A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Boris Johnson deepfake endorses Jeremy Corbyn for PM (Business Insider, Nov 12 2019)
Boris Johnson appeared to endorse Jeremy Corbyn for prime minister in a convincing deepfake video  Business Insider

Bugcrowd breaks its weekly bounty payout record (SC Magazine, Nov 08 2019)
For the first time in Bugcrowd’s seven-year history it paid out more than $500,000 in bounty fees to its white hats in a one-week period. For all of October more than 550 white-hat hacker working with Bugcrowd earned $1.6 million with the top recipient taking home $40,000.

New Azure Security Center and Azure platform security capabilities (Microsoft Azure Blog, Nov 06 2019)
“At Microsoft Ignite we’re sharing the many new capabilities our teams have built to improve security with Azure Security Center and the Azure Platform. We have a long list of new innovations, and this blog provides our general direction and summarizes some of our favorite new features.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

The cloud security capers (SC Magazine, Nov 06 2019)
…three, semi-fictional cloud adoption horror stories that will make you rethink your current cloud strategies.

Researchers Find New Approach to Attacking Cloud Infrastructure (Dark Reading, Nov 11 2019)
Cloud APIs’ accessibility over the Internet opens a new window for adversaries to gain highly privileged access to cloud assets.

As more companies deploy cloud apps, they must also implement security tools (Help Net Security, Nov 06 2019)
86% of enterprises have deployed cloud-based tools, but only 34% have implemented single sign-on (SSO), one of the most basic and critically important cloud security tools, according to Bitglass.

Cloud Covers Up Insider Threats (Infosecurity Magazine, Nov 06 2019)
A new study has found that more than half of organizations believe detecting insider threats is harder following migration to the cloud.

SIEM complexity and cloud visibility put companies at risk (Help Net Security, Nov 08 2019)
Nearly half of companies are unable to remediate insider threats until after data loss has occurred, a Gurucul survey reveals.

Should You Trust Your Cloud Storage Provider? (Infosecurity Magazine, Nov 08 2019)
There are many misconceptions when it comes to how most file sync and sharing services handle business-critical information

Speeding MTTR when a third-party cloud service is attacked (Help Net Security, Nov 11 2019)
“We had an early view of this outage which allowed us to reverse engineer the incident. This analysis offered clues on optimal approaches to speed mean time to resolve (MTTR), minimizing the impact of cloud-based service outages on your business.”

The leading challenge facing cloud migration projects is security (Help Net Security, Nov 13 2019)
60% of organizations misunderstand the shared responsibility model for cloud security and incorrectly believe the cloud provider is responsible for securing privileged access, according to Centrify.

AWS Artifact is now available in AWS GovCloud (US) Regions (AWS Security Blog, Nov 06 2019)
AWS Artifact is now available in the AWS GovCloud (US) Regions, where you’ll now have on-demand access to AWS compliance reports and select online AWS agreements with a single-click in the AWS Management Console.

How to enable encryption in a browser with the AWS Encryption SDK for JavaScript and Node.js (AWS Security Blog, Nov 11 2019)
how to use the AWS Encryption SDK (“ESDK”) for JavaScript to handle an in-browser encryption workload for a hypothetical application.

Secure software supply chain with Azure Pipelines artifact policies (Azure DevOps Blog, Nov 06 2019)
a preview capability for Azure Pipelines allowing you to define artifact policies that are enforced before deploying to critical environments such as production. You will be able to define custom policies that are evaluated against all the deployable artifacts in a given pipeline run and block the deployment if the artifacts don’t comply.

Apple to fix Siri bug that exposed parts of encrypted emails (Naked Security – Sophos, Nov 12 2019)
Apple may care about your privacy but that doesn’t mean it gets it right all the time, especially when it comes to training its Siri AI assistant.

Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin (Krebs on Security, Nov 11 2019)
“Orvis, a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on Pastebin.com for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers, KrebsOnSecurity has learned. Orvis says the exposure was inadvertent, and that many of the credentials were already expired.”