A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
How industries are evolving their DevOps & security (Help Net Security, Jan 30 2020)
There’s significant variation in DevOps maturation and security integration across the financial services, government, retail, telecom, and technology industries, according to Puppet’s report based on nearly 3,000 responses.
State-sponsored actors may have abused Twitter API to de-anonymize users (Help Net Security, Feb 04 2020)
A Twitter API that’s intended to help new account holders find people they may already know on Twitter has been abused by known and unknown actors to tie usernames to phone numbers and potentially de-anonymize certain users.
New Azure blueprint for CIS Benchmark (Microsoft Azure Blog, Jan 15 2020)
We’ve released our newest Azure blueprint that maps to another key industry-standard, the Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark. This follows the recent announcement of our Azure blueprint for FedRAMP moderate and adds to the growing list of Azure blueprints for regulatory compliance, which now includes ISO 27001, NIST SP 800-53, PCI-DSS, UK OFFICIAL, UK NHS, and IRS 1075.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Kubernetes Shows Built-in Weakness (Dark Reading, Feb 04 2020)
A Shmoocon presentation points out several weaknesses built in to Kubernetes configurations and how a researcher can exploit them.
IBM’s New CEO Is Mastermind Behind Cloud Strategy (IT Pro, Feb 03 2020)
IBM has a lot of catching up to do in the trillion-dollar cloud market where Amazon and Microsoft are far out in front, followed by Alphabet Inc.’s Google. They are all developing similar software in the hybrid-cloud market too. While IBM gained ground with the Red Hat purchase, the fierce competition with such formidable rivals won’t leave much room for error.
Two Vulnerabilities Found in Microsoft Azure Infrastructure (Dark Reading, Jan 30 2020)
Researchers detail the process of finding two flaws in the Azure Stack architecture and Azure App Service, both of which have been patched.
7 best practices for managing a multi-cloud environment (Network World Security, Feb 04 2020)
Multi-cloud strategies and hybrid IT environments bring a set of challenges that technology leaders might not have expected.
Bringing a passion for privacy to Cloud (Google Cloud Blog, Feb 04 2020)
“Michee Smith is a product manager within Google Cloud…We sat down with Michee to talk about her career path, her tech passions, why representation matters, and why staying true to yourself is a winning formula.”
Adding “Sec” Into the DevOps Mix (DZone, Jan 28 2020)
Just when we thought we knew what we were doing with DevOps, it’s time for an even longer — and more challenging — term, DevSecOps. DevSecOps is scaled, enterprise-level DevOps where security is baked into every step of the process, shifting the entire SDLC left and creating a culture where everyone has a stake in quality and security.
AppSec Concerns Drove 61% of Businesses to Change Applications (Dark Reading, Jan 31 2020)
Some have even left behind commercial software and migrated to open source or in-house homegrown applications. Continue for synopsis or read full research report.
Google launches open-source security key project, OpenSK (Naked Security – Sophos, Feb 03 2020)
OpenSK is a piece of firmware that you can install on a USB dongle of your own, turning it into a usable FIDO or U2F key.
Hackers Can Earn $20,000 for Xbox Vulnerabilities (SecurityWeek, Jan 30 2020)
Microsoft on Thursday announced the launch of an Xbox bug bounty program with rewards of up to $20,000 for critical remote code execution vulnerabilities.
How Enterprises Are Developing and Maintaining Secure Applications (Dark Reading, Feb 03 2020)
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all.
Nightmare Google Photos bug sent private videos to the wrong people (Ars Technica, Feb 04 2020)
Google’s data export service exported the wrong data.
Dropbox Paid Out Over $1 Million Through Bug Bounty Program (SecurityWeek, Feb 04 2020)
File hosting company Dropbox says it has awarded researchers over $1 million for vulnerabilities reported through its bug bounty program