A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
How to get started with security response automation on AWS (AWS Security Blog, Nov 26 2019)
Security response automation is a planned and programmed action taken to achieve a desired state for an application or resource based on a condition or event. When you implement security response automation, you should adopt an approach that draws from existing security frameworks. Frameworks are published materials that consist of standards, guidelines, and best practices intended to help organizations manage cybersecurity-related risk. Using frameworks helps you achieve consistency and scalability and lets you focus more on the strategic aspects of your security program.
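The condition-to-action loop described above, as an added example that is not code from the AWS post: a finding event is mapped through a playbook to one remediation that restores the desired state, with the executor injected so the decision logic can be exercised offline. The EventBridge-style event shape, the finding-type names, and the severity threshold are assumptions for this illustration, not AWS-defined values.

```python
"""Event-driven security response automation (added example, not AWS code).

Assumed: findings arrive as EventBridge-style JSON with a "detail" object
carrying a finding type, a severity, and a resource id. The playbook maps a
condition (finding type) to the action that restores the desired state; the
actual executors (isolate, notify, block) are injected by the caller, so
this module decides and audits but never calls a cloud API itself.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Action:
    name: str      # playbook action, e.g. "isolate_instance"
    resource: str  # identifier the action applies to
    reason: str    # why it was chosen; goes into the audit trail


# Hypothetical finding types -> action. Anything not listed is a no-op:
# automation must only act on conditions it was explicitly designed for.
PLAYBOOK: Dict[str, str] = {
    "UnauthorizedAccess:EC2/SSHBruteForce": "isolate_instance",
    "Policy:IAMUser/RootCredentialUsage": "notify_security",
    "Discovery:S3/MaliciousIPCaller": "block_ip",
}

SEVERITY_FLOOR = 4.0  # assumed threshold; below it we observe but do not act

# Constructed sample event (shape assumed, not a real finding).
SAMPLE_EVENT = {
    "source": "example.findings",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 7,
        "resource": {"id": "i-0123456789abcdef0"},
    },
}


def decide_action(event: dict) -> Optional[Action]:
    """Map one finding event to the playbook action, or None if no action applies."""
    detail = event.get("detail", {})
    finding_type = detail.get("type")
    resource = detail.get("resource", {}).get("id")
    try:
        severity = float(detail.get("severity", 0))
    except (TypeError, ValueError):
        return None  # malformed severity: do not guess, do not act
    if not finding_type or not resource or severity < SEVERITY_FLOOR:
        return None
    action_name = PLAYBOOK.get(finding_type)
    if action_name is None:
        return None
    return Action(action_name, resource, f"{finding_type} severity={severity}")


def respond(event: dict,
            executors: Dict[str, Callable[[str], None]],
            audit: List[str]) -> Optional[Action]:
    """Decide, run the matching executor, and record what happened.

    Fails closed: an action with no registered executor is logged, not run.
    """
    action = decide_action(event)
    if action is None:
        audit.append(f"no-op: {event.get('detail', {}).get('type')}")
        return None
    executor = executors.get(action.name)
    if executor is None:
        audit.append(f"unhandled action {action.name} for {action.resource}")
        return None
    executor(action.resource)
    audit.append(f"{action.name} on {action.resource} ({action.reason})")
    return action


if __name__ == "__main__":
    trail: List[str] = []
    # Dry-run executors: in production these would call the cloud API.
    dry_run = {name: (lambda r, n=name: print(f"[dry-run] {n} {r}"))
               for name in set(PLAYBOOK.values())}
    respond(SAMPLE_EVENT, dry_run, trail)
    print("\n".join(trail))
```

The executors are the only place cloud credentials are needed, which keeps the decision logic testable and lets the same playbook run in dry-run mode before it is allowed to change anything.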
The Likely Reason Disney+ Accounts Are Getting ‘Hacked’ (Wired, Nov 20 2019)
Credential stuffing, where names and passwords leaked in previous breaches are reused, strikes again.
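What credential stuffing looks like in an authentication log, as an added detection example that is not from the Wired article: the signal is breadth (one source trying many distinct accounts in a short window, mostly failing), which is what separates it from a single-account brute force. The log format and the sample lines are constructed for this example.

```python
"""Credential-stuffing detector over auth logs (added example, not from the article).

Stuffing replays username/password pairs leaked elsewhere, so one source
cycles through many distinct accounts; the few successes are the accounts
whose owners reused a password. A brute force is deep rather than wide
(one account, many tries) and is deliberately not flagged by this rule.
Log format and sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: 203.0.113.7 sprays many accounts (stuffing),
# 198.51.100.9 hammers one account (brute force), 192.0.2.4 is a normal user.
SAMPLE_LOG = """\
2019-11-20T10:00:01Z ip=203.0.113.7 user=alice result=fail
2019-11-20T10:00:02Z ip=203.0.113.7 user=bob result=fail
2019-11-20T10:00:03Z ip=203.0.113.7 user=carol result=ok
2019-11-20T10:00:04Z ip=203.0.113.7 user=dave result=fail
2019-11-20T10:00:05Z ip=203.0.113.7 user=erin result=fail
2019-11-20T10:00:06Z ip=203.0.113.7 user=frank result=fail
2019-11-20T10:00:10Z ip=198.51.100.9 user=grace result=fail
2019-11-20T10:00:11Z ip=198.51.100.9 user=grace result=fail
2019-11-20T10:00:12Z ip=198.51.100.9 user=grace result=fail
2019-11-20T10:00:13Z ip=198.51.100.9 user=grace result=fail
2019-11-20T10:00:14Z ip=198.51.100.9 user=grace result=fail
2019-11-20T10:00:15Z ip=198.51.100.9 user=grace result=fail
2019-11-20T10:05:00Z ip=192.0.2.4 user=heidi result=fail
2019-11-20T10:05:05Z ip=192.0.2.4 user=heidi result=ok
"""

Event = Tuple[datetime, str, bool]  # (timestamp, user, success)


def parse(log: str) -> Dict[str, List[Event]]:
    """Group attempts by source IP; malformed lines are skipped, not fatal."""
    per_ip: Dict[str, List[Event]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_ip[m["ip"]].append((ts, m["user"], m["result"] == "ok"))
    return per_ip


def detect_stuffing(log: str,
                    window: timedelta = timedelta(minutes=5),
                    min_users: int = 5,
                    min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Return {ip: stats} for sources whose attempts look like stuffing.

    A source is flagged if, within any sliding window, it tried at least
    min_users distinct accounts and at least min_fail_ratio of those
    attempts failed. Thresholds are assumed starting points, not standards.
    """
    flagged: Dict[str, dict] = {}
    for ip, attempts in parse(log).items():
        attempts.sort()
        for i in range(len(attempts)):
            j = i
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            span = attempts[i:j]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "failures": failures,
                    # accounts that accepted a reused password: reset these first
                    "compromised": sorted(u for _, u, ok in span if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The successes inside a flagged window are the actionable output: those accounts took a password that was already public, so forcing a reset there (and on any other service where the same password was reused) is what actually stops the attacker, as opposed to blocking an IP they will simply rotate.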
Developers worry about security, still half of teams lack an expert (Help Net Security, Nov 25 2019)
While nearly 75% of developers worry about the security of their applications and 85% rank security as very important in the coding and development process, nearly half of their teams lack a dedicated cybersecurity expert, according to WhiteHat Security.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Announcing AWS Managed Rules for AWS WAF (AWS News Blog, Nov 25 2019)
“a new capability called AWS Managed Rules for AWS WAF that helps you protect your applications without needing to create or manage the rules directly. We’ve also made multiple improvements to AWS WAF with the launch of a new, improved console and API that makes it easier to keep your applications safe.”
re:Invent 2019 guide to AWS Cryptography sessions, workshops, and chalk talks at AWS (AWS Security Blog, Nov 22 2019)
AWS re:Invent 2019 is just over a week away! We have many Security, Identity, and Compliance sessions, and this is a post about AWS Cryptography-related breakout sessions, workshops, builders sessions, and chalk talks at AWS re:Invent 2019.
Google Cloud Update Gives Users Greater Data Control (Dark Reading, Nov 20 2019)
External Key Manager and Key Access Justification are intended to give organizations greater visibility into requests for data access.
Analysis of Jira Bug Stresses Impact of SSRF in Public Cloud (Dark Reading, Nov 27 2019)
More than 3,100 Jira instances are still vulnerable to a server-side request forgery vulnerability patched in August.
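Why SSRF matters more in a public cloud, shown as an added example that is not from the Dark Reading article and not Jira code: a server-side fetch of an attacker-supplied URL can be pointed at the instance metadata service (169.254.169.254) and used to read the instance's role credentials. The guard below is deny-by-default and resolves every address a host maps to before allowing the fetch; the DNS table it uses offline is constructed, and the metadata address set is limited to endpoints I am certain of (the AWS IPv4 and IPv6 IMDS addresses; Azure and GCP also use the IPv4 one).

```python
"""SSRF guard for server-side URL fetches (added example, not from the article).

Deny-by-default: only http(s), no userinfo, and every address the host
resolves to must be a routable public address. The resolver is injectable
so the check runs offline against a constructed DNS table; the default
resolver uses the OS, which also normalises odd IP spellings such as the
decimal form "2852039166" (== 169.254.169.254) that a naive string
filter would miss.
"""
import ipaddress
import socket
from typing import Callable, List, Union
from urllib.parse import urlsplit

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[Addr]]

ALLOWED_SCHEMES = {"http", "https"}
# AWS IMDS on IPv4 and IPv6; Azure and GCP metadata also live on the v4 address.
METADATA = {ipaddress.ip_address("169.254.169.254"),
            ipaddress.ip_address("fd00:ec2::254")}


def system_resolver(host: str) -> List[Addr]:
    """Every address (A and AAAA) the OS resolver returns for host."""
    return [ipaddress.ip_address(info[4][0])
            for info in socket.getaddrinfo(host, None)]


# Constructed DNS table for offline use; none of these are real records.
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "meta.attacker.test": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # one bad answer is enough
    "localhost": ["::1"],
}


def constructed_resolver(host: str) -> List[Addr]:
    return [ipaddress.ip_address(a) for a in CONSTRUCTED_DNS.get(host, [])]


def disallowed(addr: Addr) -> bool:
    """True for anything that is not a routable public address."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the IMDS
    return (addr in METADATA or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified)


def check_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Validate url and return the one IP the caller must connect to.

    Raises ValueError on anything unsafe. The caller should open the socket
    to the returned IP and send the original hostname as Host/SNI, so the
    address that was checked is the address that is used; re-resolving at
    connect time reopens a DNS-rebinding window. Redirects must go through
    this check again.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")  # http://trusted@evil/
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs: List[Addr] = [ipaddress.ip_address(host)]  # literal IP, either family
    except ValueError:
        addrs = resolver(host)  # names, including non-dotted forms like "2852039166"
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for addr in addrs:
        if disallowed(addr):
            raise ValueError(f"{host!r} resolves to disallowed address {addr}")
    return str(addrs[0])


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/health",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://rebind.attacker.test/"):
        try:
            print("allow", candidate, "->", check_url(candidate, constructed_resolver))
        except ValueError as err:
            print("deny ", candidate, "->", err)
```

Note that the check rejects a host if any of its addresses is disallowed, not just the first: a name that answers with one public and one private address is exactly the shape a rebinding or split-horizon attack takes. On AWS, requiring IMDSv2 (session tokens obtained via a PUT with a hop limit) is the complementary control on the target side, since a plain GET-based SSRF cannot complete that handshake.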
Key Access Justifications: a new level of control and visibility (Google Cloud Blog, Nov 20 2019)
“we’re excited to announce Key Access Justifications, a new capability that works with our External Key Manager to allow our customers to be the ultimate arbiters of access to their data on Google Cloud Platform (GCP).”
Securing Docker Containers: A Primer (Container Journal, Nov 27 2019)
Here are some tips to help secure Docker containers—or any other containers, for that matter. There are many challenges when building an application, but one of the most crucial is making sure it’s secure.
DevOps, Cloud and Remote Workers Dominate 2020 Risks (Infosecurity Magazine, Nov 26 2019)
Trend Micro report highlights supply chain dangers of the coming decade
XSS Flaw in Gmail’s Dynamic Email Feature Earns Researcher $5,000 (SecurityWeek, Nov 20 2019)
A researcher has earned $5,000 from Google for an interesting cross-site scripting (XSS) vulnerability found in the dynamic email feature added a few months ago to Gmail.
Build Your Immunity Across All App-Security Insertion Points (SecurityWeek, Nov 27 2019)
“Years ago, I worked on a consulting project for a large financial services company, which had recently invested $20 million into their core offering, a managed services platform for financials that was used by hundreds of customers. We did a Failure Mode Effect Analysis for them, looking at every component making up the major service—every app, every piece of infrastructure supporting each app, every business process, every development and IT process—and every permutation of interactions across that entire stack.”