A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
FBI: Don’t Trust HTTPS or Padlock on Websites (Infosecurity Magazine, Jun 12 2019)
Feds warn that hackers are increasingly using certs to ‘secure’ their phishing sites
Cross-Site Scripting Errors Continue to Be Most Common Web App Flaw (Dark Reading, Jun 11 2019)
In vulnerability disclosure programs, organizations are paying more in total for XSS issues than any other vulnerability type, HackerOne says.
Facebook Quietly Changes Search Tool Used by Investigators, Abused By Companies (VICE, Jun 10 2019)
Facebook’s Graph Search allowed anyone to search a wealth of public data on Facebook in very specific ways, such as searching content for keywords in a particular point in time.
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
The Google Cloud Catch-22 That Broke the Internet (Wired, Jun 07 2019)
A Google Cloud outage that knocked huge portions of the internet offline also blocked access to the tools Google needed to fix it.
Google continues to preach multi-cloud approach with Looker acquisition (TechCrunch, Jun 07 2019)
When Google announced it was buying Looker yesterday morning for $2.6 billion, you couldn’t blame some of the company’s 1,600 customers if they worried a bit if Looker would continue its multi-cloud approach. But Google Cloud chief Thomas Kurian made clear the company will continue to support an open approach to its latest purchase when it joins the fold later this year.
How to securely provide database credentials to Lambda functions by using AWS Secrets Manager (AWS Security Blog, Jun 06 2019)
“As a solutions architect at AWS, I often assist customers in architecting and deploying business applications using APIs and microservices that rely on serverless services such as AWS Lambda and database services such as Amazon Relational Database Service (Amazon RDS). Customers can take advantage of these fully managed AWS services to unburden their teams from infrastructure operations and other undifferentiated heavy lifting, such as patching, software maintenance, and capacity planning.”
Google Cloud named a leader in the Forrester Wave: Data Security Portfolio Vendors, Q2 2019 report (Google Cloud Blog, Jun 11 2019)
The report evaluates a vendor’s portfolio of offerings specific to data security and includes both cloud and on-premise offerings.
2019 State of DevOps (Dark Reading, Jun 06 2019)
DevOps is needed in today’s business environment, where improved application security is essential and users demand more applications, services, and features – fast. We sought to see where DevOps adoption and deployment stand, this report summarizes our survey findings.
There’s a significant disconnect between DevOps capabilities and DevSecOps readiness (Help Net Security, Jun 10 2019)
To support retailers in adopting a DevSecOps approach to app development, Hayes-Warren believes that in-house development teams should be provided with regularly updated security training courses. These should include continuous monitoring and analytics throughout the DevOps lifecycle
Firefox aims at Google with Enhanced Tracking Prevention (Naked Security – Sophos, Jun 06 2019)
The latest version of Firefox, 67.0.1, features a fully-fledged version of Mozilla’s Enhanced Tracking Protection (ETP) privacy system.
UChicago Medicine secures database after publicly exposing info on donors and patients (SC Magazine, Jun 05 2019)
The University of Chicago Medicine scrambled to secure a database containing information on patients as well as existing and potential financial donors, after a researcher discovered that a misconfiguration left nearly 1.68 million records exposed to the public.
Cryptocurrency wallet GateHub hacked, nearly $10 million worth of Ripple (XRP) stolen (Graham Cluley, Jun 07 2019)
Cryptocurrency wallet service GateHub has warned that over 100 customers have had their ledger wallets hacked and funds stolen.
Chinese Uni Exposes 8TB+ of Email Metadata (Infosecurity Magazine, Jun 11 2019)
Misconfigured Elasticsearch database again to blame