A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Magecart compromised 17,000+ sites via unsecured S3 buckets (Help Net Security, Jul 11 2019)
When they find one that is misconfigured to allow anyone to view and edit the files it contains, they search for JavaScript files, download them, add their skimming code to the bottom, and overwrite the script on the bucket.

Tesla Awards Researcher $10,000 After Finding XSS Vulnerability (SecurityWeek, Jul 15 2019)
A researcher has earned $10,000 from Tesla after discovering a stored cross-site scripting (XSS) vulnerability that could have been exploited to obtain — and possibly modify — vehicle information.

New Analysis by Alcide Finds 89% of Kubernetes Deployments Not Leveraging Secrets Resources (Container Journal, Jul 15 2019)
To keep multi-cluster Kubernetes safe, Alcide announces its Alcide Advisor integration with Azure DevOps, automating Kubernetes hygiene drift detection and prevention for Azure customers.

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

The Security of Cloud Applications (Dark Reading, Jul 11 2019)
Despite the great success of the cloud over the last decade, misconceptions continue to persist. Here’s why the naysayers are wrong.

Do cloud apps make you a target for cyber attacks? (Help Net Security, Jul 10 2019)
Surveying 1,050 IT decision makers globally, Thales’ 2019 Access Management Index revealed that cloud applications (49%) are listed in the top three reasons an organization might be attacked, just behind unprotected infrastructure such as IoT devices (54%) and web portals (50%).

How to set up Microsoft Cloud App Security (Network World Security, Jul 11 2019)
This new add-on will let you set up alerts about suspicious sign-on activity for Office 365 and other cloud apps.

Is Machine Learning the Future of Cloud-Native Security? (Dark Reading, Jul 15 2019)
The nature of containers and microservices makes them harder to protect. Machine learning might be the answer going forward.

Judge dismisses Oracle lawsuit over $10B Pentagon JEDI cloud contract (TechCrunch, Jul 12 2019)
Oracle has been complaining about the procurement process around the Pentagon’s $10 billion, decade-long JEDI cloud contract, even before the DoD opened requests for proposals last year. It went so far as to file a lawsuit in December, claiming a potential conflict of interest on the part of a procurement team member. Today, that case was dismissed in federal court.

Microsoft, Google and Apple clouds banned in Germany’s schools (Naked Security – Sophos, Jul 17 2019)
Citing privacy issues, Germany just banned its schools from using Microsoft Office 365, Google Docs, and Apple’s iWork cloud services.

How to get specific security information about AWS services (AWS Security Blog, Jul 15 2019)
“We’re excited to announce the launch of dedicated security chapters in the AWS documentation for over 40 services. Security is a key component of your decision to use the cloud. These chapters can help your organization get in-depth information about both the built-in and the configurable security of AWS services.”

Transforming the Security Team Into a DevOps Partner (DevOps, Jul 16 2019)
Securing DevOps environments is an increasingly important concern for chief information security officers (CISOs) and security teams. While developers often recognize security is important, it is not their top priority. More typically, the DevOps team prioritizes delivering new capabilities and features to the business and customers, often as part of a larger digital transformation initiative. And, developers often view security as something that will slow down deployments.

Software Developers Face Secure Coding Challenges (Dark Reading, Jul 15 2019)
Seven in ten developers are expected to write secure code, but less than half receive feedback on security, a survey finds.

Instagram Account Takeover Vulnerability Earns Hacker $30,000 (SecurityWeek, Jul 15 2019)
A researcher claims to have received $30,000 from Facebook after discovering a critical vulnerability that could have been exploited to easily hack Instagram accounts.

Critical WordPress plugin flaw leaves 200,000 sites at risk (SC Magazine, Jul 16 2019)
A critical security flaw in a WordPress plugin allows threat actors to remotely execute PHP code. The vulnerability is found in the Ad Inserter plugin, a plugin that is currently installed in more than 200,000 sites, and stems from the use of check_admin_referer() for authorization.

Security Teams Often Struggle to Get Developers on Board: GitLab Study (SecurityWeek, Jul 16 2019)
A GitLab study based on responses from over 4,000 software professionals shows a disconnect between developer and security teams, and suggests that good DevOps can be the solution to security problems.

Best Practices in Identifying and Remediating Vulnerabilities (WhiteHat Security, Jul 16 2019)
It’s in the nature of cybersecurity that every technology vendor and service provider is vulnerable to security breaches and attacks in some form.