A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Top 10 Security Blog posts in 2019 so far (AWS Security Blog, Jul 01 2019)
The top 10 posts from 2019 based on page views
– How to automate SAML federation to multiple AWS accounts from Microsoft Azure Active Directory
– How to centralize and automate IAM policy creation in sandbox, development, and test environments
– AWS awarded PROTECTED certification in Australia
– Setting permissions to enable accounts for upcoming AWS Regions
– How to use service control policies to set permission guardrails across accounts in your AWS Organization
– Alerting, monitoring, and reporting for PCI-DSS awareness with Amazon Elasticsearch Service and AWS Lambda
– Updated whitepaper now available: Aligning to the NIST Cybersecurity Framework in the AWS Cloud
– How to visualize Amazon GuardDuty findings: serverless edition
– Guidelines for protecting your AWS account while using programmatic access
– How to quickly find and update your access keys, password, and MFA setting using the AWS Management Console

Provider of Data Integration Services for Fortune 100 Firms Exposed Sensitive Files (SecurityWeek, Jun 28 2019)
Attunity, a Qlik-owned data integration and big data management company whose solutions are used by over 2,000 enterprises and half of the Fortune 100 firms, exposed a significant amount of sensitive data through unprotected Amazon S3 buckets.

How Hackers Infiltrate Open Source Projects (Dark Reading, Jun 27 2019)
The dependency trees of modern software development make smaller open-source projects vulnerable to hackers sabotaging code.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

AWS Launches Mirroring Feature for Inspecting Network Traffic (SecurityWeek, Jun 26 2019)
Amazon Web Services (AWS) on Tuesday announced the launch of VPC Traffic Mirroring, a new feature that allows users to capture and inspect network traffic from their Amazon EC2 instances.

Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers (Krebs on Security, Jun 28 2019)
“It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Microsoft Azure and Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors.”

Over-reliance on public cloud vendor security puts data and companies at risk of breach (Help Net Security, Jun 28 2019)
A majority of organizations (62 percent) are unaware that credentials, secrets and privileged accounts exist in IaaS and PaaS environments. Only 49 percent currently have a privileged access security strategy in place for cloud infrastructure and workloads.

Seven Considerations for Doing Secure Cloud Migration (eWEEK, Jun 28 2019)
Three out of every four organizations on the planet have some sort of cloud presence. According to a 2018 IDG survey, 77 percent of enterprises now have at least one application or some portion of their enterprise computing infrastructure in the cloud. Enterprises also revealed in that same report that they planned to invest an average of $3.5M on cloud apps, platforms, and services.

Eliminating fragmentation unlocks opportunities to realize the promise of the cloud (Help Net Security, Jul 02 2019)
Additionally, data copies can increase fragmentation challenges. A third of respondents (33 percent) have four or more copies of the same data in public cloud environments, which can not only increase storage costs but create data compliance challenges.

Disaster recovery readiness is essential for hybrid and multi-cloud strategies (Help Net Security, Jul 03 2019)
87% considered it to be an important part of their disaster recovery readiness. The ability to shift workloads from one cloud to another was a key factor, with 34% of those who have done so citing disaster recovery as the motivation.

Risk Analysis: Unikernels vs. Containers, et al. (IT Pro, Jul 01 2019)
Unikernels boast limited attack surface and fast execution, but they can be inflexible and challenging to maintain.

A Security-First Approach to DevOps (Dark Reading, Jul 01 2019)
A lack of a security mandate in the development process has given rise to the recognized need for application security.

To benefit from DevOps implementation, security and dev teams must communicate better (Help Net Security, Jul 03 2019)
Part of the challenge is believed to be — despite enthusiasm for DevOps, which has seen 81% of organizations already implement or currently work on projects — nearly half of respondents (46%) have only partially developed their DevOps strategy. IT leaders polled confirmed that enhancing IT security is more of a priority (46%) in DevOps than any other factor.

5 Ways DevSecOps Can Manage Software Supply Chains (DevOps, Jul 01 2019)
The unbridled use of open source components within the software supply chain is on a major uptick, according to new research. Even as this surge in open source dependencies fuels faster innovation, the study shows that it comes with high cybersecurity costs, as the number of breaches related to these components is similarly on the rise.

Handling Manual Tests in Serenity BDD (DevOps Zone, Jul 03 2019)
One of the principles of BDD is to have a single source of truth for both the requirements that describe a feature and the automated tests that verify them. And it is a natural step to want to include both automated and manual tests in this single source of truth.

DevSecOps and Developers (DevOps Zone, Jul 03 2019)
Developers need to consider their productivity, the OWASP Top 10, education, processes, and best practices.

Secure and Scalable CI/CD Pipeline With AWS (DevOps Zone, Jul 02 2019)
Amazon and DevOps go hand-in-hand with a number of tools and processes that enable an efficient CI/CD pipeline.

DevSecOps Concerns (DevOps Zone, Jul 02 2019)

Pair of vulnerabilities could have enabled takeover of EA gamer accounts (SC Magazine, Jun 26 2019)
The subdomain hijack was made possible because the EA Games subdomain eaplayinvite.ea.com was observed connecting via CNAME (Canonical Name) record to an obsolete Microsoft Azure web address, ea-invite-reg.azurewebsites.net, that at one time hosted cloud-based services for the gaming company. Because ea-invite-reg.azurewebsites.net was no longer active, the researchers were able to register that web address with their own private Microsoft Azure account, claiming it as their own.
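The dangling-CNAME pattern described above is something a zone owner can check for routinely. The following is an added example (not code from the article or from EA): it scans a constructed zone export for CNAMEs that point at self-service provider zones such as azurewebsites.net and whose target no longer resolves. The `resolves` callback and the list of provider suffixes beyond azurewebsites.net are assumptions; in practice `resolves` would be a real DNS lookup.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Provider zones where an unclaimed hostname can be registered by anyone
# with an account. Azure App Service (azurewebsites.net) is the case in the
# article; the other entries are assumed examples of the same pattern.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
)


def is_takeover_prone(target: str) -> bool:
    """True if the CNAME target lives on a self-service provider zone."""
    t = target.rstrip(".").lower()
    return any(t.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def find_dangling_cnames(records: Iterable[Tuple[str, str, str]],
                         resolves: Callable[[str], bool]) -> List[Dict[str, str]]:
    """Return CNAME records whose target is takeover-prone and no longer
    resolves, i.e. the backing service was deleted but the alias remained."""
    findings = []
    for name, rtype, value in records:
        if rtype != "CNAME":
            continue
        target = value.rstrip(".")
        if not is_takeover_prone(target) or resolves(target):
            continue
        findings.append({"name": name, "target": target,
                         "risk": "dangling CNAME to unclaimed provider hostname"})
    return findings


# Constructed sample zone export; the first record uses the names from the
# article, the rest are placeholders under example.com.
SAMPLE_RECORDS = [
    ("eaplayinvite.ea.com", "CNAME", "ea-invite-reg.azurewebsites.net."),
    ("www.example.com", "CNAME", "site-live.azurewebsites.net."),
    ("api.example.com", "A", "203.0.113.10"),
    ("blog.example.com", "CNAME", "ghs.googlehosted.com."),
]

# Constructed resolver result standing in for a real DNS lookup.
_LIVE_HOSTS = {"site-live.azurewebsites.net", "ghs.googlehosted.com"}


def sample_resolves(host: str) -> bool:
    return host.rstrip(".") in _LIVE_HOSTS


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_RECORDS, sample_resolves):
        print(f"{f['name']} -> {f['target']}: {f['risk']}")
```

The remediation for any hit is to delete the alias or re-create the backing resource before anyone else can claim the name.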

Chrome OS 75 Adds More Mitigations for Intel MDS Flaws (SecurityWeek, Jun 27 2019)
Chrome OS version 75, which Google released on Wednesday in the stable channel, adds more mitigations for recently disclosed Microarchitectural Data Sampling (MDS) vulnerabilities affecting most Intel processors made in the last decade.

Four in 10 North American Banks Don’t Use EV Certificates (Infosecurity Magazine, Jul 01 2019)
Banks in Europe and North America use some form of SSL but are still vulnerable to phishing, says Sectigo.