A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Let’s Hack a Pipeline: Argument Injection (Azure DevOps Blog, Aug 21 2020)
In this series of posts, we’ll walk through some common security pitfalls when setting up Azure Pipelines. We don’t really want to get hacked, so we’ll also show off the mitigation.

Apple OS developer supply chain threatened by ‘clever’ malware attack (SC Media, Aug 20 2020)
In an attack described as a “clever” supply-chain threat, XCSSET malware is being injected undetected into programs created by unwitting Xcode Apple developers who share their projects on the GitHub repository.

Using Cloud Logging as your single pane of glass (Cloud Blog, Aug 21 2020)
“Logs are an essential tool for helping to secure your cloud deployments. In the first post in this series, we explored Cloud Identity logs and how you can configure alerts for potentially malicious activity in the Cloud Identity Admin Console to make your cloud deployment more secure. Today, we’ll take it a step further and look at how you can centralize collection of these logs to view activity across your deployment in a single pane of glass.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

How can companies avoid the risks of unexpected expenses related to cloud migration? (Help Net Security, Aug 23 2020)
As companies shift to remote work and move business operations online because of the spread of COVID-19, they are increasingly relying on cloud services. Unexpected expenses and cloud migration In fact, cloud spending hit a record $34.6 billion in the second quarter, representing a 30% bump year-over-year and 11% increase from the previous quarter.

With More Use of Cloud, Passwords Become Even Weaker Link (Dark Reading:, Aug 26 2020)
Slow patching provides vulnerabilities to exploit. A lack of network segmentation allows unrestricted lateral movement. Yet a report surveying a year of penetration tests finds that passwords still top the list of what attackers use to compromise systems.

Nearly Half of UK IT Leaders Have Not Upgraded to Cloud Security (, Aug 25 2020)
47% of UK IT leaders have not upgraded from on-premises security to cloud security strategies

How to think about cloud security governance (AWS Security Blog, Aug 25 2020)
When customers first move to the cloud, their instinct might be to build a cloud security governance model based on one or more regulatory frameworks that are relevant to their industry. Although this can be a helpful first step, it’s also critically important that organizations understand what the control objectives for their workloads should be…

CyberArk Discloses Potential Security Flaw in Kubernetes Agent Software (Container Journal, Aug 20 2020)
CyberArk, a provider of access management tools, today issued an advisory describing multiple potential misconfigurations of kubelet, the agent software that registers a Kubernetes node with an application programming interface (API) server, that could lead to a cybersecurity breach.

The Security Case for Containerized Cloud Architecture (Container Journal, Aug 18 2020)
Cloud-based containerized architecture is critical for cybersecurity and is especially relevant in the era of remote work As COVID-19 cases spike across the country, some companies have already made the difficult choice to delay office reopenings and extend remote work policies.

New DevSecOps study highlights need to address AppSec throughout the SDLC (SC Media, Aug 25 2020)
Despite the best of intentions among security and development teams, finding common ground can be a real challenge. Both sides are driven by different—and often competing—metrics, making alignment even harder. Add the fact that most security teams lack an understanding of modern application development practices, including the move to microservices-driven architectures and the use of…

GitLab Presses Case for DevSecOps Collaboration (DevOps.com, Aug 26 2020)
GitLab today at its GitLab Commit Virtual event pledged to make securing its open source continuous integration/continuous delivery (CI/CD) platform a more collaborative effort. Cindy Blake, senior security evangelist for GitLab, said the company is committed to sharing a road map developed in collaboration with DevOps teams that lets organizations see what cybersecurity issues will..

Fuzzing Services Help Push Technology into DevOps Pipeline (Dark Reading, Aug 19 2020)
As part of a continuous testing approach, fuzzing has evolved to provide in-depth code checks for unknown vulnerabilities before deployment.

Mozilla Offering Rewards for Bypassing Firefox Exploit Mitigations (SecurityWeek, Aug 21 2020)
Mozilla announced on Thursday that it has expanded its bug bounty program with a new category that focuses on bypass methods for the exploit mitigations, security features and defense-in-depth measures in Firefox.

Researchers aim to improve code patching in embedded systems (Help Net Security, Aug 26 2020)
Three Purdue University researchers and their teammates at the University of California, Santa Barbara and Swiss Federal Institute of Technology Lausanne have received a DARPA grant to fund research that will improve the process of patching code in vulnerable embedded systems. “Many embedded systems, like computer systems running in trucks, airplanes and medical devices, run old code for which the source code and the original compilation toolchain are unavailable,” Antonio Bianchi…

FBI/CISA Warn US Firms of State-Mandated Tax Malware (, Aug 26 2020)
Persistent Chinese attempts to obfuscate raises threat levels