A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
GitHub Tool Spots Security Vulnerabilities in Code (Dark Reading, Sep 30 2020)
Scanner, which just became generally available, lets developers spot problems before code gets into production.
New Research Finds Bugs in Every Anti-Malware Product Tested (Dark Reading, Oct 06 2020)
Products from every vendor had issues that allowed attackers to elevate privileges on a system — if they already were on it.
Microsoft Paid Out Over $374,000 for Azure Sphere Vulnerabilities (SecurityWeek, Oct 06 2020)
Microsoft on Tuesday shared the results of its three-month-long Azure Sphere Security Research Challenge and the company says it has paid out more than $374,000 to participants.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
AWS adds new S3 security and access control features (Help Net Security, Oct 06 2020)
Amazon Web Services (AWS) has made available three new S3 (Simple Storage Service) security and access control features: Object Ownership, Bucket Owner Condition, and Copy API via Access Points. Object Ownership is a permission that can be set when creating a new object within an S3 bucket, to enforce the transfer of new object ownership onto the bucket owner.
Cloud Misconfiguration Mishaps Businesses Must Watch (Dark Reading, Sep 30 2020)
Cloud security experts explain which misconfigurations are most common and highlight other areas of the cloud likely to threaten businesses.
Microsoft Azure customers can now implement Datadog as a monitoring solution for their cloud workloads (Help Net Security, Oct 01 2020)
Datadog announced a new strategic partnership with Microsoft Azure. As part of this launch, Datadog will now be available in the Azure console as a first class service. This means that Azure customers will be able to implement Datadog as a monitoring solution for their cloud workloads through new streamlined workflows that cover everything from procurement to configuration.
Cisco Acquires Kubernetes-Native Security Platform Portshift (SecurityWeek, Oct 02 2020)
Cisco this week announced plans to acquire Kubernetes-native security platform Portshift.
Public cloud IT infrastructure spending exceeds that for non-cloud IT infrastructure (Help Net Security, Oct 04 2020)
Vendor revenue from sales of IT infrastructure products (server, enterprise storage, and Ethernet switch) for cloud environments, including public and private cloud, increased 34.4% year over year in the second quarter of 2020 (2Q20), according to IDC. Investments in traditional, non-cloud, IT infrastructure declined 8.7% year over year in 2Q20.
AWS Firewall Manager helps automate security group management: 3 scenarios (AWS Security Blog, Oct 06 2020)
“In this post, we walk you through scenarios that use AWS Firewall Manager to centrally manage security groups across your AWS Organizations implementation. Firewall Manager is a security management tool that helps you centralize, configure, and maintain AWS WAF rules, AWS Shield Advanced protections, and Amazon Virtual Private Cloud (Amazon VPC) security groups across AWS…”
How to get read-only visibility into the AWS Control Tower console (AWS Security Blog, Oct 01 2020)
“When you audit an environment governed by AWS Control Tower, having visibility into the AWS Control Tower console allows you to collect important configuration information, but currently there isn’t a read-only role installed by AWS Control Tower. In this post, I will show you how to create a custom permission set by using both a…”
New security and privacy announcements for Google Workspace (Google Cloud Blog, Oct 06 2020)
“Today, we announced Google Workspace, which brings together everything you need to get anything done, now in one place. It’s never been more critical to protect the connections that Google Workspace enables everyday, and we’re constantly innovating to deliver the best in security. Our security features help you create flexible workspaces that scale, no matter what device or browser you are using.”
AWS Security Best Practices: Cloud Security Report 2020 for InfoSec (Cloud Security Alliance, Oct 05 2020)
By adopting new IaaS and PaaS solutions or expanding their existing footprints in the cloud, companies are able to support a growing work-from-anywhere workforce. However, the introduction of new cloud technologies has increased the potential for security vulnerabilities.
Few security pros believe their organizations have reached full DevSecOps maturity (Help Net Security, Oct 01 2020)
20% of security professionals described their organizations’ DevSecOps practices as “mature”, 62% said they are still improving their practices, and 18% described them as “immature”, a WhiteSource report finds.
Checkmarx provides automated security scans within GitHub repositories (Help Net Security, Oct 05 2020)
Checkmarx announced a new GitHub Action to bring comprehensive, automated static and open source security testing to developers. As enterprises look to differentiate themselves through digital innovation, recent research found that nearly two-thirds will be prolific software producers, with code deployed daily, by 2025.
How important is monitoring in DevOps? (Help Net Security, Oct 06 2020)
The importance of monitoring is often left out of discussions about DevOps, but a Gartner report shows how it can lead to superior customer experiences. The report provides the following key recommendations: Work with DevOps teams during the design phase to add the instrumentation necessary to track business key performance indicators and monitor business metrics in production.
Critical Grindr Account Takeover Bug Rings Alarm Bells (Infosecurity Magazine, Oct 05 2020)
Flaw could have enabled attackers to reset user passwords
6 Best Practices for Using Open Source Software Safely (Dark Reading, Oct 06 2020)
Open source software is critical yet potentially dangerous. Here are ways to minimize the risk.
Food Delivery Service Chowbus Experiences Data Breach (Infosecurity Magazine, Oct 07 2020)
Asian food delivery service suffers major data breach of customer and partner records