A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

GitHub Takes Aim at Open Source Software Vulnerabilities (Wired, May 06 2020)
GitHub Advanced Security will help automatically spot potential security problems in the world’s biggest open source platform.

AWS Foundational Security Best Practices standard now available in Security Hub (AWS Security Blog, May 07 2020)
“In this post, we will cover:
– How to enable the new AWS Foundational Security Best Practices standard.
– An overview of the security controls.
– An explanation of the security control details.
– How to disable and enable specific security controls.
– How to navigate to the remediation instructions for a failed security control.”

Admin Essentials: Protecting enterprise credentials with Password Alert (Google Cloud Blog, May 07 2020)
There’s another free feature in Chrome Browser that can help enterprises: Password Alert.
Password Alert helps enterprises:
– Avoid phishing attacks by detecting when an employee enters their corporate credentials into a known phishing or suspicious site
– Prevent reuse of corporate passwords on non-corporate sites


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Microsoft and AWS exchange poisoned pen blog posts in latest Pentagon JEDI contract spat (TechCrunch, May 08 2020)
Microsoft and Amazon are at it again as the fight for the Defense Department JEDI contract continues. In a recent series of increasingly acerbic pronouncements, the two companies continue their ongoing spat over the $10 billion, decade-long JEDI contract spoils.

How to implement least privilege in the cloud (Help Net Security, May 13 2020)
According to a recent survey of 241 industry experts conducted by the Cloud Security Alliance (CSA), misconfiguration of cloud resources is a leading cause of data breaches. The primary reason for this risk? Managing identities and their privileges in the cloud is extremely challenging because the scale is so large.

Cloud-Native Threats in the COVID-19 Pandemic (Infosecurity Magazine, May 13 2020)
Shadow traffic poses a serious risk as it isn’t inspected and creates a gate to corporate resources.

Easily control the naming of individual IAM role sessions (AWS Security Blog, May 12 2020)
AWS Identity and Access Management (IAM) now has a new sts:RoleSessionName condition element for the AWS Security Token Service (AWS STS), that makes it easy for AWS account administrators to control the naming of individual IAM role sessions.
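To make the point of the new condition key concrete, here is an added example (not code from AWS or from the blog post) that models one common use of it: a role trust policy that only allows sts:AssumeRole when the caller names the session after their own IAM user, so that CloudTrail records a session name that can be tied back to a person. The trust policy document and the account ID are assumed sample values, and the small evaluator below is a toy model of how a StringEquals/StringLike condition is matched; it does not reproduce AWS's real policy engine.

```python
"""Offline illustration of the sts:RoleSessionName condition key.

Added example, not AWS code. TRUST_POLICY is an assumed sample document;
condition_matches() is a simplified model of IAM condition evaluation
(StringEquals / StringLike only, with ${aws:username}-style variables).
"""
import fnmatch

# Assumed trust policy: the session name must equal the caller's IAM user name.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:RoleSessionName": "${aws:username}"}
            },
        }
    ],
}


def _substitute(value, ctx):
    """Expand ${key} policy variables from the request context."""
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def condition_matches(condition, ctx):
    """Return True when every operator/key pair in the Condition block holds.

    ctx is the request context: condition keys (e.g. sts:RoleSessionName)
    and policy variables (e.g. aws:username) the caller presents.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                # A missing context key never satisfies a positive string condition.
                return False
            values = expected if isinstance(expected, list) else [expected]
            values = [_substitute(v, ctx) for v in values]
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringLike":
                # IAM StringLike supports * and ? wildcards; fnmatchcase is
                # close enough for those (it also honours [...] which IAM does not).
                ok = any(fnmatch.fnmatchcase(actual, v) for v in values)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def assume_role_allowed(policy, ctx):
    """True if any Allow statement for sts:AssumeRole has a satisfied Condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    # Constructed request contexts: alice names her session correctly / incorrectly.
    honest = {"aws:username": "alice", "sts:RoleSessionName": "alice"}
    spoofed = {"aws:username": "alice", "sts:RoleSessionName": "admin"}
    print(assume_role_allowed(TRUST_POLICY, honest))   # True
    print(assume_role_allowed(TRUST_POLICY, spoofed))  # False
```

The same shape works with StringLike and a prefix such as "${aws:username}-*" when pipelines need several distinguishable sessions per user; the useful check is that a session name the caller did not earn is refused outright rather than merely logged.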

Enabling AWS Security Hub integration with AWS Chatbot (AWS Security Blog, May 08 2020)
“In this post, we show you how to configure AWS Chatbot to send findings from AWS Security Hub to Slack. Security Hub gives you a comprehensive view of your high-priority security alerts and security posture across your Amazon Web Services (AWS) accounts.”

Trend Micro Publishes Guide to Kubernetes Security (Container Journal, May 11 2020)
Trend Micro has created a guide to Kubernetes threats that categorizes the threats into three broad categories: external attacks, misconfiguration issues and vulnerable applications.

Monitor your Azure workload compliance with Azure Security Benchmark (Microsoft Azure Blog, May 12 2020)
The Azure Security Benchmark v1 was released in January 2020 and is being used by organizations to manage their security and compliance policies for their Azure workloads.

Why DevSecOps Is Critical for Containers and Kubernetes (Dark Reading, May 08 2020)
DevSecOps is a big and sometimes difficult shift for organizations. The key to success? Take small steps.

Now More Than Ever? Securing the Software Life Cycle (Dark Reading, May 07 2020)
The more things change, the more they stay the same. That’s true for software security, even in these turbulent times.

Financial services leading the way in adopting DevOps, still hurdles remain (Help Net Security, May 07 2020)
“At the heart of what makes the financial services sector so interesting is its willingness to adopt a generative culture, which focuses on breaking free of siloes and promoting a proactive, collaborative atmosphere,”

Chef InSpec Profile for Critical Salt Vulnerabilities (Chef Blog, May 06 2020)
On April 30, 2020, two critical security vulnerabilities were identified in the SaltStack open source project (github.com/saltstack/salt). These vulnerabilities are critical and must be patched to avoid a potential takeover of your systems. They have been assigned the highest severity rating, 10.0, under the Common Vulnerability Scoring System…

The Secure Software Development Life Cycle: Syncing Development and Security (DevOps, May 13 2020)
Over the last five to 10 years, the nature of software development has shifted dramatically. Whereas large software releases occurred every six to 18 months in the past, current release schedules have become much more frequent.

Essential Role of EDR in Safeguarding DevOps Network (DevOps Zone, May 08 2020)
EDR solutions can be integrated into the DevOps cycle, so malicious activity can be tracked and hunted down by developers. This can be the quickest and most automated way to tackle security threats.

Data Breach Exposes Four Million Dating App Users (Infosecurity Magazine, May 11 2020)
MobiFriends was apparently breached back in January 2019.

Facebook Awards Researcher $20,000 for Account Hijacking Vulnerability (SecurityWeek, May 13 2020)
Security researcher Vinoth Kumar says Facebook awarded him $20,000 after he discovered and reported a Document Object Model-based cross-site scripting (DOM XSS) vulnerability that could have been exploited to hijack accounts.

Info on NHS Coronavirus app leaks out via Google Drive snafu (Graham Cluley, May 13 2020)
Sensitive documents about the UK’s Coronavirus-tracing app have reportedly been carelessly leaked via a publicly accessible Google Drive link.