A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Twitter turns off SMS-based tweeting in most countries (Sophos, Apr 29 2020)
Buh-bye, original way of tweeting. Twitter said it’s to keep our accounts safe, referring to unspecified SMS-enabled vulnerabilities.

IAM Access Analyzer flags unintended access to S3 buckets shared through access points (AWS Security Blog, Apr 27 2020)
To help you identify buckets that can be accessed publicly or from other AWS accounts or organizations, AWS Identity and Access Management (IAM) Access Analyzer mathematically analyzes resource policies. Now, Access Analyzer analyzes access point policies in addition to bucket policies and bucket ACLs. This helps you find unintended access to S3 buckets that use access points.

Improving your security posture with centralized secrets management (Google Cloud Blog, Apr 28 2020)
One of the biggest advantages of a centralized secrets management solution is mitigating secret sprawl. Without a centralized solution, secrets such as API keys, certificates, and database passwords often end up committed to a source repository, saved on a corporate wiki page, or even written on a piece of paper. When secrets are sprawled like this, you lose the ability to easily audit and control access to their values, allowing an attacker to move undetected throughout a system, as has happened in several recent data breaches.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Learning From the Honeypot: A Researcher and a Duplicitous Docker Image (Dark Reading, Apr 22 2020)
When Larry Cashdollar set up a honeypot in a Docker image, he found behavior that was more enlightening than he had imagined.

New Startup Accurics Tackles Cloud Infrastructure Security (Dark Reading, Apr 28 2020)
Accurics offers a free product to prevent “drift” between infrastructure defined through code and infrastructure running in the cloud.

Cloud Services Are the New Critical Infrastructure. Can We Rely on Them? (Dark Reading, Apr 27 2020)
If cloud services vendors successfully asked themselves these three questions, we’d all be better off.

Rapid7 Buys into CSPM with DivvyCloud Purchase (Infosecurity Magazine, Apr 28 2020)
Boston-based firm will pay $145m to tackle cloud misconfiguration.

Use AWS Firewall Manager and VPC security groups to protect your applications hosted on EC2 instances (AWS Security Blog, Apr 24 2020)
You can use AWS Firewall Manager to centrally configure and manage Amazon Virtual Private Cloud (Amazon VPC) security groups across all your AWS accounts. This post will take you through the step-by-step instructions to apply common security group rules, audit your security groups, and detect unused and redundant rules in your security groups across your AWS environment.

Threat Stack Report Highlights Common Kubernetes Security Issues (Container Journal, Apr 27 2020)
A security report for the first quarter of 2020 published by Threat Stack, a provider of tools for ensuring security and compliance in the cloud, details some of the most common security issues organizations are encountering when they deploy Kubernetes on the Amazon Web Services (AWS) public cloud.

Accelerating Cybersecurity Maturity Model Certification (CMMC) compliance on Azure (Microsoft Azure Blog, Apr 28 2020)
Expanding compliance coverage to meet CMMC requirements, announcing a new CMMC acceleration program for DIB companies serving the DoD.

Researcher Earns $20,000 From GitLab for Critical Vulnerability (SecurityWeek, Apr 29 2020)
A researcher has earned $20,000 from GitLab after reporting a critical vulnerability that could have been exploited to obtain sensitive information from a server and to execute arbitrary code.

Security, simplified: Making Shielded VM the default for Compute Engine (Google Cloud Blog, Apr 27 2020)
“Last April we announced the general availability of Shielded VM—virtual machine instances that are hardened with a set of easily configurable security features to ensure that when your VM boots, it’s running a verified bootloader and kernel. To make it accessible to everyone, we offered Shielded VM at no additional charge.”

Secure the software development lifecycle with machine learning (Microsoft, Apr 16 2020)
A collaboration between data science and security produced a machine learning model that accurately identifies and classifies security bugs based solely on report names.