A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Google Releases Open Source Tool for Finding File Access Vulns (SecurityWeek, Dec 09 2019)
Google on Monday announced that it has released the source code of a tool designed to help developers identify vulnerabilities related to file access.

Top 11 posts during 2019 (AWS Security Blog, Dec 09 2019)
The top 11 posts during 2019, based on page views:
– How to automate SAML federation to multiple AWS accounts from Microsoft Azure Active Directory
– How to securely provide database credentials to Lambda functions by using AWS Secrets Manager
– How to set up an outbound VPC proxy with domain whitelisting and content filtering
– How to centralize and automate IAM policy creation in sandbox, development, and test environments
– Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service
– Simplify DNS management in a multi-account environment with Route 53 Resolver
– How to use service control policies to set permission guardrails across accounts in your AWS Organization
– How to share encrypted AMIs across accounts to launch encrypted EC2 instances
– AWS and the CLOUD Act
– Guidelines for protecting your AWS account while using programmatic access
– How to use AWS Secrets Manager to securely store and rotate SSH key pairs

Google Cloud Platform is now FedRAMP High authorized (Google Cloud Blog, Dec 04 2019)
Google Cloud Platform (GCP) has received FedRAMP High authorization to operate (ATO) for 17 products in five cloud regions, and we’ve expanded our existing FedRAMP Moderate authorization to 64 products in 17 cloud regions. This means that public sector agencies now have the ability to run compliant workloads at the highest level of civilian classification.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Exploring container security: Performing forensics on your GKE environment (Google Cloud Blog, Dec 10 2019)
Running workloads in containers can be much easier to manage and more flexible for developers than running them in VMs, but what happens if a container gets attacked? It can be bad news. We recently published some guidance for how to collect and analyze forensic data in Google Kubernetes Engine (GKE), and how best to investigate and respond to an incident.

AWS launches three new services and capabilities to help customers build and operate securely (Help Net Security, Dec 04 2019)
Three new services and capabilities that make it easier for customers to build and operate securely:
Amazon Detective is a new security service that makes it easy for customers to conduct faster and more efficient investigations into security issues across their workloads (available in preview).
AWS IAM Access Analyzer is a new AWS Identity and Access Management (IAM) capability that makes it simple for security teams and administrators to audit resource policies for unintended access.
AWS Nitro Enclaves is a new Amazon EC2 capability that makes it easy for customers to process highly sensitive data by partitioning compute and memory resources within an instance to create an isolated compute environment (available in preview early next year).

OAuth vulnerability threatens Azure accounts (SC Magazine, Dec 04 2019)
There is a vulnerability in specific Microsoft OAuth 2.0 applications that could let an attacker gain access and control of a victim’s Azure account.

The Four Pillars of CASB: Visibility (Cloud Security Alliance, Dec 04 2019)
Due to the potential for data leakage in the cloud, the use of CASBs (cloud access security brokers) is needed in order to maintain visibility over data that has gone beyond the reach of on-premises tools.

HackerOne pays $20,000 bounty after breach of own systems (Naked Security – Sophos, Dec 09 2019)
In an embarrassing twist, bug bounty platform HackerOne has paid a $20,000 reward to a researcher who reported a security flaw inadvertently caused by one of its staff during… a bug submission.

NordVPN Launches Bug Bounty Program (SecurityWeek, Dec 09 2019)
Virtual private network (VPN) services provider NordVPN on Monday announced the launch of a public bug bounty program on the HackerOne platform.

Cisco Talos Releases Open Source Dependency Build Automation Tool (SecurityWeek, Dec 05 2019)
Cisco Talos this week released a new tool designed to make it easier to create complex applications that have lengthy dependency chains.

Injection Vulnerabilities – 20 Years and Counting (Checkmarx, Dec 04 2019)
What will it take to finally get developers to stop writing injection vulnerabilities into their code, and/or organizations to stop releasing code with injection vulnerabilities?