A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

HackerOne breach lets outsider read customers’ bug reports (Ars Technica, Dec 04 2019)
Company security analyst sent session cookie allowing account take-over.

The Next Evolution in AWS Single Sign-On (AWS News Blog, Nov 27 2019)
“Today we announced the next evolution of AWS Single Sign-On, enabling enterprises that use Azure AD to leverage their existing identity store with AWS Single Sign-On. Additionally, automatic synchronization of user identities, and groups, from Azure AD is also supported. Users can now sign into the multiple accounts and applications that make up their AWS environments using their existing Azure AD identity – no need to remember additional usernames and passwords – and they will use the sign-in experience they are familiar with.”

Understanding and Selecting RASP 2019: New Paper (Securosis Blog, Nov 19 2019)
“2019 updated research paper from our recent series, Understanding and Selecting RASP (Runtime Application Self-Protection). RASP was part of the discussion on application security in just about every one of the hundreds of calls we have taken, and it’s clear that there is a lot of interest – and confusion – on the subject, so it was time to publish a new take on this category.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

FireEye’s cloud security capabilities now available on AWS (Help Net Security, Dec 03 2019)
FireEye announced the availability of several new cloud security capabilities on Amazon Web Services (AWS).

Control access and permissions to AWS services and resources (Help Net Security, Dec 03 2019)
AWS IAM Access Analyzer is a new feature that makes it simple for security teams and administrators to check that their policies provide only the intended access to resources. Resource policies allow customers to granularly control who is able to access a specific resource and how they are able to use it across the entire cloud environment.

Exploring container security: Day one Kubernetes decisions (Cloud Blog, Nov 27 2019)
“Your first order of business is to familiarize yourself with Kubernetes architecture, functionality and security principles. Then, as you get ready to install and configure your Kubernetes environment (on so-called day one), here are some security questions to ask yourself, to help guide your thinking.”

Cloud Infrastructure IAM Lessons from the Capital One Breach (SC Media, Dec 03 2019)
Cloud infrastructure is the foundation of more companies than ever. As with any foundation, any crack can lead to significant damage to the infrastructure. One potential crack is a trusted identity with unnecessary and excessive privileges.

What steps should agencies take to better prepare for a multi-cloud future? (Help Net Security, Dec 04 2019)
Agencies do not feel prepared to manage current multi-cloud environments. While most Federal IT decision makers say their agency already uses multiple cloud platforms (81 percent), the majority – 75 percent – also say managing a multi-cloud environment will be one of their top challenges over the next five years, a MeriTalk report reveals.

DevSecOps Requires Teamwork for Success (DevOps.com, Dec 02 2019)
“While the manifestos surrounding the current development pipelines may differ, there is one concept that remains constant: teamwork. All the various frameworks populating the development landscape bring together teams of people to build and deliver applications. This is especially true of DevOps, which focuses on a technical culture with defined roles on a quest for responsiveness.”

Mixcloud Breach Hits Millions of Users (, Dec 02 2019)
British streaming service the latest to suffer major security incident.

Uncle Sam opens arms to friendly hackers (Naked Security – Sophos, Dec 02 2019)
All you bug hunters out there are about to get a nice Christmas gift – the US federal government finally wants to hear from you.