A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Supply Chain Hackers Snuck Malware Into Videogames (Wired, Apr 23 2019)
…evidence that the same hackers who targeted Asus with that sort of supply chain hack earlier this year have also targeted three different videogame developers—this time aiming even higher upstream, corrupting the programming tools relied on by game developers.

Facebook: we logged 100x more Instagram plaintext passwords than we thought (Naked Security – Sophos, Apr 19 2019)
Facebook has updated ‘tens of thousands of plaintext Instagram passwords ended up in logfile’ to say it was more like a million.

Hotspot finder app blabs 2 million Wi-Fi network passwords (Naked Security – Sophos, Apr 23 2019)
If you used WiFi Finder, your passwords to both public and private networks have been left online in an unprotected database.


8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favority way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn


Getting started with Cloud Security Command Center (Google Cloud Blog, Apr 18 2019)
“Last week at Google Cloud Next ‘19, we announced the general availability of Cloud Security Command Center (Cloud SCC), a security management and data risk tool for GCP resources that helps you prevent, detect, and respond to threats from a single pane of glass…Let’s take a deeper look at how to use Cloud SCC to prevent, detect, and respond to threats.”

Cloud Security Spend Set to Reach $12.6B by 2023 (Dark Reading, Apr 18 2019)
Growth corresponds with a greater reliance on public cloud services.

AWS Organizations now available in the AWS GovCloud (US) Regions for central governance and management of AWS accounts (AWS Security Blog, Apr 18 2019)
“AWS GovCloud (US) organizations are completely separate from commercial organizations and are managed independently of one another. The two most common models used to structure your AWS GovCloud (US) organization in relation to an existing commercial organization are a single company model or a reseller/partner model.”

Pentagon’s Designer of $10 Billion JEDI Cloud Is Stepping Down (IT Pro, Apr 23 2019)
The Pentagon official who developed a controversial $10 billion cloud-computing project is stepping down after four years of efforts to upgrade the Defense Department’s information technology systems.

Detecting threats targeting containers with Azure Security Center (Microsoft Azure Blog, Apr 22 2019)
“More and more services are moving to the cloud and they bring their security challenges with them. In this blog post, we will focus on the security concerns of container environments.”

DevSecOps: Fast development without sacrificing safety (Help Net Security, Apr 19 2019)
The key tenets of DevOps—automation, continuous improvement, adopting microservice-based architecture—are all part of an organization’s competitiveness in the marketplace. But moving fast within the context of the cloud—and developing and deploying applications and services across cloud or a hybrid of on-premise and cloud has practically become the norm—means more opportunities for attackers to get through.

Shifting to DevSecOps Is as Much About Culture as Technology and Methodology (SecurityWeek, Apr 23 2019)
As more companies go through this cycle of shifting left, it’s only natural to see the business get ahead of security. And as everyone goes through this transition, we’re going to see more exposure as a result of that gap, with the business developing apps at a rate that the security organization is still trying to match.

Ad blocker firms rush to fix security bug (Naked Security – Sophos, Apr 17 2019)
If you’re using an ad blocker to filter out online commercials, then beware: You might be vulnerable to a new attack that enables hackers to compromise your browser.

Flashpoint: Our site was not dishing malware (SC Magazine, Apr 23 2019)
In what Flashpoint called an “after action report,” the company denied the website was itself infected with malware, but did admit that on April 12-13 the WordPress Yuzo Related Posts plugin used on the site was susceptible to a zero day flaw that was being exploited. However, the company flatly denied Dancho Danchev’s statement that Flashpoint was delivering malware to its site’s visitors.