A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Twitter-Owned SDK Leaking Location Data of Millions of Users (VICE, Oct 21 2020)
Researchers found several apps using an outdated version of an SDK made by Twitter-owned MoPub.
Serious Vulnerability in GitHub Enterprise Earns Researcher $20,000 (SecurityWeek, Oct 20 2020)
A security researcher says he has earned $20,000 for a high-severity GitHub Enterprise vulnerability that might have allowed an attacker to execute arbitrary commands.
Global spending on cloud services to surpass $1 trillion in 2024 (Help Net Security, Oct 20 2020)
The COVID-19 pandemic has largely proven to be an accelerator of cloud adoption and extension and will continue to drive a faster conversion to cloud-centric IT. Global spending on cloud services to rise According to IDC, total global spending on cloud services, the hardware and software components underpinning cloud services, and the professional and managed services opportunities around cloud services will surpass $1 trillion in 2024 while sustaining a double-digit compound annual growth rate
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Massive New Phishing Campaigns Target Microsoft, Google Cloud Users (Dark Reading, Oct 16 2020)
At least three campaigns are now underway.
Cloud environment complexity has surpassed human ability to manage (Help Net Security, Oct 18 2020)
IT leaders are increasingly concerned accelerated digital transformation, combined with the complexity of modern multicloud environments, is putting already stretched digital teams under too much pressure, a Dynatrace survey of 700 CIOs reveals. This leaves little time for innovation, and limits teams’ ability to prioritize tasks that drive greater value and better outcomes for the business and its customers.
#InfosecurityOnline: How to Implement Effective Cloud Security (Infosecurity Magazine, Oct 20 2020)
What best practices have emerged to secure the cloud environment?
Orgs Struggling to Secure SaaS Applications Following Shift to the Cloud (Infosecurity Magazine, Oct 20 2020)
Two-thirds of IT pros have less time to secure SaaS applications
Moving to the cloud with a security-first, zero trust approach (Help Net Security, Oct 21 2020)
Many companies tend to jump into the cloud before thinking about security. They may think they’ve thought about security, but when moving to the cloud, the whole concept of security changes. The security model must transform as well. Moving to the cloud and staying secure Most companies maintain a “castle, moat, and drawbridge” attitude to security.
The multi-headed hydra of cloud resilience (Gartner, Oct 21 2020)
Operations folks know: Everything breaks. Physical stuff fails, software is buggy, and people screw up (a lot). A provider can try its best to reduce the number of failures, limit the “blast radius” of a problem, limit the possibility of “cascading failures”, and find ways to mitigate the impact on users. But you can’t avoid failure entirely. Systems that are resilient recover quickly from failure.
Use AWS Firewall Manager to deploy protection at scale in AWS Organizations (AWS Security Blog, Oct 14 2020)
Security teams that are responsible for securing workloads in hundreds of Amazon Web Services (AWS) accounts in different organizational units aim for a consistent approach across AWS Organizations. Key goals include enforcing preventative measures to mitigate known security issues, having a central approach for notifying the SecOps team about potential distributed denial of service (DDoS)…
Managing the competing demands of development velocity and application security (SC Media, Oct 21 2020)
Nearly half of the respondents to the Modern Application Development Security Survey, conducted by Enterprise Strategy Group (ESG), state their organizations regularly push vulnerable code to production. Not surprisingly, for over half of those teams, tight delivery schedules and critical deadlines are the main contributing factor.
Theory and practice of web application security efforts in organizations worldwide (Help Net Security, Oct 15 2020)
75% of executives believe their organization scans all web applications for security vulnerabilities, while nearly 50% of security staff say they don’t, a Netsparker survey reveals. Web application security efforts are insufficient Even more concerning, over 60% of DevOps respondents indicate that new security vulnerabilities are being found faster than they can be fixed, indicating that web application security efforts are insufficient.
TikTok Launches Public Bug Bounty Program (SecurityWeek, Oct 16 2020)
TikTok announced this week that it has launched a public bug bounty program in collaboration with HackerOne.
Safari, other mobile browsers affected by address bar spoofing flaws (Help Net Security, Oct 21 2020)
Security researcher Rafay Baloch has discovered address bar spoofing vulnerabilities in several mobile browsers, which could allow attackers to trick users into sharing sensitive information through legitimate-looking phishing sites. “With ever growing sophistication of spear phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal,” he noted.
Chrome Update Patches Actively Exploited FreeType Vulnerability (SecurityWeek, Oct 21 2020)
A Chrome 86 update released by Google on Tuesday patches several high-severity vulnerabilities, including a zero-day that has been exploited in the wild.