A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Google increases bounties for Chrome, Google Play bugs (Help Net Security, Jul 22 2019)
Bug hunters searching for security flaws in Google’s offerings are now vying for higher bounties. Microsoft has launched a new bug bounty program. Google’s changes: since 2010, when Google started the Chrome Vulnerability Reward Program to reward security researchers who invest their time and effort to discover bugs in Chrome and Chrome OS, the company has raised the offered bounty amounts a number of times.
Google Chrome is ditching its XSS detection tool (Naked Security – Sophos, Jul 18 2019)
Google’s throwing in the towel on XSS Auditor and putting its trust in Trusted Types instead.
QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack (Krebs on Security, Jul 19 2019)
“Cloud hosting provider iNSYNQ says it is trying to recover from a ransomware attack that shut down its network and has left customers unable to access their accounting data for the past three days. Unfortunately for iNSYNQ, the company appears to be turning a deaf ear to the increasingly anxious cries from its users for more information about the incident.”
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
New open source solution reduces the risks associated with cloud deployments (Help Net Security, Jul 19 2019)
An open source user computer environment (UCE) for the Amazon Cloud, called Galahad, has been launched by the University of Texas at San Antonio (UTSA). The technology is intended to protect people using desktop applications running on cloud platforms such as Amazon Web Services (AWS). Galahad will leverage nested virtualization, layered sensing and logging to mitigate cloud threats.
93% of Orgs Worry About Cloud Security (Infosecurity Magazine, Jul 17 2019)
Two cloud security reports show data leaking in the cloud is a major concern.
How Cybercriminals Break into the Microsoft Cloud (Dark Reading, Jul 22 2019)
Microsoft and Trimarc researchers explore the most common attacks against the cloud and effective defenses and mitigation.
DisruptOps: Build Your Own Multi-Cloud Security Monitoring in 30 Minutes or Less with StreamAlert (Securosis Blog, Jul 19 2019)
“One of the most difficult problems in cloud security is building comprehensive multi-account/multi-cloud security monitoring and alerting. I’d say maybe 1 out of 10 organizations I assess or work with have something effective in place when I first show up.”
Don’t Leave Your S3 Buckets Wide Open (Chef Blog, Jul 19 2019)
In this article from UpGuard, its research team talks about finding unsecured S3 buckets containing information that really shouldn’t have been out in the wild, like passwords and system information. Digging around in the AWS console to confirm your S3 buckets aren’t available to the world is one way to check, but you can also programmatically add your buckets to your Chef InSpec profiles so a public bucket fails a compliance run before you lose control of your data.
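As an added example (not code from the newsletter, UpGuard or Chef), here is the check logic behind such a control in plain Ruby, InSpec’s language: it flags the two ways a bucket becomes wide open, a public ACL grant or an unconditioned bucket policy allowing everyone, and runs offline over constructed documents shaped like the GetBucketAcl and GetBucketPolicy responses. The bucket name, owner ID and sample grants are constructed placeholders.

```ruby
require 'json'

# The two S3 predefined groups that make an ACL grant "public".
PUBLIC_GROUPS = [
  'http://acs.amazonaws.com/groups/global/AllUsers',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
].freeze

# Permissions the ACL grants to everyone (e.g. ["READ"]); empty when none.
def public_acl_grants(acl)
  acl.fetch('Grants', []).select { |g|
    g.dig('Grantee', 'Type') == 'Group' && PUBLIC_GROUPS.include?(g.dig('Grantee', 'URI'))
  }.map { |g| g['Permission'] }
end

# A principal is "anyone" when it is "*" or {"AWS": "*"} (AWS also accepts a list).
def anonymous_principal?(principal)
  return true if principal == '*'
  return false unless principal.is_a?(Hash)
  Array(principal['AWS']).include?('*')
end

# Allow statements open to anyone with no Condition. Conditioned statements
# (source IP, VPC endpoint, ...) are left out here and deserve manual review.
def public_policy_statements(policy_json)
  statements = JSON.parse(policy_json)['Statement']
  statements = [statements] if statements.is_a?(Hash) # a single statement may be a bare object
  Array(statements).select do |s|
    s['Effect'] == 'Allow' && anonymous_principal?(s['Principal']) && !s.key?('Condition')
  end
end

def bucket_public?(acl, policy_json)
  !public_acl_grants(acl).empty? || !public_policy_statements(policy_json).empty?
end

# Constructed sample: ACL gives AllUsers READ, and the policy also allows
# anonymous s3:GetObject on every object in the bucket.
SAMPLE_ACL = { 'Grants' => [
  { 'Grantee' => { 'Type' => 'CanonicalUser', 'ID' => 'OWNER-ID-PLACEHOLDER' }, 'Permission' => 'FULL_CONTROL' },
  { 'Grantee' => { 'Type' => 'Group', 'URI' => PUBLIC_GROUPS[0] }, 'Permission' => 'READ' }
] }.freeze
SAMPLE_POLICY = JSON.generate('Version' => '2012-10-17', 'Statement' => [
  { 'Effect' => 'Allow', 'Principal' => '*', 'Action' => 's3:GetObject',
    'Resource' => 'arn:aws:s3:::example-bucket/*' }
])

puts "example-bucket public? #{bucket_public?(SAMPLE_ACL, SAMPLE_POLICY)}" if $PROGRAM_NAME == __FILE__
```

Inside an InSpec profile the same data would come from the AWS API via the profile’s S3 resource, with `bucket_public?` turned into a failing `it` expectation.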
Security Lessons From a New Programming Language (Dark Reading, Jul 18 2019)
A security professional needed a secure language for IoT development. So he wrote his own, applying learned lessons about memory and resources in the process.
Still not using HTTPS? Firefox is about to shame you (Naked Security – Sophos, Jul 18 2019)
Two years after promising to report all HTTP-based web pages as insecure, Mozilla is about to deliver.
Securing modern web apps: A case for framework-aware SAST (Help Net Security, Jul 22 2019)
Static analysis tools use a variety of techniques to analyze both framework and application code for vulnerabilities. For example, cross-module data flow tracking follows data as it originates from web requests and flows into the application’s functions, which helps identify sources and sinks for cross-site scripting (XSS) and injection scenarios. Look for a tool that detects issues with authorization, hardcoded passwords, certificate usage, insecure (non-SSL) communication, and issues relating to leakage of sensitive data.