A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
First American Financial Leaked Hundreds of Millions Records (KrebsonSecurity, May 24 2019)
“The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.”
GitHub introduces Dependabot-powered automated security fixes (Help Net Security, May 28 2019)
“With the help of Dependabot, GitHub will monitor your dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version,” Justin Hutchings, Senior Product Manager at GitHub, explained…
Millions of Canva users’ data stolen as GnosticPlayers strikes again (Naked Security – Sophos, May 28 2019)
The initial breach notification was topped with marketing fluff: an unfortunate choice, given what could be the resulting glazed eyeballs.
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Companies increasingly investing in container adoption, security remains an issue (Help Net Security, May 23 2019)
87 percent of IT professionals are now running container technologies, with 90 percent of those running in production and 7 in 10 running at least 40 percent of their application portfolio in containers — an impressive increase from two years ago, when just 67 percent of teams were running container technologies in production, a Portworx and Aqua Security survey reveals.
The security challenges of managing complex cloud environments (Help Net Security, May 22 2019)
Cloud creates configuration and visibility problems: When asked to rank on a scale of 1 to 4 the aspects of managing security in public clouds they found challenging, respondents cited proactively detecting misconfigurations and security risks as the biggest challenge (3.35), closely followed by a lack of visibility into the entire cloud estate (3.21). Audit preparation and compliance (3.16), holistic management of cloud and on-prem environments (3.1), and managing multiple clouds (3.09) rounded out the top five.
Vulnerability management solution Tripwire IP360 released on AWS Marketplace (Help Net Security, May 28 2019)
Tripwire has joined the global partner program for Amazon Web Services (AWS). As a new Advanced Technology Partner of the AWS Partner Network (APN), Tripwire has now made its vulnerability management solution, Tripwire IP360, available on the AWS Marketplace.
AWS and the CLOUD Act (AWS Security Blog, May 28 2019)
…a few of the key misunderstandings about the CLOUD Act in order to help customers understand that this law should not change how they use cloud services.
AWS Security Profiles: Stephen Quigg, Principal Security Solutions Architect, Financial Services Industry (AWS Security Blog, May 23 2019)
“In the weeks leading up to re:Inforce, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.”
The DevSecOps Equilibrium (DevOps Zone, May 27 2019)
“The Sec in DevSecOps means the security folks are explicitly invited to the table. The dilemma is the fact that the invitation isn’t implied.”
Alphabet’s Chronicle Explores Code-Signing Abuse in the Wild (Dark Reading, May 22 2019)
A new analysis highlights the prevalence of malware signed by certificate authorities and the problems with trust-based security.
WhiteHat Security’s Approach to Detecting Cross-Site Request Forgery (CSRF) (WhiteHat Security, May 28 2019)
– What is CSRF?
– How do we decide which CSRF to report?
– How do software security tools find CSRF today?
– How do we test for CSRF?
– Why do we consider CSRF unresolved if there are XSS or HTTP Response Splitting vulnerabilities present in the website?
LinkedIn Allowed TLS Certificate to Expire—Again (SecurityWeek, May 22 2019)
Microsoft-owned social media giant LinkedIn has once again put user data and privacy at risk by allowing a TLS certificate to expire.
Twitch Flooded with Streams of ‘Game of Thrones’, Porn, and the Christchurch Attack Video (VICE, May 27 2019)
After no one watched streams for Valve-created game Artifact, some users started their own meme streams. Then other content seeped in.
Web App Vulnerabilities Flying Under Your Radar (Dark Reading, May 28 2019)
A penetration tester shows how low-severity Web application bugs can have a greater effect than businesses realize.