A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Wikipedia fights off huge DDoS attack (Naked Security – Sophos, Sep 11 2019) Wikipedia has suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.

Court Rules That ‘Scraping’ Public Website Data Isn’t Hacking (VICE, Sep 11 2019) The Ninth Circuit Court of Appeals shot down LinkedIn’s claim that a company that was using its public facing data was violating the Computer Fraud and Abuse Act.

Chrome bumps ineffective EV certificates off the omnibar (Naked Security – Sophos, Sep 10 2019) Ever notice a missing company name next to the URL address bar? Ever change behavior because of it? Likely not, so bye-bye, useless badge.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

70% of educational orgs don’t have an appropriate cloud security budget (Help Net Security, Sep 10 2019) 53% of educational organizations are ready to start deploying a cloud-first strategy for all new services and technologies, up from 40% last year. However, every third organization in this sector experienced a cloud breach in the previous year.

Snyk grabs $70M more to detect security vulnerabilities in open source code and containers (TechCrunch, Sep 10 2019) Open source — Snyk works as an integration into existing developer workflows, compatible with the likes of GitHub, Bitbucket and GitLab, as well as CI/CD pipelines — was an easy target to hit. It’s used in 95% of all enterprises, with up to 77% of open-source components liable to have vulnerabilities, by Snyk’s estimates. Containers are a different issue. “The security concerns around containers are almost more about ownership than technology,”

How to Secure Authorization in the Cloud (eWEEK, Sep 10 2019) In the cloud environment, it is all the more important to define strong privileges. Each entity, machine or storage space should have its own specific purpose, and communication between services should be according to need and use.

AWS and the European Banking Authority Guidelines on Outsourcing (AWS Security Blog, Sep 09 2019) The European Banking Authority (EBA), an EU financial supervisory authority, recently provided EU financial institutions (which includes credit institutions, certain investment firms, and payment institutions) with new outsourcing guidelines (PDF), which also apply to the use of cloud services.

How to add DNS filtering to your NAT instance with Squid (AWS Security Blog, Sep 04 2019) Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources on a virtual private network that you’ve defined. On an Amazon VPC, many people use network address translation (NAT) instances and NAT gateways to enable instances in a private subnet to initiate outbound traffic to the Internet, while preventing the instances from receiving inbound traffic initiated by someone on the Internet.

Exploring container security: Bringing Shielded VMs to GKE with Shielded GKE Nodes (Google Cloud Blog, Sep 09 2019) “Where workloads go, attackers follow. As more organizations adopt containers and deploy sensitive workloads with Kubernetes, there are new container-specific surface areas that need to be hardened. Today, we are announcing Shielded GKE Nodes in beta, which provides strong, verifiable node identity and integrity to increase the protection of your Google Kubernetes Engine (GKE) nodes.”

How to engage continuous oversight in the cloud (SC Magazine, Sep 10 2019) A common oversight in many organizations is failing to formally assign responsibilities for continuous oversight of information security, privacy and compliance requirements and risks. Key responsibilities need to be identified and documented to be effective. For continuous oversight, management and improvement, these responsibilities fall under four primary activities…

DNS-over-HTTPS Coming to Firefox (SecurityWeek, Sep 09 2019) Mozilla this week announced plans to gradually roll-out DNS-over-HTTPS (DoH) in Firefox starting this month, though only users in the United States will receive it in the beginning.