A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Chrome extension devs must drop deceptive install tactics (Help Net Security, May 31 2019)
After announcing its intention to limit third-party developers’ access to Chrome’s webRequest API, which is used by many ad-blocking extensions to filter out content, Google has followed up with announcements for a few more changes meant “to create stronger security, privacy, and performance guarantees”: Chrome extension developers must ditch any deceptive installation tactic they have been using. Extensions must only request access to the appropriate data needed to implement their features…

LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach (Krebs on Security, Jun 04 2019)
“Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.”

Growing reliance on open source libraries leaves many companies vulnerable (Help Net Security, Jun 03 2019)
Organizations are becoming increasingly dependent on open source libraries (OSLs) to develop code for software and websites. However, Jing Xie, senior threat intelligence researcher for Venafi, warns that the growing reliance on OSLs for software development leaves many companies vulnerable to trust-based attacks. Cybercriminals use trust attacks to maliciously manipulate and insert code into open source libraries, taking advantage of organizations’ dependence on them.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Docker Vulnerability Opens Servers to Container Code (Dark Reading, May 29 2019)
Under very specific conditions, code running in a Docker container could access files anywhere on a server, according to a new CVE.

Palo Alto Networks Said to Buy Twistlock (Dark Reading, May 29 2019)
Reports in Israel-based business publications say Palo Alto Networks has reached a deal to purchase the container security startup, as well as another Israeli security startup.

Docker race condition flaw could grant attackers root access to host file system (SC Magazine, May 29 2019)
All versions of Docker container software contain an unpatched race condition vulnerability that could grant attackers read-write access to the host file system with root privileges.

Vulnerability Leaves Container Images Without Passwords (Dark Reading, May 30 2019)
An old vulnerability in Alpine Linux containers has spread and propagated to as much as 20% of the containers on the Docker Store.

Cloud migration journey is more complex than anticipated for innovation and efficiency (Help Net Security, Jun 03 2019)
Two-thirds of large enterprises are not realizing the full benefits of their cloud migration journeys, identifying security and the complexity of business and operational change as barriers, according to Accenture.

Threat actors host malware, C2 servers on Microsoft Azure (SC Magazine, Jun 03 2019)
Cybercriminals are storing malicious content, including malware and C2 servers, on Microsoft’s Azure cloud services. In one incident nearly 200 websites showing tech support scams were hosted on the platform, according to a Bleeping Computer blog post. In another incident, threat actors used Azure to host a phishing template for Office 365…

How to use AWS Secrets Manager client-side caching in .NET (AWS Security Blog, May 30 2019)
AWS Secrets Manager now has a client-side caching library for .NET that makes it easier to access secrets from .NET applications. This is in addition to client-side caching libraries for Java, JDBC, Python, and Go.

An update on Sunday’s service disruption (Google Cloud Blog, Jun 03 2019)
A disruption in Google’s network in parts of the United States caused slow performance and elevated error rates on several Google services, including Google Cloud Platform, YouTube, Gmail, Google Drive and others. Because the disruption reduced regional network capacity, the worldwide user impact varied widely. For most Google users there was little or no visible change to their services—search queries might have been a fraction of a second slower than usual for a few minutes but…

Why FedRAMP Matters to Non-Federal Organizations (Dark Reading, Jun 04 2019)
Commercial companies should explore how FedRAMP can help mitigate risk as they move to the cloud.

Embrace chaos to improve cloud infrastructure resilience (Help Net Security, Jun 05 2019)
Netflix is a champion of using chaos engineering to improve the resilience of its cloud infrastructure. That’s how it ensures its customers don’t have their Stranger Things binge watching sessions interrupted. Netflix is one of a growing number of companies including Nike, Amazon and Microsoft that leverage chaos engineering as a means of stress testing their cloud infrastructures against a variety of unpredictable cloud events, such as a loss of cloud resources or entire regions.

Get Cross-Functional: Learn to Let Go and Embrace DevSecOps (SecurityWeek, May 29 2019)
In many organizations, building and securing apps has typically been a siloed affair. The product owner, the network engineer, the developer and the security engineer all come from different teams. And all too often, these teams become fiefdoms that believe their focus is the company’s primary objective. 

10 DevSecOps Implementation Principles (DevOps Zone, Jun 05 2019)
“In response to my question about the keys to successful DevSecOps implementation, Javed provided the following principles I thought you might find valuable…”

WordPress Slick Popup plugin could leave backdoor open to hackers (SC Magazine, May 29 2019)
A vulnerability in the plugin Slick Popup lets hackers get into a WordPress website through a backdoor administrator account.

Chinese Dating Apps Leak US User Data (Infosecurity Magazine, May 31 2019)
A database full of easily identifiable user data has been found by a security researcher.

Theta360 leak exposes 11 million photos, user data (SC Magazine, May 31 2019)
An open database exposed at least 11 million photographs after the Theta360 photo sharing system run by Ricoh was breached.

What the heck is IAST? (Checkmarx, Jun 04 2019)
The application security testing (AST) world is made up of different solutions, all with one ultimate goal – to protect software from hackers and their attacks. SAST and DAST are perhaps the two most common and well-known solutions. In the last few years, a newcomer has gradually received more and more attention – IAST.