A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Research Finds Nearly 800,000 Access Keys Exposed Online (Dark Reading, Sep 15 2020)
The researchers searched approximately 150 million entities across GitHub, GitLab, and Pastebin during a 30-day period in August and September to find the roughly 800,000 keys. They discovered that more than 40% of the keys were database keys while 38% were for cloud services. Redis was the most common database involved, while Google Cloud API was the most common cloud service key.
Large Cloud Providers Much Less Likely Than Enterprises to Get Breached (Dark Reading, Sep 14 2020)
Pen-test results also show a majority of organizations have few protections against attackers already on the network.
Microsoft Releases Open Source Fuzzing Framework for Azure (SecurityWeek, Sep 15 2020)
Microsoft on Tuesday announced the release of Project OneFuzz, an open source fuzzing framework for Azure that the tech giant has been using internally for the past year to find and patch bugs.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Attacks growing in both scope and sophistication, exposing gaps in the cloud native toolchain (Help Net Security, Sep 14 2020)
There’s a growing, organized and increasingly sophisticated pattern of attacks on cloud native infrastructure, according to Aqua Security. While most attacks were aimed at abusing public cloud compute resources for cryptocurrency mining, the methods used open the door for higher-value targets that leverage security gaps in container software supply chains and runtime environments.
Build a scalable security practice with Azure Lighthouse and Azure Sentinel (Microsoft Azure Blog, Sep 16 2020)
The Microsoft Azure Lighthouse product group is launching a blog series Azure Lighthouse covering areas where we are investing to make our service provider partners and enterprise customers successful with Azure.
CrowdStrike enhances services for AWS (Help Net Security, Sep 09 2020)
CrowdStrike announced the expansion of support for Amazon Web Services (AWS) with new capabilities that deliver integrations for the compute services and cloud services categories. Through these expanded services, CrowdStrike is enhancing development, security and operations (DevSecOps) to enable faster and more secure innovation that is easier to deploy.
Oracle Announces Availability of Cloud Guard, Maximum Security Zones (SecurityWeek, Sep 15 2020)
Oracle on Monday announced the general availability of its Cloud Guard and Maximum Security Zones cloud security tools
6 Lessons IT Security Can Learn From DevOps (Dark Reading, Sep 10 2020)
DevOps has taken over enterprise software development. The discipline has lessons for IT security — here are a quick half-dozen.
Integrating AWS CloudFormation security tests with AWS Security Hub and AWS CodeBuild reports (AWS Security Blog, Sep 14 2020)
The concept of infrastructure as code, by using pipelines for continuous integration and delivery, is fundamental for the development of cloud infrastructure. Including code quality and vulnerability scans in the pipeline is essential for the security of this infrastructure as code.
Chrome Sandbox Escape Vulnerability Earns Researchers $20,000 (SecurityWeek, Sep 11 2020)
Two researchers have earned $20,000 from Google for reporting a sandbox escape vulnerability affecting the Chrome web browser.