A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
In App Development, Does No-Code Mean No Security? (Dark Reading, Jan 08 2020)
No-code and low-code development platforms are part of application development, but there are keys to making sure that they don’t leave security behind with traditional coding.
Learning from cryptocurrency mining attack scripts on Linux (Microsoft Azure Blog, Jan 14 2020)
Cryptocurrency mining attacks continue to represent a threat to many of our Azure Linux customers.
DevSecOps: 10 Best Practices to Embed Security into DevOps (DevOps, Jan 14 2020)
Steps to a Typical DevSecOps Workflow
– A developer starts by writing code within a version control system.
– Any required change is committed to the version control system.
– Another developer analyzes the code to identify any security defect that may weaken code quality.
– An environment is created to deploy and apply security configurations to the system.
– Next, a test automation suite is executed to evaluate the newly deployed application.
– After it passes the automation test, the application is deployed to a production environment.
– This new production environment is actively monitored for security threats.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
AWS Issues ‘Urgent’ Warning for Database Users to Update Certs (Dark Reading, Jan 09 2020)
Users of AWS Aurora, DocumentDB, and RDS databases must download and install a fresh certificate and rotate the certificate authority.
Cloud Adoption & Technology Change Create Gaps in Enterprise Security (Dark Reading, Jan 14 2020)
Many companies are struggling to get a handle on risk exposure because of visibility issues, Radware survey shows.
The Changing Face of Cloud Threat Intelligence (SecurityWeek, Jan 14 2020)
As public cloud providers continue to elevate their platforms’ default enterprise protection and compliance capabilities to close gaps in their portfolio or suites of in-house integrated security products, CISOs are increasingly looking to the use and integration of threat intelligence as the next differentiator within cloud security platforms.
New for Amazon EFS – IAM Authorization and Access Points (AWS News Blog, Jan 13 2020)
When building or migrating applications, we often need to share data across multiple compute nodes. Many applications use file APIs and Amazon Elastic File System (EFS) makes it easy to use those applications on AWS, providing a scalable, fully managed Network File System (NFS) that you can access from other AWS services and on-premises resources.
Exploring container security: Navigate the security seas with ease in GKE v1.15 (Google Cloud Blog, Jan 10 2020)
Your container fleet, like a flotilla, needs ongoing maintenance and attention to stay afloat—and stay secure. In the olden days of seafaring, you grounded your ship at high tide and turned it on its side to clean and repair the hull, essentially taking it “offline.” We know that isn’t practical for your container environment however, as uptime is as important as security for most applications.
CNCF Funds Cybersecurity Bug Bounty Initiative for Kubernetes (Container Journal, Jan 14 2020)
The Cloud Native Computing Foundation (CNCF) has announced it is funding a bounty program for discovering security bugs in any distribution of Kubernetes. Maya Kaczorowski, product manager for container security at Google, says the program will pay researchers a bounty of $100 to $10,000 for each bug validated by HackerOne…
PayPal Patches Vulnerability That Exposed User Passwords (SecurityWeek, Jan 09 2020)
A researcher has earned over $15,000 from PayPal for reporting a critical vulnerability that could have been exploited by hackers to obtain user email addresses and passwords.
Facebook Rushes to Patch Bug Exposing Page Admins (SecurityWeek, Jan 13 2020)
Facebook last week rushed to patch a bug that exposed the accounts of individuals who manage pages, after the weakness was exploited against several high-profile pages.
How to Keep Security on Life Support After Software End-of-Life (Dark Reading, Jan 14 2020)
It’s the end of support this week for Windows 7 and Server 2008. But what if you truly can’t migrate off software, even after security updates stop coming?
App Leaks Thousands of Baby Photos and Videos Online (Infosecurity Magazine, Jan 14 2020)
Peekaboo Moments failed to secure a database containing images of thousands of babies.