A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Google throws bug bounty bucks at 3rd-party apps (Naked Security – Sophos, Sep 02 2019)
If an app has more than 100 million installs, Google will pay for bugs, even if the app makers already have their own bounty programs.

Cloud Security Boom Creates New Crop of Tech Darlings (Bloomberg, Aug 28 2019)
Global security spending is expected to reach $103.1 billion in 2019, up 9.4% from 2018, according to IDC. And more of the software is running in the cloud as characteristics such as greater processing power and real-time updates combine for better protection. Cloud is expected to account for 38% of security budgets in 2020, up from 18% in 2018

Phishers are Angling for Your Cloud Providers (Krebs on Security, Aug 30 2019)
“Many companies are now outsourcing their marketing efforts to cloud-based Customer Relationship Management (CRM) providers. But when accounts at those CRM providers get hacked or phished, the results can be damaging for both the client’s brand and their customers. Here’s a look at a recent CRM-based phishing campaign that targeted customers of Fortune 500 construction equipment vendor United Rentals.”

One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Knowing what’s on your hybrid-IT environment is fundamental to security (Help Net Security, Aug 29 2019)
So, I’ve talked to multiple CISOs across the enterprises and virtually everybody’s asking the same question: “How do I get to a 100% visibility, real-time visibility of my environment across all of these different heterogeneous infrastructure and architecture?”

CISOs: Cloud is Now Safer Than On-Premises (Infosecurity Magazine, Sep 03 2019)
71% were moderately, very or extremely concerned about malicious activity in the cloud. Over half (56%) cited regulatory fines as their biggest concern, whilst a similar number (54%) pointed to the increasing sophistication of cyber-criminals.

Kubernetes security audit: What GKE and Anthos users need to know (Google Cloud Blog, Aug 30 2019)
While every audit will uncover something, this report only found a relatively small number of significant vulnerabilities that need to be addressed. “Despite many important findings, we did not see fundamental architectural design flaws, or critical vulnerabilities that should cause pause when adopting Kubernetes for high-security workloads or critical business functions,” said Aaron Small, Product Manager, Google Cloud and member of the Security Audit Working Group.

From DevOps to DevSecOps: Owning Cloud Security (DevOps, Sep 03 2019)
DevOps has become part of C-suite and board-level discussions, attesting to the growing critical value of web applications and digital transformation as part of the broader business strategy. However, if the frequency of breaches and the growing concerns of CISOs are any indication, executives aggressively pushing for cloud solutions often have a mistaken understanding of the nature of the security risks that cloud adoption and careless DevOps programs can introduce into their organization.

Facebook Patches Second Account-Takeover Flaw in Instagram (Dark Reading, Aug 28 2019)
The password-recovery mechanism once again puts users of the photo- and video-sharing platform at risk.

Fuzzing 101: Why Bug-Finders Still Love It After All These Years (Dark Reading, Aug 28 2019)
Fuzzing is one of the basic tools in a researcher’s arsenal. Here are the things you should know about this security research foundational tool.

HackerOne Announces Five New $1m White Hats (Infosecurity Magazine, Aug 30 2019)
Talented researchers benefit from bug bounty pay-outs

PDF Reader Biz Breached: Foxit Forces Password Reset (Infosecurity Magazine, Sep 02 2019)
Unknown number of customers had personal data compromised

562,000 Impacted in XKCD Forum Data Breach (SecurityWeek, Sep 03 2019)
The XKCD forum has been taken offline after suffering a data breach that impacted 562,000 subscribers.