A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Cisco Webex & Zoom Bug Lets Attackers Spy on Conference Calls (Dark Reading, Oct 01 2019)
The “Prying-Eye” vulnerability could let intruders enumerate meeting IDs that are not password-protected and snoop on the conference calls behind them.

60% of Major US Firms Have Been Hacked in Cloud: Study (SecurityWeek, Sep 25 2019)
Hackers have penetrated cloud computing networks of some 60 percent of top US companies, with virtually all industry sectors hit, security researchers said Tuesday.

Cloud Attacks Prove Effective Across Industries in the First Half of 2019 (Proofpoint, Oct 01 2019)
In a study encompassing the first half of 2019, Proofpoint researchers analyzed data from more than one thousand cloud service tenants with over 20 million user accounts.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Cloud Vulnerability Could Let One Server Compromise Thousands (Dark Reading, Sep 27 2019)
A flaw in the OnApp cloud management platform could let an attacker compromise a private cloud with access to a single server.

How to start achieving visibility in the cloud (Help Net Security, Sep 27 2019)
Applications and services in the cloud are accessed by numerous users in your organization. Connections and data flows are maintained between these domains. It is critical to establish a security architecture that meets the requirements of each domain and their interdependencies. To achieve this, your often-disparate teams must establish at least a few common interfaces, both organizationally and technically.

How to migrate symmetric exportable keys from AWS CloudHSM Classic to AWS CloudHSM (AWS Security Blog, Sep 25 2019)
The Luna 5 HSMs used for CloudHSM Classic are reaching end of life and the CloudHSM Classic service is being decommissioned as a result, so CloudHSM Classic users must migrate their cryptographic key material to the current AWS CloudHSM.
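The reason only "exportable" keys can be migrated is that an HSM never releases key material in the clear: a key marked exportable can leave the device only wrapped under a key-encryption key (KEK) that both the source and destination HSM hold, and the destination unwraps it internally. The standard construction for this is AES Key Wrap (RFC 3394). The following is an added, software-only illustration of that wrap/unwrap step; it is not AWS's migration tooling or the procedure from the linked post, and the in-process AES calls stand in for what the two HSMs would do inside their boundaries. The key and KEK values are the RFC 3394 section 4.1 test vector, so the output can be checked against the RFC.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the RFC 3394 default initial value. Recovering it intact after
// unwrapping is the integrity check that detects a wrong KEK or a tampered blob.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// WrapKey wraps a symmetric key (a multiple of 8 bytes, at least 16) under kek
// using AES Key Wrap as specified in RFC 3394. Output is 8 bytes longer than the key.
func WrapKey(kek, key []byte) ([]byte, error) {
	if len(key) < 16 || len(key)%8 != 0 {
		return nil, errors.New("key length must be a multiple of 8 bytes and at least 16")
	}
	block, err := aes.NewCipher(kek) // accepts 16-, 24- or 32-byte KEKs
	if err != nil {
		return nil, err
	}
	n := len(key) / 8
	a := make([]byte, 8)
	copy(a, kwIV)
	r := make([][]byte, n) // 64-bit registers R[1..n], stored 0-based here
	for i := range r {
		r[i] = append([]byte{}, key[i*8:(i+1)*8]...)
	}
	buf := make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i])
			block.Encrypt(buf, buf)          // B = AES(K, A | R[i])
			t := uint64(n*j + i + 1)         // step counter t = (n*j)+i with 1-based i
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^t) // A = MSB(B) ^ t
			copy(r[i], buf[8:])              // R[i] = LSB(B)
		}
	}
	out := append([]byte{}, a...)
	for i := 0; i < n; i++ {
		out = append(out, r[i]...)
	}
	return out, nil
}

// UnwrapKey reverses WrapKey and fails closed if the integrity check does not
// pass, so a wrong KEK yields an error rather than a garbage key.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped length must be a multiple of 8 bytes and at least 24")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte{}, wrapped[:8]...)
	r := make([][]byte, n)
	for i := range r {
		r[i] = append([]byte{}, wrapped[(i+1)*8:(i+2)*8]...)
	}
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^t) // (A ^ t) | R[i]
			copy(buf[8:], r[i])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[i], buf[8:])
		}
	}
	if subtle.ConstantTimeCompare(a, kwIV) != 1 {
		return nil, errors.New("integrity check failed: wrong KEK or corrupted wrapped key")
	}
	out := make([]byte, 0, n*8)
	for i := 0; i < n; i++ {
		out = append(out, r[i]...)
	}
	return out, nil
}

func main() {
	// RFC 3394 section 4.1 test vector: 128-bit KEK wrapping 128 bits of key data.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := WrapKey(kek, key) // what the source HSM would release
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", wrapped)
	unwrapped, err := UnwrapKey(kek, wrapped) // what the destination HSM would do internally
	if err != nil {
		panic(err)
	}
	fmt.Printf("unwrapped: %X\n", unwrapped)
	badKek := append([]byte{}, kek...)
	badKek[0] ^= 0x01
	if _, err := UnwrapKey(badKek, wrapped); err != nil {
		fmt.Println("wrong KEK rejected:", err)
	}
}
```

The point to take from the example is the failure mode: with the wrong KEK (or a single flipped bit in the blob) the unwrap does not produce a plausible-looking key, it produces an error, which is why a wrap-based migration can be verified end to end without ever comparing plaintext key bytes. In a real HSM migration the KEK itself would be generated on, or securely exchanged between, the two devices and would never be in application memory as it is here.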

AWS Security Profile: Byron Cook, Director of the AWS Automated Reasoning Group (AWS Security Blog, Sep 30 2019)
Byron Cook leads the AWS Automated Reasoning Group, which automates proof search in mathematical logic and builds tools that provide AWS customers with provable security.

Adopting DevOps practices leads to improved security posture (Help Net Security, Sep 26 2019)
Twenty-two percent of firms at the highest level of security integration have reached an advanced stage of DevOps maturity, compared to only six percent of firms with no security integration.

DevSecOps is emerging as the main methodology for securing cloud-native applications (Help Net Security, Sep 30 2019)
Only 8 percent of companies secure 75 percent or more of their cloud-native applications with DevSecOps practices today; 68 percent expect to reach that level within two years, according to ESG.

Secure DevOps Practices Expected to Increase for Cloud Apps (Infosecurity Magazine, Sep 26 2019)
Cloud native apps rarely secured using DevOps strategies

Cloudflare now supports HTTP/3 (Help Net Security, Sep 29 2019)
Cloudflare, the security, performance, and reliability company helping to build a better Internet, announced support for HTTP/3, the next version of HTTP, which runs over QUIC with TLS 1.3 built in and is intended to make the web faster, more secure, and more reliable for everyone.