A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

The DevOps Sweet Spot: Inserting Security at Pull Requests (Part 1) (DevOps, Mar 11 2020)
While it’s true that security scans may be automatically started, they still finish in siloed processes that don’t keep up with the pace of releases. We call this “automation for automation’s sake.” It does not measurably improve defect density, slow the accrual of technical debt or reduce mean time to repair (MTTR). The only value that automating this way provides is checking a box on a compliance form.

How financial institutions can approve AWS services for highly confidential data (AWS Security Blog, Mar 10 2020)
“As a Principal Solutions Architect within the Worldwide Financial Services industry group, one of the most frequently asked questions I receive is whether a particular AWS service is financial-services-ready.”

Facebook Awards $55,000 for Flaw That Could Lead to Account Hijacking (SecurityWeek, Mar 10 2020)
A researcher has earned $55,000 from Facebook for reporting a serious vulnerability that could have been exploited by hackers to steal access tokens and hijack accounts.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Applying the 80/20 Rule to Cloud Security (SC Media, Mar 04 2020)
A focus area to reduce threat actor dwell time is cloud security misconfigurations that accidentally expose data to the internet at large. Exposed data was the most cited cloud security incident (27 percent) and the biggest overall concern of leaders (64 percent) in a 2019 report on cybersecurity.

Unsecured databases continue leaking millions of records (Help Net Security, Mar 06 2020)
UK ISP and telecom provider Virgin Media confirmed on Thursday that one of its unsecured marketing databases had been accessed without permission on at least one occasion (though the extent of the access is still unknown).

HITRUST Shared Responsibility: Assigning privacy and responsibility on the cloud (Help Net Security, Mar 05 2020)
HITRUST, a leading data protection, standards development, and certification organization, announces the general availability of the HITRUST Shared Responsibility Program and Matrix Version 1.0.

Essential things to know about container networking (Network World Security, Mar 09 2020)
Networking is a crucial component in the container ecosystem, providing connectivity between containers running on the same host as well as on different hosts.

Cyber Resiliency, Cloud & the Evolving Role of the Firewall (Dark Reading, Mar 09 2020)
Today’s defenses must be creative in both isolating threats and segmenting environments to prevent attacks. Here’s why.

Multi-cloud and edge deployments threatened by security and connectivity problems (Help Net Security, Mar 11 2020)
The survey reveals that multi-cloud deployments are being driven primarily by a need to maximize availability and reliability for applications, while at the edge IoT is the top use case driving deployments.

Docker Inc. Outlines Product Strategy (Container Journal, Mar 10 2020)
Docker Inc. today published a product road map that details how it intends to extend Docker Desktop and Docker Hub to create a vibrant cloud-native ecosystem.

Securing Kubernetes and the Container Landscape (Container Journal, Mar 09 2020)
Looking for the best way to secure your Kubernetes and container environments? End-to-end is your best bet.