NSA Offers Guidance on Mitigating Cloud Flaws (Dark Reading, Jan 23 2020)
A new document separates cloud vulnerabilities into four classes and offers mitigations to help businesses protect cloud resources.
Mozilla has banned nearly 200 malicious Firefox add-ons over the last two weeks (ZDNet, Jan 27 2020)
Mozilla’s security staff is cracking down on malicious Firefox add-ons.
Prevent security misconfigurations in a multi-cloud environment (Cloud Security Alliance, Jan 20 2020)
Here are some of the common ways a cloud can be misconfigured:
– Lack of access restrictions – unsecured AWS S3 storage buckets are perhaps the most frequently breached cloud resources
– Lack of data protection – personal information (PII, payment card data, social security numbers) uploaded to the cloud in plain-text form
– Lack of audit and validation – without regular audits of resources and configurations, a security flaw can sit unnoticed until an attacker finds it
– Lack of logging and monitoring – timely review of data and access logs is vital to identify and flag security-related events
– Over-entitlement of users – each user's access should be restricted to only the applications and data they are permitted to use
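Two of the classes above, missing access restrictions on S3 buckets and over-entitlement of users, can be checked mechanically from the policy documents themselves. The following is an added example, not code from the Cloud Security Alliance article or this newsletter: it parses IAM/S3 policy JSON and the S3 Public Access Block settings offline, with constructed sample policies (the account ID and bucket name are made up) standing in for what an audit job would fetch from the AWS API.

```python
"""
Added example (not from the CSA article or this newsletter): an offline
checker for two of the misconfiguration classes listed above, public S3
bucket policies and over-entitled user policies. The policy documents are
constructed samples in the standard IAM/S3 policy JSON format; no AWS API
calls are made, so it runs anywhere.
"""
import json


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """"*" or {"AWS": "*"} grants access to anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_bucket_statements(policy_json):
    """Return the Sids of Allow statements that grant unconditional public access."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional public access deserves manual review, not an auto-flag
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def overentitled_statements(policy_json):
    """Return (Sid, action) pairs where an Allow statement grants a wildcard action."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


def public_access_block_gaps(config):
    """Return the S3 Public Access Block settings that are not switched on.

    `config` has the shape of the PublicAccessBlockConfiguration object that
    the S3 GetPublicAccessBlock API returns (four boolean keys).
    """
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [key for key in required if not config.get(key, False)]


# Constructed sample: the classic "everyone can read every object" bucket policy.
WEAK_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-customer-exports/*"}],
})

# Constructed sample: the same bucket restricted to one application role,
# plus a Deny that refuses plain-HTTP access (account ID is a placeholder).
HARDENED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppReadOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-exports/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-customer-exports",
                      "arn:aws:s3:::example-customer-exports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed samples: an over-entitled user policy and its least-privilege form.
OVERENTITLED_USER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullS3", "Effect": "Allow", "Action": "s3:*",
                   "Resource": "*"}],
})
LEAST_PRIVILEGE_USER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadOneBucket", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-customer-exports",
                                "arn:aws:s3:::example-customer-exports/*"]}],
})

if __name__ == "__main__":
    print("public statements (weak):", public_bucket_statements(WEAK_BUCKET_POLICY))
    print("public statements (hardened):", public_bucket_statements(HARDENED_BUCKET_POLICY))
    print("wildcard actions (over-entitled):", overentitled_statements(OVERENTITLED_USER_POLICY))
    print("wildcard actions (least privilege):", overentitled_statements(LEAST_PRIVILEGE_USER_POLICY))
    print("public access block gaps:", public_access_block_gaps({"BlockPublicAcls": True}))
```

The checker deliberately skips public statements that carry a Condition, since conditional public access (for example, restricted to a CloudFront origin) is a judgement call rather than an automatic finding; in a real audit job the policy documents and Public Access Block configuration would come from the S3 and IAM APIs and the results would feed the logging and monitoring pipeline the article also calls for.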
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Microsoft Releases Azure Security Benchmark (SecurityWeek, Jan 24 2020)
Microsoft this week announced the availability of Azure Security Benchmark v1 (ASB), a collection of more than 90 security best practices recommendations for Azure customers.
Techniques and strategies to overcome Kubernetes security challenges (Help Net Security, Jan 27 2020)
Portshift shows how to tackle Kubernetes security challenges by introducing five security best practices for DevOps and development professionals.
52% of companies use cloud services that have experienced a breach (Help Net Security, Jan 27 2020)
Seventy-nine percent of companies store sensitive data in the public cloud, according to a McAfee survey. While these companies approve an average of 41 cloud services each, up 33 percent from last year, thousands of other services are used ad hoc without vetting.
[Figure: anonymized cloud event data showing the percentage of files in the cloud that contain sensitive data]
Securing Containers with Zero Trust (Dark Reading, Jan 29 2020)
A software identity-based approach should become a standard security measure for protecting workloads in all enterprise networks.
How Do I Get My Team Started with Container Security and Kubernetes? (Dark Reading, Jan 28 2020)
The trick is to give your technical staff enough time to learn the new technology but also keep the pressure on to deliver. Here’s a smart way to begin.
IT pros need to weigh in on that ‘sassy’ security model (Network World Security, Jan 29 2020)
The secure-access service edge (SASE) model developed by Gartner ties into SD-WAN, edge computing and SD-Branch, so it warrants attention from networking teams.
Automated Response and Remediation with AWS Security Hub (AWS Security Blog, Jan 29 2020)
“In this blog post, I’ll show you how to build custom actions, CloudWatch Event rules, and Lambda functions for a dozen targeted actions that can help you remediate CIS AWS Foundations Benchmark-related compliance findings. I’ll also cover use cases for sending findings to an issue management system and for automating security patching.”
Correlating and Remediating Security Risks at Scale is Vital to DevOps (Checkmarx, Jan 29 2020)
The idea behind correlation is to increase the level of confidence and priority of the high-risk findings (vulnerabilities detected) as a result of the AST scans being performed—especially when you’re able to correlate the same findings from different scanning solutions.
9 Things Application Security Champions Need to Succeed (Dark Reading, Jan 29 2020)
Common elements to highly effective security champion programs that take DevSecOps to the next level.