A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

How Facebook Catches Bugs in Its 100 Million Lines of Code (Wired, Aug 15 2019)
For the past four years, Facebook has quietly used a homegrown tool called Zoncolan to find bugs in its massive codebase.

AWS: No Significant Issues at Other Alleged Targets of Capital One Hacker (SecurityWeek, Aug 19 2019)
Amazon Web Services (AWS) has reached out to customers allegedly targeted by Paige Thompson, the individual accused of hacking Capital One Financial, but says none of them reported any significant issues.

Multiple HTTP/2 DoS flaws found by Netflix (Naked Security – Sophos, Aug 19 2019)
Netflix has identified several denial of service (DoS) flaws in HTTP/2, a popular network protocol that underpins large parts of the web. Exploiting them could bring servers grinding to a halt.

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

A compendium of container escapes (Help Net Security, Aug 15 2019)
In this Help Net Security podcast recorded at Black Hat USA 2019, Brandon Edwards, Chief Scientist at Capsule8, talks about about a compendium of container escapes, and the RunC vulnerability in particular.

Securing the cloud: Visibility, compliance and vulnerability management (Help Net Security, Aug 21 2019)
In this Help Net Security podcast recorded at Black Hat USA 2019, Hari Srinivasan, Director of Product Management for Qualys, talks about the basics of securing your cloud.

Tough Love: Debunking Myths about DevOps & Security (Dark Reading, Aug 19 2019)
It’s time to move past trivial ‘shift left’ conceptions of DevSecOps and take a hard look at how security work actually gets accomplished.

Firefox fixes “master password” security bypass bug (Naked Security – Sophos, Aug 15 2019)
The bug’s in Firefox, but our advice is worth reading whether you use Firefox or not.

Software Vulnerabilities in the Boeing 787 (Schneier on Security, Aug 16 2019)
Boeing left its software unprotected, and researchers have analyzed it for vulnerabilities: “At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System.”

GitHub Now Scans Commits for Atlassian, Dropbox, Discord Tokens (SecurityWeek, Aug 20 2019)
Microsoft-owned GitHub on Monday announced that its token scanning service will also check commits for Atlassian, Dropbox, Discord, Proctorio and Pulumi tokens that have been accidentally shared.

Facebook Adds Instagram to Data Abuse Bug Bounty Program (Infosecurity Magazine, Aug 20 2019)
Social network wants reports on third-party apps abusing privacy

Backdoored Ruby gems stole credentials, injected cryptomining code (Help Net Security, Aug 21 2019)
The compromise of several older versions of a popular Ruby software package (aka a Ruby “gem”) has led to the discovery of a more widespread effort to inject malware and mining software through Trojanized gems.

Google and Mozilla Block Kazakhstan’s Browser Spying Tool (VICE, Aug 21 2019)
Two of the main browser makers announced they would block the Kazakhstan government’s root certificate, which was designed to spy on citizens’ internet usage.