A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Every presidential campaign website has suspicious 3rd-party code (SC Media, Mar 25 2020)
An analysis of 11 presidential campaign websites performed last September and again in December found multiple instances of potentially risky third-party code, unwanted code execution and unauthorized data tracking. According to a new report from The Media Trust, 81 percent of executing code on these websites was not internally developed, but rather from external third-party…

Skimmer May Have Put NutriBullet Customers’ Card Data at Risk for Nearly a Month (Dark Reading, Mar 18 2020)
Blender maker is the latest victim of Magecart.

Top 10 security items to improve in your AWS account (AWS Security Blog, Mar 20 2020)
“If you’re looking to improve your cloud security, a good place to start is to follow the top 10 most important cloud security tips that Stephen Schmidt, Chief Information Security Officer for AWS, laid out at AWS re:Invent 2019. Here are the tips, expanded to help you take action.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

How Attackers Could Use Azure Apps to Sneak into Microsoft 365 (Dark Reading, Mar 24 2020)
Researchers warn Microsoft 365 account holders to pay attention to unknown applications that request permissions.

How to Secure Your Kubernetes Deployments (Dark Reading, Mar 24 2020)
As more companies shift their software to a microservices-based architecture and orchestrate their containerized applications in Kubernetes, distributed security controls become a must.

Cloud-native security considerations for critical enterprise workloads (Help Net Security, Mar 25 2020)
Since the advent of the public cloud as a viable alternative to on-premise systems, CIOs and CISOs have been citing security as one of the top concerns when it comes to making the switch. While most of their worries have abated over the years, some remain, fuelled by the number of data leak incidents, mainly arising from misconfiguration. Johnnie Konstantas, Senior Director, Security Go to Market at Oracle, says that the main reason we are…

JEDI Contract to Have Only One Master (Infosecurity Magazine, Mar 24 2020)
US Department of Defense confirms epic consolidated cloud contract will be awarded to a single contractor

Supporting SHA-2 algorithm in SSH on Azure DevOps (Azure DevOps Blog, Mar 18 2020)
With the release of OpenSSH 8.2 last month, connections to SSH servers using SHA-1 was disabled by default in the OpenSSH client. We understand that this move helps improve the security of SSH connections, by encouraging all users to adopt the SHA-2 class of algorithms,

Kubernetes Security: Key Factors to Consider (Container Journal, Mar 24 2020)
Here are six ways organizations can increase their Kubernetes security Containers and Kubernetes adoption have been phenomenal in the last year. According to the recently published CNCF report, container adoption has jumped to 84%, with Kubernetes being adopted by 78% of respondents to orchestrate those containers.

Achieving DevSecOps Requires Cutting Through the Jargon (Dark Reading, Mar 19 2020)
Establishing a culture where security can work easily with developers starts with making sure they can at least speak the same language.

Increase web application security without causing any user disruption (Help Net Security, Mar 19 2020)
In this podcast recorded at RSA Conference 2020, Jason A. Hollander, CEO, and Paul B. Storm, President at Cymatic, talk about how their platform builds a defensible barrier around the user, so web-based threats can be stopped at the source.

Here’s the Netflix account compromise Bugcrowd doesn’t want you to know about (Ars Technica, Mar 19 2020)
Weakness allows attackers to steal browser cookies used to authenticate Netflix users.

Crowdsourced pentesting is not without its issues (Help Net Security, Mar 23 2020)
Crowdsourced security isn’t new anymore, having existed in one form or another as a consumable enterprise service since 2013 with the launch of the main crowdsourced platforms (HackerOne, Bugcrowd and Synack). Slowly but surely, these platforms challenged traditional pentesting practices and started to eat away at their market share. Further platforms and competitors have since launched within the crowdsourced space to compete for a part of this growing market share. But is crowdsourced security…

Flaw in Password Managers Allowed Apps to Steal Credentials (SecurityWeek, Mar 23 2020)
One of the vulnerabilities that researchers from the University of York discovered in widely-used password managers could have resulted in malicious apps stealing users’ credentials.

Mozilla to Remove Support for FTP in Firefox (SecurityWeek, Mar 21 2020)
Mozilla is getting ready to remove support for the File Transfer Protocol (FTP) from the Firefox web browser due to security concerns.

Open redirect on Dept. of HHS website benefits COVID-19 phishing scam (SC Media, Mar 24 2020)
A coronavirus-themed phishing campaign designed to infect victims with Raccoon information-stealing malware has reportedly been leveraging an open redirect vulnerability found on the U.S. Department of Health and Human Services’ website, HHS.gov. As defined by Trustwave here, an open redirect occurs when a website’s “parameter values (the portion of URL after “?”)…