A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Microsoft Paid Out ~$14M via Bug Bounty Programs in Past Year (SecurityWeek, Aug 04 2020)
Microsoft reported on Tuesday that it paid out roughly $13.7 million through its bug bounty programs between July 1, 2019, and June 30, 2020.
Google Adds Security Updates to Chrome Autofill (Dark Reading, Jul 30 2020)
Chrome users can retrieve payment card numbers via biometric authentication and use a new “touch-to-fill: feature to log in to accounts.
New Open Source Security Foundation wants to improve open source software security (Help Net Security, Aug 03 2020)
The Linux Foundation announced the formation of the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community with targeted initiatives and best practices.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~15,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Quarterly Cloud Spending Blows Past $30B; Incremental Growth Continues (eWEEK, Jul 31 2020)
Amazon Web Services’ market share remained at its long-standing mark of around 33%, while Microsoft Azure was at 18% for the third consecutive quarter and Google Cloud’s share nudged up to 9%.
Logical separation: Moving beyond physical isolation in the cloud computing era (AWS Security Blog, Jul 29 2020)
“We’re sharing an update to the Logical Separation on AWS: Moving Beyond Physical Isolation in the Era of Cloud Computing whitepaper to help customers benefit from the security and innovation benefits of logical separation in the cloud. This paper discusses using a multi-pronged approach—leveraging identity management, network security, serverless and containers services, host and instance features, logging, and encryption—to build logical security mechanisms that meet and often exceed the security results of physical separation of resources and other on-premises security approaches.”
Businesses are preparing for a cloud-based approach to applications (Help Net Security, Jul 29 2020)
While most enterprises are committed to modernizing their application software portfolios, there are still myriad challenges to overcome and improvements to be made, according to a survey conducted by Hanover Research. According to the report, application development functions have a full agenda for the next 12 months, with the majority seeking improvements in speed, quality and security to ensure continued competitiveness. Speed: Only 37% of respondents are very satisfied with how fast they are
Cloud Breaches Set to Grow in “Velocity and Scale” (Infosecurity Magazine, Aug 05 2020)
93% of cloud deployments contain misconfigured services
Misconfigured servers contributed to more than 200 cloud breaches (SC Media, Aug 04 2020)
Misconfigured storage services in 93 percent of cloud deployments have contributed to more than 200 breaches over the past two years, exposing more than 30 billion records, according to a report from Accurics, which predicted that cloud breaches are likely to increase in both velocity and scale.
New – Using Amazon GuardDuty to Protect Your S3 Buckets (AWS News Blog, Jul 31 2020)
“As we anticipated in this post, the anomaly and threat detection for Amazon Simple Storage Service (S3) activities that was previously available in Amazon Macie has now been enhanced and reduced in cost by over 80% as part of Amazon GuardDuty. This expands GuardDuty threat detection coverage beyond workloads and AWS accounts to also help you protect your data stored in S3.”
Migrating your rules from AWS WAF Classic to the new AWS WAF (AWS Security Blog, Aug 04 2020)
“In November 2019, Amazon launched a new version of AWS Web Application Firewall (WAF) that offers a richer and easier to use set of features. In this post, we show you some of the changes and how to migrate from AWS WAF Classic to the new AWS WAF.”
Over 150 AWS services now have a security chapter (AWS Security Blog, Jul 30 2020)
“We’re happy to share an update on the service documentation initiative that we first told you about on the AWS Security Blog in June, 2019. We’re excited to announce that over 150 services now have dedicated security chapters available in the AWS security documentation.”
Introducing CAS: Securing applications with private CAs and certificates (Google Cloud Blog, Aug 04 2020)
“Certificate Authority Service (CAS), now in beta, from Google Cloud—a highly scalable and available service that simplifies and automates the management and deployment of private CAs while meeting the needs of modern developers and applications.”
Security, privacy, and compliance resources for Healthcare and Life Sciences customers (Google Cloud Blog, Jul 30 2020)
“While they’re dealing with these challenges, healthcare and life sciences organizations are still compelled to uphold their security, privacy, and regulatory compliance obligations. To help these organizations manage their applications appropriately and confidently, today we’re highlighting several recently published solution guides, whitepapers, and other assets.”
Vulnerability Allowed Brute-Forcing Passwords of Private Zoom Meetings (SecurityWeek, Jul 30 2020)
A vulnerability that Zoom addressed in its web client could have allowed an attacker to join private meetings by brute-forcing the passcode.
Security analysis of legacy programming environments reveals critical flaws (Help Net Security, Aug 05 2020)
New research from Trend Micro highlights design flaws in legacy languages and released new secure coding guidelines. These are designed to help Industry 4.0 developers greatly reduce the software attack surface, and therefore decrease business disruption in OT environments.