A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Google Moves to Secure the Cloud From Itself (Wired, Jul 14 2020)
Confidential Virtual Machines allows Google Cloud Services Customers to keep data secret—even when it’s being actively processed.

70% of organizations experienced a public cloud security incident in the last year (Help Net Security, Jul 09 2020)
70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos. Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.

Malware stashed in China-mandated software is more extensive than thought (Ars Technica, Jul 14 2020)
Move over GoldenSpy, earlier GoldenHelper malware also targeted businesses in China.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~15,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Introducing Google Cloud Confidential Computing with Confidential VMs (Google Cloud Blog, Jul 14 2020)
“At Google, we believe the future of cloud computing will increasingly shift to private, encrypted services that give users confidence that they are always in control over the confidentiality of their data.”

An effective cloud security posture begins with these three steps (Help Net Security, Jul 10 2020)
Public cloud adoption continues to surge, with roughly 83% of all enterprise workloads expected to be in the cloud by the end of the year. The added flexibility and lower costs of cloud computing make it a no-brainer for most organizations. Yet while cloud adoption has transformed the way applications are built and managed, it has also precipitated a radical rethink of how to approach security.

Cloud Adoption Held Back by Data Loss and Compliance Fears (Infosecurity Magazine, Jul 10 2020)
Just 47% of enterprise data is stored in the cloud.

How to retroactively encrypt existing objects in Amazon S3 using S3 Inventory, Amazon Athena, and S3 Batch Operations (AWS Security Blog, Jul 13 2020)
Amazon Simple Storage Service (S3) is an object storage service that offers industry-leading scalability, performance, security, and data availability. With Amazon S3, you can choose from three different server-side encryption configurations when uploading objects…

Identify, arrange, and manage secrets easily using enhanced search in AWS Secrets Manager (AWS Security Blog, Jul 10 2020)
AWS Secrets Manager now enables you to search secrets based on attributes such as secret name, description, tag keys, and tag values. With this launch, you can easily identify, arrange, and manage your secrets into logical groups that can then be used by specific applications, departments, or employees.

Updates to the security pillar of the AWS Well-Architected Framework (AWS Security Blog, Jul 09 2020)
“We have updated the security pillar of the AWS Well-Architected Framework, based on customer feedback and new best practices. In this post, I’ll take you through the highlights of the updates to the security information in the Security Pillar whitepaper and the AWS Well-Architected Tool”

How to Secure Containers for Cybersecurity (Container Journal, Jul 14 2020)
Containers have many benefits but can be a cybersecurity risk if not secure. Here’s what you need to consider. Today, innovative organizations and those that are quick to adopt new technologies display faster growth rates than those that don’t.

DevSecOps Requires a Different Approach to Security (Dark Reading, Jul 14 2020)
Breaking applications into microservices means more difficulty in gaining good visibility into runtime security and performance issues, says startup Traceable.

How to Source Vulnerability Data for True DevSecOps (DevOps, Jul 14 2020)
Open source comes with code vulnerabilities that must be considered in the DevOps process. The war between open source and “only proprietary code” is long over. Open source won the day by convincing the opposition of the benefits of joining the open source community. “Vulnerabilities in the Core,”…

Facebook Offering Big Rewards for Vulnerabilities in Hermes, Spark AR (SecurityWeek, Jul 10 2020)
Facebook announced on Friday that it’s offering significant rewards through its bug bounty program for vulnerabilities found in Hermes and Spark AR.

99% of Websites at Risk of Attack Via JavaScript Plug-ins (Dark Reading, Jul 14 2020)
The average website includes content from 32 different third-party JavaScript programs, new study finds.

‘Secure’ Chat App Spies on Users (Infosecurity Magazine, Jul 14 2020)
Welcome Chat leaks stolen data and is embroiled in cyber-espionage.