A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Data Security in the SaaS Age: Focus on What You Control (Securosis Blog, Jun 15 2020)
“Returning to the Data Breach Triangle, you can stop a breach by either ‘eliminating’ the data to steal, stopping the exploit, or preventing egress/exfiltration. In SaaS you cannot control the exploit, so forget that. You also probably don’t see the traffic going directly to a SaaS provider unless you inefficiently force all traffic through an inspection point. So focusing on egress/exfiltration probably won’t suffice either.

That leaves you to control the data.”

Exposed Cloud Databases Attacked 18 Times Per Day (Infosecurity Magazine, Jun 15 2020)
Comparitech’s honeypot research finds first raid just eight hours in

Machine-learning clusters in Azure hijacked to mine cryptocurrency (Ars Technica, Jun 11 2020)
Microsoft shuts down hacking spree that preyed on misconfigured machines.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Tighten S3 permissions for your IAM users and roles using access history of S3 actions (AWS Security Blog, Jun 10 2020)
To help with this, AWS Identity and Access Management (IAM) reports the last time users and roles used each service, so you can know whether you can restrict access. This helps you to refine permissions to specific services, but we learned that customers also need to set more granular permissions to meet their security requirements.

Stay ahead of multi-cloud attacks with Azure Security Center (Microsoft Security, Jun 15 2020)
three strategies to help you lock down your environment:

Protect all cloud resources across cloud-native workloads, virtual machines, data services, containers, and IoT edge devices.
Strengthen your overall security posture with enhanced Azure Secure Score.
Connect Azure Security Center with Azure Sentinel for proactive hunting and threat mitigation with advanced querying and the power of AI.

Why DevSecOps remains a mirage (Help Net Security, Jun 12 2020)
Despite the rhetoric around DevSecOps, security remains an afterthought when organizations are building software. Meanwhile, the latest Verizon threat report identified that web application attacks have doubled, validating that cloud-based data is under attack. The surge in web app security breaches in 2019 further solidifies that we are a long way from delivering on the DevSecOps vision.

Nintendo Switch hack nearly twice as bad as first reported (SC Media, Jun 11 2020)
Crisis communications experts always advise victims to not provide an initial estimate of impacted households or users because the number is always far greater. Such is the case with Nintendo, which admitted Tuesday that 300,000 of the Nintendo Switch accounts were hacked, not the 160,000 initially reported in April.

Details Released for Recently Patched Code Execution Vulnerability in Firefox (SecurityWeek, Jun 10 2020)
Cisco’s Talos threat intelligence and research group has released information on a recently addressed vulnerability in Firefox that could be exploited for code execution.

Building Security into Software (Dark Reading, Jun 12 2020)
Part 1 of a two-part series about securing machine learning.

Vulnerability in Trump campaign app revealed keys and secrets (SC Media, Jun 16 2020)
A security vulnerability in President Trump’s mobile campaign app exposed Twitter application keys and secrets, Google apps and maps keys and Branch.io keys in the Android APK file, researchers at Website Planet recently discovered.