A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Your Cloud Journeys is Unique, but Not Unknown (Securosis Blog, Feb 18 2020)
“This is the first post in a new series, our “Network Operations and Security Professionals’ Guide to Managing Public Cloud Journeys”, which we will release as a white paper after we complete the draft and have some time for public feedback.”

Exploring Container Security: Run what you trust; isolate what you don’t (Google Cloud Blog, Feb 12 2020)
Many of the vulnerabilities we saw in 2019 compromised the container supply chain or escalated privileges through another overly-trusted component. It’s important that you trust what you run, and that you apply defense-in-depth principles to your containers. To help you do this, Shielded GKE Nodes is now generally available, and will be followed shortly by the general availability of Workload Identity, a way to authenticate your GKE applications to other Google Cloud services that follows best practice security principles like defense-in-depth.

Google pulls 500 malicious Chrome extensions after researcher tip-off (Naked Security – Sophos, Feb 17 2020)
Google has abruptly pulled over 500 Chrome extensions from its Web Store that researchers discovered were stealing browsing data and executing click fraud and malvertising.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Judge halts Microsoft work on JEDI contract after AWS request (TechCrunch, Feb 13 2020)
A sealed order from a judge today has halted the $10 billion, decade-long JEDI project in its tracks until AWS’s protest of the contract award to Microsoft can be heard by the court.

Cloud Security Challenges in 2020 (Cloud Security Alliance, Feb 18 2020)
Recently the Cloud Security Alliance presented the following major cloud challenges in its report “Top Threats to Cloud Computing: Egregious Eleven.” In this blog, I will be summarizing each threat covered in the report and discussing its implications for organizations today.

Cracking the code on cloud security for higher education (SC Media, Feb 13 2020)
According to Forbes, 83 percent of enterprise workloads will be in the cloud by 2020, and higher education isn’t far behind. A survey conducted by MeriTalk found that 60 percent of higher education institutions are integrating cloud computing into their IT strategies.

PhotoSquared: App Leaks Data on Thousands of Users (Infosecurity Magazine, Feb 17 2020)
Researchers find another unsecured S3 bucket

How to improve LDAP security in AWS Directory Service with client-side LDAPS (AWS Security Blog, Feb 13 2020)
Client-side secure LDAP (LDAPS) support enables applications that integrate with AWS Directory Service, such as Amazon WorkSpaces and AWS Single Sign-On, to connect to AD using Secure Sockets Layer/Transport Layer Security (SSL/TLS).

How to use the AWS Security Hub PCI DSS v3.2.1 standard (AWS Security Blog, Feb 17 2020)
On February 13, 2020, AWS added partial support for the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1 requirements to AWS Security Hub.

New Azure Firewall certification and features in Q1 CY2020 (Microsoft Azure Blog, Feb 18 2020)
Several new Azure Firewall capabilities based on your top feedback items.

Azure Firewall Manager now supports virtual networks (Microsoft Azure Blog, Feb 18 2020)
“we are extending Azure Firewall Manager preview to include automatic deployment and central security policy management for Azure Firewall in hub virtual networks.”

SecOps teams face challenges in understanding how security tools work (Help Net Security, Feb 17 2020)
57% of security professionals were confident their current security solutions are working as intended. Yet only 35% of survey respondents stated that they conduct testing to ensure their security products are configured and operating as they expect.

Apps Remain Favorite Mobile Attack Vector (Dark Reading, Feb 13 2020)
Mobile apps are used in nearly 80% of attacks targeting mobile devices, followed by network and operating system attacks.

Researchers design a tool to identify the source of errors caused by software updates (Help Net Security, Feb 17 2020)
Researchers at Texas A&M University, in collaboration with computer scientists at Intel Labs, have now developed a complete automated way of identifying the source of errors caused by software updates.

The Trouble with Free and Open Source Software (Dark Reading, Feb 18 2020)
Insecure developer accounts, legacy software, and nonstandard naming schemes are major problems, Linux Foundation and Harvard study concludes.

Cybersecurity: What Programming Language Is Better for Your Career? (DevOps, Feb 12 2020)
In fact, this question on Reddit inspired the whole article…