A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
“Sign in with Apple” Vulnerability (Schneier on Security, Jun 02 2020)
“Researcher Bhavuk Jain discovered a vulnerability in the “Sign in with Apple” feature, and received a $100,000 bug bounty from Apple. Basically, forged tokens could gain access to pretty much any account.
It is fixed.”
Most companies suffered a cloud data breach in the past 18 months (Help Net Security, Jun 03 2020)
Nearly 80% of the companies had experienced at least one cloud data breach in the past 18 months, and 43% reported 10 or more breaches, a new Ermetic survey reveals. According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments.
This Bot Hunts Software Bugs for the Pentagon (Wired, Jun 01 2020)
Mayhem emerged from a 2016 government-sponsored contest at a Las Vegas casino hotel. Now it’s used by the military—and Netflix.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Cloud Security Architect Proves Hardest Infosec Role to Fill (Dark Reading, May 27 2020)
Nearly 70% of businesses struggle to recruit, hire, and retain cybersecurity talent, and many link security incidents to lack of skills.
External attacks on cloud accounts grew 630 percent from January to April (Help Net Security, May 28 2020)
The McAfee report uncovers a correlation between the increased use of cloud services and collaboration tools, such as Cisco WebEx, Zoom, Microsoft Teams and Slack during the COVID-19 pandemic, along with an increase in cyber attacks targeting the cloud.
How insurance CISOs can address cloud migration security concerns (SC Media, May 29 2020)
The cloud is hardly new for most industries, but insurance is still in its early days with respect to widespread adoption. While solid progress is being made—a recent report from Novarica shows that more than 70% of insurers now use cloud computing (more than triple the last few years)—most have implemented it only in segments…
VMware flaw allows takeover of multiple private clouds (Naked Security – Sophos, Jun 03 2020)
VMware’s Cloud Director has a security flaw that researchers believe could be exploited to compromise multiple customer accounts using the same cloud infrastructure.
Data on Indian Mobile Payments App Reportedly Exposed via Open S3 Bucket (Dark Reading, Jun 01 2020)
Over 7 million records exposed, according to vpnMentor, but app maker says there is no sign of malicious use.
Debunking Nagging Cloud-Adoption Myths (eWEEK, Jun 02 2020)
Some companies are still playing cloud catch-up. There are persistent cloud adoption myths that may be to blame, acting as barriers and preventing companies from leveraging the superpowers of the cloud to boost efficiency, security and innovation.
How to perform automated incident response in a multi-account environment (AWS Security Blog, Jun 01 2020)
“In this post, I provide a pattern and ready-made templates for a scalable multi-account setup of an automated incident response process with minimal code base, using native AWS tools. I also explain how to set up exception handling for approved deviations based on resource tags.”
AWS Shield Threat Landscape report is now available (AWS Security Blog, May 29 2020)
AWS Shield is a managed threat protection service that safeguards applications running on AWS against exploitation of application vulnerabilities, bad bots, and Distributed Denial of Service (DDoS) attacks. The AWS Shield Threat Landscape Report (TLR) provides you with a summary of threats detected by AWS Shield. This report is curated by the AWS Threat Research Team (TRT), who continually monitors and assesses the threat landscape to build protections on behalf of AWS customers. This includes rules and mitigations for services like AWS Managed Rules for AWS WAF and AWS Shield Advanced. You can use this information to expand your knowledge of external threats and improve the security of your applications running on AWS.
Microsoft and Docker collaborate on new ways to deploy containers on Azure (Microsoft Azure Blog, May 27 2020)
“Containerization is one key way to increase agility. Containerized applications are built in a more consistent and repeatable way, by way of defining desired infrastructure, dependencies, and configuration as code for all stages of the lifecycle. Applications often start and stop faster at runtime too, which often helps quickly start, stop, scale out, and update in the cloud.
With this in mind, we announced a new partnership earlier today between Microsoft and Docker to integrate Docker Desktop more closely with Microsoft Azure and the Visual Studio line of products.”
DevSecOps vs. Agile Development: Putting Security at the Heart of Program Development (DevOps, Jun 03 2020)
Despite most developers and managers being well aware of the concept of DevSecOps, it is still often confused with a number of related processes and concepts. This is particularly true for the Department of Defense (DoD) contractors because they have long been encouraged to use a related process known as agile development.
Will Quick and Security Ever Meet in DevOps? (DevOps Zone, Jun 02 2020)
The adoption of DevOps by global enterprises has spiked in the last three years. While many companies have shown success by delivering software at break-neck speed, maintaining new security as per industry standards has been a pressing concern for all of them.
But why is this the case?