A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

SBA Reports Data Breach in Disaster Loan Application Website (SecurityWeek, Apr 22 2020)
Thousands of small business owners reeling from the aggressive measures taken to halt the spread of the coronavirus may have had their personal information exposed last month on a government website that handles disaster loan applications.

Protecting businesses against cyber threats during COVID-19 and beyond (Google Cloud Blog, Apr 16 2020)
No matter the size of your business, IT teams are facing increased pressure to navigate the challenges of COVID-19. At the same time, some things remain constant: Security is at the top of the priority list, and phishing is still one of the most effective methods that attackers use to compromise accounts and gain access to company data and resources. In fact, bad actors are creating new attacks and scams every day that attempt to take advantage of the fear and uncertainty surrounding the pandemic.

#COVID19 Tracing App Leaks User Data (Infosecurity Magazine, Apr 21 2020)
Dutch app in privacy snafu as source code is posted online

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

How to track changes to secrets stored in AWS Secrets Manager using AWS Config and AWS Config Rules (AWS Security Blog, Apr 20 2020)
On April 20th, AWS Config announced support for AWS Secrets Manager, making it easier to track configuration changes to the secrets you manage in AWS Secrets Manager. You can now use AWS Config to track changes to secrets’ metadata — such as secret description and rotation configuration, relationship to other AWS sources such as the KMS Key used for secret encryption, Lambda function used for secret rotation, and attributes such as tags associated with the secrets.

How to verify AWS KMS asymmetric key signatures locally with OpenSSL (AWS Security Blog, Apr 15 2020)
“In this post, I demonstrate a sample workflow for generating a digital signature within AWS Key Management Service (KMS) and then verifying that signature on a client machine using OpenSSL.”

Enable automatic logging of web ACLs by using AWS Config (AWS Security Blog, Apr 10 2020)
“In this blog post, I will show you how to use AWS Config, with its auto-remediation functionality, to ensure that all web ACLs have logging enabled. The AWS CloudFormation template included in this blog post will facilitate this solution, and will get you started being able to manage web ACL logging at scale.”

Now What Were Those Permissions for This User Again? (Chef Blog, Apr 21 2020)
If you have had occasion to try out the new IAM (Identity and Access Management) rollout for Chef Automate, you are probably eager to connect projects, policies, users and teams to give your organization the fine-grained separation of control vital to your business.

Secure the software development lifecycle with machine learning (Microsoft Security, Apr 16 2020)
A collaboration between data science and security produced a machine learning model that accurately identifies and classifies security bugs based solely on report names.

How to Get More Value Out of Cloud Services (eWEEK, Apr 16 2020)
Without taking advantage of native cloud services, performance optimization and automation capabilities for enterprise systems are limited.

Multi-cloud key management and BYOK (Help Net Security, Apr 20 2020)
Cloud providers such as Google Cloud Platform, AWS, and Microsoft Azure work hard to be the service provider of choice for enterprise customers. They often push the envelope with specialized features and capabilities unique to each platform. These features can often add real value for certain industries and applications and help to differentiate the platforms from each other. At the same time…

7 Steps to Avoid the Top Cloud Access Risks (Dark Reading, Apr 21 2020)
Securing identities and data in the cloud is challenging, but a least-privilege access approach helps.

Azure Security Center enhancements (Microsoft Azure Blog, Apr 20 2020)
At Microsoft Ignite 2019, we announced the preview of more than 15 new features. This blog provides an update for the features that are now generally available to our customers.

Open Source Vulnerabilities Were Up 50% in 2019 — How Will It Impact Software Development in 2020? (DevOps, Apr 20 2020)
Open source vulnerabilities have been on the rise in recent years, but 2019 was truly one for the record books with a spike of nearly 50% over the previous year.

TikTok app inherently unsafe and a privacy risk (SC Media, Apr 15 2020)
TikTok’s continued use of HTTP to move sensitive data across the internet is allowing the videos and other content being sent by the app’s users to be tracked and altered, according to two web developers. Talal Haj Bakry and Tommy Mysk noted in a blog that the CDN used by TikTok still uses unencrypted…

Supply-chain attack hits RubyGems repository with 725 malicious packages (Ars Technica, Apr 17 2020)
Bitcoin currency stealer was downloaded thousands of times.

Fitness App Kinomap Leaks 42 Million Records (Infosecurity Magazine, Apr 22 2020)
Unsecured 40GB database to blame in another privacy snafu

Flaw Could Have Allowed Hackers to Identify All Zoom Users in a Company (SecurityWeek, Apr 22 2020)
A vulnerability in Zoom’s video conferencing service could have been abused to enumerate all of the registered Zoom users within an organization, Cisco Talos reports.