurityWeek, Mar 19 2019)
Google on Monday announced that it has made available its Sandboxed API as open source in an effort to make it easier for software developers to create secure products.

Glitch exposes Sprint customer data to other users (SC Magazine, Mar 19 2019)
A bug has allowed some Sprint customers to see the personal data of other customers from their online accounts. The information visible includes names, cell phone numbers, as well as calls made by other users, and a TechCrunch report cited one customer saying, “I was able to click each one individually and see…