A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

GitHub Security Lab to make open source more secure (Help Net Security, Nov 15 2019)
When a researcher identifies a vulnerability in an open source project and shares the discovery with the GitHub Security Lab team, the team reports it to the publicly listed security contact for the project or to the project maintainers.

Official Monero website is hacked to deliver currency-stealing malware (Ars Technica, Nov 19 2019)
GetMonero.com delivers Linux and Windows binaries that steal users’ funds.

Macy’s online store compromised in Magecart-style attack (Help Net Security, Nov 19 2019)
The webshop of noted U.S. department store company Macy’s has been compromised and equipped with an information-stealing JavaScript, which ended up collecting users’ personal and payment card information for a week.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Amazon Says It Didn’t Get a $10 Billion Contract Because Trump Hates Bezos (VICE, Nov 15 2019)
After ignoring its own workers’ protests, Amazon is now launching one of its own over the Pentagon awarding the JEDI contract to Microsoft.

Researchers Publish PoC for Docker Escape Bug (, Nov 20 2019)
Flaw is patched in Docker version 19.03.1

IT professionals deem hybrid cloud as most secure (Help Net Security, Nov 15 2019)
Enterprises plan to aggressively shift investment to hybrid cloud architectures, with respondents reporting steady and substantial hybrid deployment plans over the next five years, according to a Nutanix survey.

Study on public cloud performance: AWS, GCP, Azure, Alibaba and IBM Cloud (Help Net Security, Nov 18 2019)
There are notable network performance and connectivity differences between the five major public cloud providers – Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Alibaba Cloud and IBM Cloud, ThousandEyes reveals.

Fall 2019 SOC 2 Type I Privacy report now available (AWS Security Blog, Nov 18 2019)
“The Fall 2019 SOC 2 Type I Privacy report provides you with a third-party attestation of our systems and the suitability of the design of our privacy controls. The scope of the privacy report includes information about how we handle the content that you upload to AWS and how it is protected in all of the services and locations that are in scope for the latest AWS SOC reports.”

DevSecOps: The Answer to the Cloud Security Skills Gap (Dark Reading, Nov 15 2019)
There’s a skills and resources gap industrywide, but a DevSecOps approach can go a long way toward closing that gap.

BSIMM10 Shows Industry Vertical Maturity (Dark Reading, Nov 14 2019)
The Building Security In Maturity Model is the only detailed measuring stick for software security initiatives, and it continues to evolve.

UK Government Brexit App Riddled with Security Issues (Infosecurity Magazine, Nov 15 2019)
A Home Office app intended for EU citizens to apply for UK residency lacks basic security, potentially exposing the passport and biometric information of over one million users, according to experts.

Japan’s Largest Messaging App Launches Bug Bounty Hunt (Infosecurity Magazine, Nov 15 2019)
LINE Corporation launched a public bug bounty program (BBP), offering hackers financial rewards for identifying glitches throughout LINE’s web domains and core messenger application.

Cyber Attack Methods: How Code Injection Works (IT Pro, Nov 18 2019)
The code injection cyber attack method can be a serious threat to the business. Here’s what you need to know about heading off a code injection attack.

Google outlines plans for mainline Linux kernel support in Android (Ars Technica, Nov 19 2019)
Google wants less forking, more modularization for Android’s Linux kernel.

XSS security hole in Gmail’s dynamic email (Naked Security – Sophos, Nov 20 2019)
The bug was fixed at least a month ago so users receiving dynamic email content have one less thing to worry about.