A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Let’s Encrypt will revoke 3m+ TLS/SSL certificates (Help Net Security, Mar 04 2020)
Starting with 20:00 UTC (3:00pm US EST), today (March 4), the non-profit certificate authority Let’s Encrypt will begin it’s effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software. Preliminary investigation suggests the bug was introduced on July 25, 2019, but a more detailed investigation is under way – though, for now, it seems that “it’s not likely that there was any significant mis-issuance as a result of this incident.”
The Case for Limiting Your Browser Extensions (Krebs on Security, Mar 03 2020)
“Last week, KrebsOnSecurity reported to health insurance provider Blue Shield of California that its Web site was flagged by multiple security products as serving malicious content. Blue Shield quickly removed the unauthorized code. An investigation determined it was injected by a browser extension installed on the computer of a Blue Shield employee who’d edited the Web site in the past month.”
Mastering the Journey—Building Network Manageability and Security for your Path (Securosis Blog, Feb 27 2020)
“Learning cloud adoption patterns doesn’t just help us identify key problems and risks – we can use them to guide operational decisions to address the issues they consistently raise. This research focuses on managing networks and network security, but the patterns include broad security and operational implications which cover all facets of your cloud journey.”
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Exploring the impact that hybrid cloud is having on enterprise security and IT teams (Help Net Security, Mar 01 2020)
While enterprises rapidly transition to the public cloud, complexity is increasing, but visibility and team sizes are decreasing while security budgets remain flat to pose a significant obstacle to preventing data breaches, according to FireMon’s 2020 State of Hybrid Cloud Security Report.
Moving to Multi-Cloud? Time to Rethink Identity, Access Management (eWEEK, Mar 02 2020)
Except for a few mission-critical processes that will remain on-premises because they require intense oversight and control, much of an enterprise’s workloads and data soon will be spread across multi-cloud environments.
How to Prevent an AWS Cloud Bucket Data Leak (Dark Reading, Feb 26 2020)
Misconfigured AWS buckets have led to huge data breaches. Following a handful of practices will help keep you from becoming the next news story.
Less Than Half of Vulnerabilities in Popular Docker Images Pose Risk: Study (SecurityWeek, Feb 27 2020)
Many Vulnerabilities Found in Popular Docker Images, But Most Are Not Loaded Into Memory
Continuous compliance monitoring with Chef InSpec and AWS Security Hub (AWS Security Blog, Feb 26 2020)
“In this post, I will show you how to run a Chef InSpec scan with AWS Systems Manager and Systems Manager Run Command across your managed instances. InSpec is an open-source runtime framework that lets you create human-readable profiles to define security, compliance, and policy requirements and then test your Amazon Elastic Compute Cloud…”
How DNS over HTTPS Impacts Security Planning (IT Pro, Mar 03 2020)
For the enterprise, DNS over HTTPS introduces more security challenges than it solves–at least for now.
Establishing a Kubernetes Pod Security Policy (Container Journal, Mar 04 2020)
Kube-PSP-Advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s environment or from a single. yaml file containing a pod specification (deployment, daemon set, pod, etc.).
Advancing DevSecOps Into the Future (SecurityWeek, Mar 03 2020)
If DevOps represents the union of people, process, and technology to continually provide value to customers, then DevSecOps represents the fusion of value and security provided to those same customers.
Identifying and resolving security code vulnerabilities using Snyk in AWS CI/CD Pipeline (AWS DevOps Blog, Feb 28 2020)
The majority of companies have embraced open-source software (OSS) at an accelerated rate even when building proprietary applications. Some of the obvious benefits for this shift include transparency, cost, flexibility, and a faster time to market.
Framework Isolates Libraries in Firefox to Improve Security (SecurityWeek, Feb 27 2020)
A group of researchers has built a sandbox framework that can improve the security of Firefox by isolating third-party libraries used by the browser.
Facebook sues data analytics firm OneAudience over malicious SDK (Naked Security – Sophos, Mar 02 2020)
Facebook says OneAudience paid developers to install its social-media-profile-looting SDK into their apps to get marketing data for clients.
White hat hackers find thousands of vulnerabilities: DoD (SC Media, Mar 04 2020)
The U.S. Department of Defense’s Cyber Crime Center (DC3) received more than 2,800 validated vulnerability reports from a variety of sources, according to its 2019 Vulnerability Disclosure Program (VDP). In 2019 the VDP processed 4,013 vulnerability reports establishing that 2,816 were in fact previously unknown vulnerabilities, according to the VDP’s annual report.