A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000 (VICE, Apr 15 2020)
People who trade in zero-day exploits say there are two Zoom zero-days, one for Windows and one for MacOS, on the market.

DoD Inspector General report finds everything was basically hunky-dory with JEDI cloud contract bid (TechCrunch, Apr 15 2020)
While controversy has dogged the $10 billion, decade-long JEDI contract since its earliest days, a report by the DoD’s Inspector General’s Office concluded today that, while there were some funky bits and potential conflicts, overall the contract procurement process was fair and legal…

GitHub sharply slashes plan pricing, offers core features for free to all (Ars Technica, Apr 14 2020)
The lowest-tier paid plan is dropping to $4 per seat per month from $9.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Kubernetes Security (Schneier on Security, Apr 10 2020)
Attack matrix for Kubernetes, using the MITRE ATT&CK framework. A good first step towards understanding the security of this suddenly popular and very complex container orchestration system.

Enterprises regard the cloud as critical for innovation, but struggle with security (Help Net Security, Apr 10 2020)
Most enterprises (85%) believe embracing the public cloud is critical to fuel innovation, but the majority are not equipped to operate in the cloud securely…

You have to consider cybersecurity at all points of a cloud migration (Help Net Security, Apr 12 2020)
Human error and complex cloud deployments open the door to a wide range of cyber threats, according to Trend Micro. Gartner predicts that by 2021, over 75% of midsize and large organizations will have adopted a multi-cloud or hybrid IT strategy.

Zscaler to Acquire Cloudneeti to Solve Cloud Misconfiguration Problems (SecurityWeek, Apr 13 2020)
San Jose, Calif.-based cloud security firm Zscaler (NASDAQ: ZS) said it will acquire Redmond, Wash.-based startup Cloudneeti for an undisclosed sum.

You’re One Misconfiguration Away from a Cloud-Based Data Breach (Dark Reading, Apr 14 2020)
Don’t assume that cyberattacks are all you have to worry about. Misconfigurations should also be a top cause of concern.

Shift to work-from-home: Most IT pros worried about cloud security (Help Net Security, Apr 14 2020)
As most companies make the rapid shift to work-from-home to stem the spread of COVID-19, a significant percentage of IT and cloud professionals are concerned about maintaining the security of their cloud environments during the transition, according to a survey conducted by Fugue.

DevOps Chats: DevSecOps and OpenShift, with Red Hat (DevOps, Apr 14 2020)
In this DevOps Chats, we had a talk with Kirsten Newcomer, senior principal product manager at Red Hat. It is a great discussion on the state of DevSecOps and how the Red Hat OpenShift team is trying to make it easier for developers, DevOps and cyber folks to work together…

Slack in the security spotlight – lessons for collaboration servers (Naked Security – Sophos, Apr 08 2020)
Interested in WFH collaboration tools right now? Lots of people are – so here’s a history lesson to learn from…

HackerOne bug bounty hunters give to COVID-19 relief fund (SC Media, Apr 10 2020)
HackerOne is helping white hat hackers to donate some of their bug bounties to benefit groups battling COVID-19. The group has created a specific website, https://hackerone.com/hackforgood, where HackerOne participants can “invite” hackforgood as a collaborator on any bug bounty program on which they are working.

SASE Firm Cato Networks Raises $77 Million (SecurityWeek, Apr 10 2020)
Cato Networks, a firm poised to take advantage of the sudden acceleration of business transformation and working from home caused by the COVID-19 pandemic, has raised $77 million in a Series D funding round.

Google Keeps Support for FTP in Chrome (SecurityWeek, Apr 14 2020)
Google has decided to keep support for the File Transfer Protocol (FTP) in Chrome a bit longer, after initially saying it would completely remove it in Chrome 82.

Application security: Getting it right, from the start (Help Net Security, Apr 15 2020)
Security testing data is “the unsung hero” of securing application development. It’s the backbone of application development quality, compliance and risk management, and rests on the three fundamental pillars of security…

Tencent Partners With HackerOne for Bug Bounty Program (SecurityWeek, Apr 15 2020)
HackerOne announced on Tuesday that the bug bounty program of Chinese technology giant Tencent is now accessible through its platform.