A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
DevSecOps: Recreating Cybersecurity Culture (Dark Reading, Sep 18 2019)
Bringing developers and security teams together guided by a common goal requires some risk-taking. With patience and confidence, it will pay off. Here’s how.
How data breaches forced Amazon to update S3 bucket security (Help Net Security, Sep 23 2019)
Amazon launched its Simple Storage Service (better known as S3) back in 2006 as a platform for storing just about any type of data under the sun…Amazon took this issue head on in November 2018, when they added an option to block all public access globally to every S3 bucket in an account.
Older vulnerabilities and those with lower severity scores still being exploited by ransomware (Help Net Security, Sep 25 2019)
Almost 65% of top vulnerabilities used in enterprise ransomware attacks targeted high-value assets like servers, close to 55% had CVSS v2 scores lower than 8, nearly 35% were old (from 2015 or earlier), and the vulnerabilities used in WannaCry are still being used today, according to RiskSense.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Lion Air the Latest to Get Tripped Up by Misconfigured AWS S3 (Dark Reading, Sep 19 2019)
The breach, which reportedly exposed data on millions of passengers, is one of many that have resulted from organizations leaving data publicly accessible in cloud storage buckets.
Some IT teams move to the cloud without business oversight or direction (Help Net Security, Sep 20 2019)
27% of IT teams in the financial industry migrated data to the cloud for no specific reason, and none of them received financial support from management for their cloud initiatives
99% of misconfiguration incidents in the cloud go unnoticed (Help Net Security, Sep 25 2019)
This research sheds light on the need for security tools to keep up with IaaS-native issues, especially the ability to continuously audit IaaS deployments for initial misconfiguration and configuration drift over time.
How to use AWS Secrets Manager to securely store and rotate SSH key pairs (AWS Security Blog, Sep 18 2019)
AWS Secrets Manager provides full lifecycle management for secrets within your environment. In this post, Maitreya and I will show you how to use Secrets Manager to store, deliver, and rotate SSH keypairs used for communication within compute clusters. Rotation of these keypairs is a security best practice, and sometimes a regulatory requirement. Traditionally, these keypairs have been associated with a number of tough challenges. For example, synchronizing key rotation across all compute nodes, enable detailed logging and auditing, and manage access to users in order to modify secrets.
Google Cloud Firewall Rules Logging: How and why you should use it (Google Cloud Blog, Sep 18 2019)
Google Cloud Platform (GCP) firewall rules are a great tool for securing applications. Firewall rules are customizable software-defined networking constructs that let you allow or deny traffic to and from your virtual machine (VM) instances.
10 Questions To Assess Your Container and Kubernetes Security (Container Journal, Sep 18 2019)
There are many security considerations to be aware of when using Kubernetes—are your images, deployments, nodes and clusters properly locked down? Here are 10 questions you should ask your DevOps and security teams to help ensure your containers and Kubernetes clusters are secure throughout the container life cycle.
BSIMM10 Emphasizes DevOps’ Role in Software Security (Dark Reading, Sep 19 2019)
The latest model, with insights from 122 firms, shows DevOps adoption is far enough along to influence how companies approach software security.
The use of open source software in DevOps has become strategic for organizations of all sizes (Help Net Security, Sep 19 2019)
A higher percentage of top performing teams in enterprise organizations are using open source software, according to a survey conducted by DevOps Research and Assessment (DORA) and Google Cloud. Additionally, the proportion of Elite performers (highest performing teams) nearly tripled from last year, showing that DevOps capabilities are driving performance.
Playing Around’ with Code Keeps Security, DevOps Skills Sharp (Dark Reading, Sep 23 2019)
A project intended to move a small robot around a hazardous board teaches some solid security lessons.
Bridging the Gap Between Security & DevOps (Dark Reading, Sep 24 2019)
An inside look into the engineering mindset of DevOps from the vantage of a career security professional.
Implementing DevSecOps Goes Beyond Technology (DevOps, Sep 25 2019)
…a recurring theme–education, training and support for developers and security teams are as critical as modern application security solutions in implementing DevSecOps.
Google pulls more fake adblockers from Chrome Web Store (Naked Security – Sophos, Sep 23 2019)
Google has again been reprimanded for not spotting fake extensions impersonating popular brands in its Chrome Web Store.
Google Awards $40,000 for Chrome Sandbox Escape Vulnerabilities (SecurityWeek, Sep 23 2019)
Google has paid out a total of $40,000 for a couple of vulnerabilities that can be exploited to escape Chrome’s sandbox.
Revisiting Software Vulnerabilities in the Boeing 787 (Schneier on Security, Sep 19 2019)
“I previously blogged about a Black Hat talk that disclosed security vulnerabilities in the Boeing 787 software. Ben Rothke concludes that the vulnerabilities are real, but not practical.”
Jira development and ticketing software hit by critical flaws (Naked Security – Sophos, Sep 24 2019)
Atlassian admins have a spot of patching work on their hands after the company released updates addressing two critical flaws.
Malware Attack Prompts US Transport Authority to Axe Online Store (Infosecurity Magazine, Sep 24 2019)
SEPTA closes online shop to prevent more cyber-attacks
Understanding and Selecting RASP 2019: Selection Guide (Securosis Blog, Sep 13 2019)
“I can hear the groans from small to medium-sized business looking at this process and thinking this is a ridiculous amount of detail. We developed created a granular selection process, for you to pare down to suit your organization’s requirements. We want to make sure we captured all the gory details some organizations need to go through for successful procurement. Our process is appropriate for a large enterprise, but a little pruning can make it manageable a good fit for a small group. That’s the great thing about process: you can change it however you see fit, at no expense.”