A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Malicious Code Planted in ‘strong_password’ Ruby Gem (SecurityWeek, Jul 08 2019)
A developer discovered that an update released for the ‘strong_password’ Ruby gem contained malicious code that allowed an attacker to remotely execute arbitrary code.

Canonical GitHub Account Hijacked (SecurityWeek, Jul 08 2019)
Canonical, the company behind the Ubuntu operating system, confirmed over the weekend that one of its GitHub accounts was hacked.

At the AWS Security Conference, Experts Address Cloud Concerns (IT Pro, Jul 05 2019)
The new AWS security conference brought together experts across the industry to reflect on challenges and best practices in securing public and multi-cloud environments. AWS has used canaries for years now, Shinn said. “Once you state the security intent of how something should or shouldn’t exist in production, we have a set of canaries around making sure that state doesn’t change.”

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Organizations Are Adapting Authentication for Cloud Applications (Dark Reading, Jul 09 2019)
Companies see the changing demands of cloud identity management but are mixed in their responses to those demands.

Cloud Security and Risk Mitigation (Dark Reading, Jul 09 2019)
Just because your data isn’t on-premises doesn’t mean you’re not responsible for security.

Announcing HTTP targets for Cloud Tasks, with OAuth/OpenID connect authentication (Google Cloud Blog, Jul 08 2019)
“Microservices enable you to break up large monolithic applications into smaller chunks that are easy to build, maintain and upgrade. With a microservices architecture, individual services can now offload work to the background and be consumed later by another service. This gives users quicker response times as well as smoother interactions across a mesh of services. 

At Google Cloud Next 2019, we announced Cloud Tasks, a fully managed, asynchronous task execution service that lets you offload long-running asynchronous operations, facilitating point-to-point collaboration and interaction across these microservices. It is already generally available for App Engine targets (tasks that originate from App Engine) and today, we are announcing new HTTP targets in beta that securely reach Google Kubernetes Engine (GKE), Compute Engine, Cloud Run or on-prem systems using industry-standard OAuth/OpenID Connect authentication.”

DevOps’ Inevitable Disruption of Security Strategy (Dark Reading, Jul 09 2019)
Black Hat USA programming will dive into the ways DevOps-driven shifts in practices and tools are introducing both new vulnerabilities and new ways of securing enterprises.

Uber pays out $375K in bug bounties during challenge in London (SC Magazine, Jul 03 2019)
The bounties, which ranged from $500 to $50,000 each, were handed out in real-time during the eight-hour event that brought more than 50 hackers together to hunt for vulnerabilities.

What the AppSec Penetration Test Found (Dark Reading, Jul 09 2019)
New data drills down on the types of security misconfigurations and challenges dogging application developers.