A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Apple Offers Up to $1 Million in Public Bug Bounty Program (SecurityWeek, Aug 12 2019)
Apple last week announced that it’s making some significant changes to its bug bounty program, making it public and expanding the list of covered products.
The Fundamentals of Developing Effective DevSecOps (SecurityWeek, Aug 07 2019)
The argument for including security within DevOps has largely been won. It is the basis of security by design, and the most effective way of minimizing dormant app vulnerabilities from the huge number of software developments generated in the modern containerized cloud world.
How Apple Pay Buttons Can Make Websites Less Safe (Wired, Aug 08 2019)
Apple Pay itself is safe. But the way websites implement it can cause serious problems….the connection between a site and the Apple Pay infrastructure, and the validation mechanism meant to broker this connection, can be established in a number of different ways, all at the host site’s discretion. An attacker could swap the URL a target site uses to talk to Apple Pay, for instance, with a malicious URL that can send queries or commands to the target site’s infrastructure.
One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Kubernetes security matures: Inside the project’s first audit (Help Net Security, Aug 12 2019)
The research yielded 37 findings, five of which were considered “high severity.” All of these findings have been officially reported to the Kubernetes Product Security Committee and will be, and have already begun to be addressed in the open.
Vulnerability in Kubernetes Allows Access to Custom Resources (SecurityWeek, Aug 08 2019)
A vulnerability addressed this week in the Kubernetes container orchestration system could allow users to read, modify or delete cluster-wide custom resources.
Vulnerability Exposed Microsoft Azure Users to Cyberattack (VICE, Aug 07 2019)
New report says flaw with common remote desktop access protocol left millions of users and researchers open to attack.
How to deploy CloudHSM to securely share your keys with your SaaS provider (AWS Security Blog, Aug 05 2019)
“If your organization is using software as a service (SaaS), your data is likely stored and protected by the SaaS provider. However, depending on the type of data that your organization stores and the compliance requirements that it must meet, you might need more control over how the encryption keys are stored, protected, and used. In this post, I’ll show you two options for deploying and managing your own CloudHSM cluster to secure your keys, while still allowing trusted third-party SaaS providers to securely access your HSM cluster in order to perform cryptographic operations. You can also use this architecture when you want to share your keys with another business unit or with an application that’s running in a separate AWS account.”
Six critical areas to focus on when integrating DevSecOps into an organization (Help Net Security, Aug 09 2019)
While this creates significant increases in overall security risk, organizations that build security into the software lifecycle have better outcomes. To facilitate this, CSA’s DevSecOps Working Group defined the following six areas of focus that are critical to integrating DevSecOps into an organization
Is My Development Environment at Risk? (Dark Reading, Aug 12 2019)
Development environments pose a few unique risks to the organization.
US Air Force Bug Bounty Program Nets 54 Flaws for $123,000 (Dark Reading, Aug 06 2019)
The Air Force brought together 50 vetted hackers to find the vulnerabilities in the latest bug-bounty program hosted by a branch of the US military.
#BHUSA : Open Source is Key to Solving Cyber Skills Gap (Infosecurity Magazine, Aug 07 2019)
At Black Hat USA in Las Vegas, Anomali threat research team manager Joakim Kennedy explained to Eleanor Dallaway why he believes the open source movement in the cybersecurity industry will help to address the skills gap in the industry
How to set up Edge Chromium security options (Network World Security, Aug 07 2019)
Edge Chromium can provide more protection for organizations that use older versions of Windows.
GM Cruise Releases Automated Firmware Security Analyzer to Open Source (SecurityWeek, Aug 08 2019)
The growth of IoT devices has highlighted the difficulties in ensuring firmware security — especially where the device and software are initially sourced from third parties, or developed under time pressures in-house. Now a new firmware analyzer has been released to open source on GitHub.
SQL Injection Vulnerability Exposed Starbucks Financial Records (SecurityWeek, Aug 07 2019)
A critical SQL injection vulnerability exposed nearly one million financial records stored in a Starbucks enterprise database, a researcher revealed this week.
Teen Security Researcher Suspended for Exposing Vulnerabilities in His School’s Software (VICE, Aug 09 2019)
Another vulnerability that Bill Demirkapi found impacted 5,000 schools.
More Focus on Security as Payment Technologies Proliferate (Dark Reading, Aug 12 2019)
Banks and merchants are expanding their payment offerings but continue to be wary of the potential fraud risk.
Pitfalls to avoid when improving your software development skills (Help Net Security, Aug 12 2019)
“It won’t come as a surprise to anyone who works in software development that one of Beattie’s pivotal career experiences is the first (and so far the only) time he accidentally dropped a production database.”
Certificate Giant Slams Plan to Shorten HTTPS Lifespans (Infosecurity Magazine, Aug 13 2019)
Digicert claims no security benefit from proposal for 13-month lifecycles
#DEFCON: Hackers Can Use Netflix Account to Steal Banking Info (Infosecurity Magazine, Aug 12 2019)
One way a financial institution verifies an account holder when they try to gain access is to verify a recent transaction, which is where subscription services come into play. Murdock observed that there are only so many plans that a subscription service offers and the payments typically recur at the same time every month.
Extended Validation Certificates are (Really, Really) Dead (Troy Hunt, Aug 12 2019)
Almost one year ago now, I declared extended validation certificates dead. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they already weren’t