A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Intel Security Gap Hard to Exploit Without Physical Data Center Access (IT Pro, Mar 12 2020)
Security researchers say the flaw is “unfixable,” but attackers would need to get inside your data center to use it.

The DevOps Sweet Spot: Inserting Security at Pull Requests (Part 2) (DevOps, Mar 17 2020)
In part one of this two-part series, I explored how organizations can more effectively automate security quality decisions and discard doing automation for automation’s sake. I shared why security scans need to be faster, more reliable and comprehensive.

Open source bugs have soared in the past year (Naked Security – Sophos, Mar 16 2020)
Open source bugs have skyrocketed, according to a report from WhiteSource, with XSS flaws account for a quarter of those bugs.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn


Pentagon asks court for time to reconsider JEDI award to Microsoft (TechCrunch, Mar 13 2020)
The JEDI contract award process might never be done. Following legal challenges from Amazon after the Pentagon’s massive, $10 billion cloud contract was awarded to Microsoft in October, the Pentagon indicated in court documents last night that it wishes to reconsider the award. It’s just the latest plot twist in an epic government procurement saga. […]

Google Offering Higher Bonuses for Cloud Platform Vulnerabilities (SecurityWeek, Mar 12 2020)
Google announced on Wednesday that it’s prepared to pay out an extra $313,337 for interesting Cloud Platform vulnerabilities submitted in 2020.

CASB 101: Why a Cloud Access Security Broker Matters (Dark Reading, Mar 12 2020)
A CASB isn’t a WAF, isn’t an NGF, and isn’t an SWG. So what is it, precisely, and why do you need one to go along with all the other letters?

Secure Access Service Edge (SASE) – key points for early adopters (SC Media, Mar 17 2020)
Last year Gartner introduced the term Secure Access Service Edge or SASE in their technology hype cycle and almost immediately it grabbed enormous attention from the vendors and enterprise consumers. Existing and new technology players already started highlighting the benefits of SASE and marketing their offering to attract customers. But what is this SASE?

15 additional AWS services authorized at DoD Impact Level 6 for the AWS Secret Region (AWS Security Blog, Mar 17 2020)
The Defense Information Systems Agency (DISA) has authorized 15 additional AWS services in the AWS Secret Region for production workloads at the Department of Defense (DoD) Impact Level (IL) 6 under the DoD’s Cloud Computing Security Requirements Guide (DoD CC SRG). The authorization at DoD IL 6 allows DoD Mission Owners to process classified and mission-critical workloads for National Security Systems in the AWS Secret Region.

Cloudflare’s Current Expansion Is Different from the Others (IT Pro, Mar 12 2020)
The company is expanding its US network in a big way, and it’s turned to two edge data center startups for help.

Discussing AppSec Policies within DevSecOps (Checkmarx, Mar 13 2020)
“This highlights the critical need for formal, organization-wide security policies, in addition to AppSec policies that directly influence software developers and application security teams, who must still operate at the speed that modern DevOps requires.”

Slack Vulnerability Allowed Hackers to Hijack Accounts (SecurityWeek, Mar 16 2020)
A researcher earned $6,500 from Slack last year after finding a critical vulnerability that could have been exploited to hijack Slack accounts.