A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Organizations Continue to Struggle With App Vulns (Dark Reading, Jul 24 2020)
A high percentage of discovered bugs remain unremediated for a long time, a new study shows.

Attackers exploit Twilio’s misconfigured cloud storage, inject malicious code into SDK (Help Net Security, Jul 23 2020)
Twilio has confirmed that, for 8 or so hours on July 19, a malicious version of their TaskRouter JS SDK was being served from their one of their AWS S3 buckets. “Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” the company shared.

How to use AWS Organizations to simplify security at enormous scale (AWS Security Blog, Jul 22 2020)
AWS Organizations provides central governance and management across AWS accounts. In this post, we explain how AWS Organizations can make the lives of your Information Security engineers easier, based on our experience in the Information Security team at Amazon. The service control policies (SCPs) feature in AWS Organizations offers you central control over permissions…

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~15,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Cloud Misconfigurations a Major Compliance Risk, Say IT Decision Makers (Infosecurity Magazine, Jul 23 2020)
95% of IT decision makers consider cloud misconfiguration a data security risk

Gartner Forecasts Worldwide Public Cloud Revenue to Grow 6.3% in 2020 (Gartner, Jul 23 2020)
The worldwide public cloud services market is forecast to grow 6.3% in 2020 to total $257.9 billion, up from $242.7 billion in 2019, according to Gartner, Inc.

Integrated cloud-native security platforms can overcome limitations of traditional security products (Help Net Security, Jul 26 2020)
To close security gaps caused by rapidly changing digital ecosystems, organizations must adopt an integrated cloud-native security platform that incorporates artificial intelligence, automation, intelligence, threat detection and data analytics capabilities, according to 451 Research.

9 Tips to Keep Your Cloud Storage Safe and Secure (Wired, Jul 26 2020)
Make sure that your Dropbox, Google Drive, and Microsoft OneDrive data is protected—while still being easy for you to access.

Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness (Dark Reading, Jul 28 2020)
More than 80% of companies have at least one Internet-facing cloud asset that is more than six months out of date or running software that is no longer supported, according to scan data.

As Businesses Move to the Cloud, Cybercriminals Follow Close Behind (Dark Reading, Jul 28 2020)
In the wake of COVID-19, data theft is by far the top tactic, followed by cryptomining and ransomware.

Public cloud environments leave numerous paths open for exploitation (Help Net Security, Jul 29 2020)
As organizations across industries rapidly deploy more assets in the public cloud with Amazon, Microsoft, and Google, they’re leaving numerous paths open for exploitation, according to Orca Security. Cloud estates are being breached through their weakest links of neglected internet-facing workloads, widespread authentication issues, discoverable secrets and credentials, and misconfigured storage buckets.

Google Cloud Armor: Introducing 3 key features to protect your websites and applications (Google Cloud Blog, Jul 28 2020)
“With the seemingly never-ending list of threats, keeping your websites and applications secure is a constant challenge. At Google, we strive to help you operate your mission critical workloads securely and efficiently, while reducing toil along the way. Over the first half of this year we’ve made several critical features and capabilities generally available for Google Cloud Armor, includingWAF rules, geo-based access controls, a custom rules language, support for CDN Origins servers, and …”

Source Code From Major Firms Leaked via Unprotected DevOps Infrastructure (SecurityWeek, Jul 28 2020)
Source code belonging to tens of companies, including several major organizations, has been leaked online after it was found on unprotected DevOps infrastructure.

Ratings for Open Source Projects Aim to Make Software More Secure (Dark Reading, Jul 27 2020)
Two companies have teamed up to rate open source projects, but can adopting repository ratings help developers make better decisions regarding open source?

Dating app OKCupid fixed serious security vulnerability after alert (SC Media, Jul 28 2020)
The popular online OKCupid dating service left the private details of its more than 50 million users in 110 countries vulnerable to hacking, reports Check Point this morning in a report. After discovering the potential for malicious actions, Check Point presented its findings to OKCupid, which fixed the security flaws in its servers within 48…