A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

How secure are open source libraries? (Help Net Security, May 21 2020)
Seven in 10 applications have a security flaw in an open source library, highlighting how use of open source can introduce flaws, increase risk, and add to security debt, Veracode research reveals. Nearly all modern applications, including those sold commercially, are built using some open source components. A single flaw in one library can cascade to all applications that leverage that code.

Application threats and security trends you need to know about (Help Net Security, May 27 2020)
Applications are a gateway to valuable data, so it’s no wonder they are one of attackers’ preferred targets. And since modern applications aren’t a monolithic whole but consist of many separate components “glued together” over networks, attackers have at their disposal many “doors” through which they can attempt access to the data.

Cloud WAF Comparison, Part 2 (Medium, May 20 2020)
In this follow-up article we’ll have a look at how three additional cloud WAFs perform against the services tested in our first comparison.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Organizations plan to migrate most apps to the cloud in the next year (Help Net Security, May 24 2020)
More than 88% of organizations use cloud infrastructure in one form or another, and 45% expect to migrate three quarters or more of their apps to the cloud over the next twelve months, according to an O’Reilly survey.

Docker Desktop danger discovered, patch now (Naked Security – Sophos, May 26 2020)
Docker has fixed a vulnerability that could have allowed an attacker to gain control of a Windows system using its service.

Use of cloud collaboration tools surges and so do attacks (Network World Security, May 27 2020)
Some industries have seen cloud-related threat events rise by as much as 1,350% since the COVID-19 crisis began.

How to create SAML providers with AWS CloudFormation (AWS Security Blog, May 26 2020)
“AWS provides many solutions that can orchestrate a person’s identity across multiple accounts. AWS Identity and Access Management (IAM), SAML, and OpenID can all help. The solution I describe in this post uses these features and services and can scale to thousands of AWS accounts. It provides a repeatable and automated means for deploying a unified identity management structure across all of your AWS environments. It does this while extending existing identity management into AWS without needing to change your current sources of user information.”

Zero-trust remote admin access for Windows VMs on Compute Engine (Google Cloud Blog, May 21 2020)
It’s more important than ever for IT administrators to be able to securely access resources from wherever they are. Exposing VM instances to the public internet can be risky, potentially giving bad actors a direct access path to your network. But solutions such as VPN tunnels or jump (bastion) hosts to access these systems can be cumbersome and may not provide the precise access control admin tasks demand.

Microsoft Announces New Security Features for Devs, Customers (SecurityWeek, May 21 2020)
At this week’s Build virtual event, Microsoft announced new Identity and Azure features meant to improve security for both application developers and enterprise customers.

‘Weird’ Nintendo Switch Issue Makes it Easier to Guess Passwords (VICE, May 22 2020)
A design choice on the Nintendo Switch eShop can give hackers clues as to a target’s password.

Enterprises look to SASE to bolster security for remote workers (Network World Security, May 26 2020)
The coronavirus pandemic has accelerated some companies’ plans to adopt secure access service edge (SASE). Last summer, Gartner estimated SASE adoption at less than 1% of enterprises and said it would take five to 10 years before the technology reaches mainstream. But today, SASE is one of the main topics of client interest, according to Gartner analyst John Wheeler.