A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Attackers breached Docker Hub, grabbed keys and tokens (Help Net Security, Apr 29 2019)
Docker, the company behing the popular virtualization tool bearing the same name, has announced late on Friday that it has suffered a security breach. There was no official public announcement. Instead, the company sent an alert to potentially affected customers and urged them to change their passwords check their security logs. What happened? “On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data,” the company shared. “During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.”

NIST tool boosts chances of finding dangerous software flaws (Naked Security – Sophos, Apr 29 2019)
NIST thinks it has reached an important milestone in complex software testing with something called Combinatorial Coverage Measurement (CCM).

Ransomware disables Cleveland airport’s email systems, information screens (SC Magazine, Apr 25 2019)
A ransomware attack reportedly has affected email, payroll and record-keeping systems at Cleveland Hopkins International Airport this week and also darkened the transportation facility’s information screens And according to a report from local news outlet WKYC, the attackers may have also accessed airport employee payroll records containing personal information.

8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favority way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

How to Build a Cloud Security Model (Dark Reading, Apr 26 2019)
Security experts point to seven crucial steps companies should be taking as they move data and processes to cloud environments.

AWS re:Inforce 2019 – Security, Identity, and Compliance (AWS News Blog, Apr 24 2019)
“AWS re:Inforce, our new conference dedicated to cloud security, opens in Boston on June 25th. We’re expecting about 8,000 attendees, making this bigger than the first re:Invent! Just like re:Invent, re:Inforce is a learning conference for builders.”

AWS Security Profiles: Paul Hawkins, Security Solutions Architect (AWS Security Blog, Apr 24 2019)
“Leading up to AWS Summit Sydney, we’re sharing our conversation with Paul Hawkins, who helped put together the summit’s “Secure” track, so you can learn more about him and some of the interesting work that he’s doing.”

Securing Azure SQL Databases with managed identities just got easier (Microsoft Azure Blog, Apr 25 2019)
This release enables simple and seamless authentication to Azure SQL Database for existing .NET applications with no code changes – only configuration changes! Up until this release, developers who wanted their existing SQL applications to use managed identities and AAD-based authentication were required to make code changes to retrieve and set the access token used for authentication.

‘DevOoops’ Moves: Unforeseen Lock-Outs (DevOps, Apr 30 2019)
When you’re automating deployments using configuration as code, make sure you have the right protections in place (i.e., validation of configuration). Otherwise, it’s easy to lock yourself out, forcing yourself to manually log in to each machine to fix it when a bad change is pushed and deployed to all the machines.

How We Keep Our WordPress Site Safe from Vulnerabilities That Have No Fix or are Undisclosed (WhiteHat Security, Apr 26 2019)
After some investigation, it turns out that WhiteHat’s production WordPress site is not actually WordPress. What we have is a site that runs WordPress in development. When changes are ready to deploy to production, they are run through a static generator first, and the static pages are pushed to production. Because our website is not actually WordPress but a “copy” of the pages, this makes us safe against almost every attack out there – WordPress specific or not. Imagine that WhiteHat’s live website is not actually a WordPress site, but a collection of screenshots – and you can’t hack a screenshot.