A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Facebook’s Bug Bounty Caught a Data-Stealing Spree (Wired, Feb 07 2020)
A few months ago, the company disclosed that apps were siphoning data from up to 9.5 million of its users. It only found out thanks to a bug bounty submission…In 2019, Facebook awarded about $2.2 million in bounties to researchers from more than 60 countries, double the $1.1 million the company paid out in 2018.

Cloud Companies Chase Future in Cybersecurity ‘Wild West’ (Bloomberg, Feb 10 2020)
Software makers say enterprise clients will demand products that protect data.

43% of cloud databases are currently unencrypted (Help Net Security, Feb 07 2020)
The Unit 42 Cloud Threat Report: Spring 2020 investigates why cloud misconfigurations happen so frequently. It finds that as organizations move to automate more of their cloud infrastructure build processes, they are adopting and creating new infrastructure as code (IaC) templates.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Google Cloud makes strides but still has a long way to go (TechCrunch, Feb 05 2020)
In earnings reported this week, Alphabet announced that Google Cloud generated a robust $2.61 billion for the quarter, a number that includes revenue from both Google Cloud Platform and G Suite. That puts the division on a nice little run rate of $10.44 billion. It feels like a lot until you consider that Microsoft…

Cloud Security Firm Netskope Raises $340 Million at $3 Billion Valuation (SecurityWeek, Feb 06 2020)
Cloud security company Netskope on Thursday announced that it has raised $340 million in a Series G funding round, valuing the firm at nearly $3 billion.

The evolution of shared responsibility in cloud security (SC Media, Feb 07 2020)
Businesses are conflicted about moving their data to the cloud. Some claim that one of the main reasons for moving data to the cloud is because it is more secure. Simultaneously, a top reason for not moving data to the cloud is due to concerns about security. Which opinion is right? The answer isn’t so simple.

Unlocked S3 Bucket Lets 36,077 Jail Files Escape (Dark Reading, Feb 10 2020)
The leaky repository belongs to JailCore, a cloud management and compliance platform used in several states’ correctional facilities.

12,000+ Jenkins servers can be exploited to launch, amplify DDoS attacks (Help Net Security, Feb 11 2020)
A vulnerability (CVE-2020-2100) in 12,000+ internet-facing Jenkins servers can be abused to mount and amplify reflective DDoS attacks against internet hosts, Radware researchers have discovered.

Why Ransomware Will Soon Target the Cloud (Dark Reading, Feb 11 2020)
As businesses’ daily operations become more dependent on cloud services, ransomware authors will follow to maximize profits. The good news: Many of the best practices for physical servers also apply to the cloud.

How to use KMS and IAM to enable independent security controls for encrypted data in S3 (AWS Security Blog, Feb 10 2020)
“However, many customers want to extend the value of encryption beyond basic protection against unauthorized access to the storage layer where the data resides. They want to enforce a separation of duties between which team manages access to the storage layer and which team manages access to the encryption keys.”

12 additional AWS services and 2 features authorized at DoD Impact Level 4 and 5 for AWS GovCloud (US) Regions (AWS Security Blog, Feb 07 2020)
“With these additional 12 services and 2 features, AWS now offers a total of 52 services authorized to process DoD mission critical data at Impact Levels (IL) 4 and 5 under the DoD’s Cloud Computing Security Requirements Guide (DoD CC SRG).”

Understanding data pipeline security in Cloud Data Fusion (Google Cloud Blog , Feb 06 2020)
For those of you working in data analytics, ETL and ELT pipelines are an important piece of your data foundation. Cloud Data Fusion is our fully managed data integration service for quickly building and managing data pipelines.

What Is DevSecOps and How to Enable It on Your SDLC? (DevOps, Feb 10 2020)
For the past three to four years, all the companies around the IT world have adopted agile and different application development methodologies that leverage the work for different departments or areas and helps them to develop new products and release new features to improve their processes and infrastructure.

DevSecOps: A Renewed Commitment to Secure Delivery, Part 1 (DevOps, Feb 05 2020)
Aim to justify everything that happens in the release pipeline. Examine the value-add of steps and align them with the security risks they are trying to mitigate. Here are some examples:
– Unit tests must pass in the build phase of the release pipeline to mitigate the risk of non-working code being pushed to the Development environment and entering the promotion path.
– Vulnerability scanning must occur on all Docker images prior to go live to mitigate the risk of a security flaw or vulnerability being introduced in production.
– All API interfaces must have a Swagger definition and a set of corresponding Pact/contract tests run in build phase to mitigate the risk of integration defects and corresponding outages.

Google’s Chrome 80 clamps down on cookies and notification spam (Naked Security – Sophos, Feb 06 2020)
Version 80 of the Chrome browser is out with some new features designed to save your security and your sanity.

Danes Blame Bug for ID Leak Affecting 1.3 Million (Infosecurity Magazine, Feb 11 2020)
Over a fifth of the population affected by CPR snafu

Microsoft Patches Exploited Internet Explorer Flaw (Dark Reading, Feb 11 2020)
This month’s Patch Tuesday brings fixes for 99 CVEs, including one IE flaw seen exploited in the wild.