A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Stolen Cloud API Key to Blame for Imperva Breach (Infosecurity Magazine, Oct 14 2019)
A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS) accounts, the firm has revealed. The firm was notified of the incident, which affected a subset of its Cloud WAF customers, by a third party at the end August.

Stay in control of your security with new product enhancements in Google Cloud (Google Cloud Blog, Oct 16 2019)
“we’re excited to announce the beta of Security Health Analytics, a security product that integrates into Cloud Security Command Center (Cloud SCC). Security Health Analytics helps you identify misconfigurations and compliance violations in your Google Cloud Platform (GCP) resources and take action.”

Facebook Sweetens Deal for Hackers to Catch Security Bugs (Wired, Oct 15 2019)
The company is turbocharging its bug bounty to try to stop the next data leak before it happens.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

AWS achieves FedRAMP JAB High and Moderate Provisional Authorization across 18 services in the AWS US East/West and AWS GovCloud (US) Regions (AWS Security Blog, Oct 14 2019)
“…expanded the number of AWS services that customers can use to run sensitive and highly regulated workloads in the federal government space. This expansion of our FedRAMP program marks a 28.6% increase in our number of FedRAMP authorizations.”

Cryptojacking Worm Targets and Infects 2,000 Docker Hosts (Dark Reading, Oct 16 2019)
Basic and ‘inept’ worm managed to compromise Docker hosts by exploiting misconfigurations.

Network Security Must Transition into the Cloud Era (Dark Reading, Oct 10 2019)
An integrated approach is the best way to provide organizations with the tools they need to decrease the attack surface and use strong security controls.

When Using Cloud, Paranoia Can Pay Off (Dark Reading, Oct 14 2019)
Journalists are increasingly concerned about what cloud providers may access or share with governments – and companies should worry as well.

AWS Firewall Manager Update – Support for VPC Security Groups (AWS News Blog, Oct 10 2019)
AWS Firewall Manager makes use of AWS Organizations, and lets you build policies and apply them across multiple AWS accounts in a consistent manner.

Common Cloud Security Mistakes and How to Avoid Them (DevOps, Oct 09 2019)
Here are increasingly common cloud security mistakes DevOps teams still make, and our suggestions for how you can stop them in your organization.

Trusted Cloud: security, privacy, compliance, resiliency, and IP (Microsoft Azure Blog, Oct 16 2019)
“Can you trust your cloud provider? That’s a question being asked a lot of these days, and with the newest version of our popular white paper Trusted Cloud: Microsoft Azure security, privacy, compliance, resiliency, and protected IP we’ve worked to provide you answers.”

CIS Azure Security Foundations Benchmark open for comment (Microsoft Azure Blog, Oct 10 2019)
One of the best ways to speed up securing your cloud deployments is to focus on the most impactful security best practices. Best practices for securing any service begins with a fundamental understanding of cybersecurity risk and how to manage it. As an Azure customer, you can leverage this understanding by using security recommendations from Microsoft to help guide your risk-based decisions as they’re applied to specific security configuration settings in your environment.

Securing All Cloud Deployments With a Single Strategy (SecurityWeek, Oct 15 2019)
Many organizations eager to reap the benefits of cloud networking have adopted a cloud first strategy. As a result, their DevOps teams are actively developing applications that enable them to compete more effectively in today’s digital marketplace. Cost savings, agility, responsiveness and scalability are all drivers of this growing transition.

DevSecOps role expansion has changed how companies address their security posture (Help Net Security, Oct 11 2019)
While organizations shift their applications to microservices environments, the responsibility for securing these environments shifts as well, Radware reveals.

DevSecOps and the Problem of Machine-Scale Data (DevOps Zone, Oct 15 2019)
Quadrillions of bytes of data are created every day. Can your DevSecOps process handle it?

A Code Glitch May Have Caused Errors In More Than 100 Published Studies (VICE, Oct 10 2019)
The discovery is a reminder that science is collaborative and ideally self-correcting, but that nothing can be taken for granted.

Mozilla Hardens Firefox Against Injection Attacks (SecurityWeek, Oct 14 2019)
Mozilla this week announced a reduced attack surface for code injection in Firefox through the removal of potentially dangerous artifacts such as occurrences of inline scripts and eval()-like functions.

Code dependency mapping’s role in securing enterprise software (Help Net Security, Oct 16 2019)
Enterprise software is only as good as its security. Today, a data breach costs $3.92 million on average. Organizations are expected to spend $124 billion on security in 2019 and will probably invest even more given the alarming rate at which cyberattacks are growing.

Pentagon ‘Hack the Proxy’ program uncovers 31 vulnerabilities, one critical (SC Magazine, Oct 15 2019)
Ethical hackers found 31 vulnerabilities – one rated critical while nine got a high severity rating – during the Pentagon’s Hack the Proxy program on the HackerOne platform.