A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Google Discloses Details of GitHub Actions Vulnerability (SecurityWeek, Nov 04 2020)
Details on a vulnerability impacting GitHub Actions were made public this week by Google, following a 104-day disclosure deadline.

Bug Bounty Hunters’ Pro Tips on Chasing Vulns & Money (Dark Reading, Nov 05 2020)
From meditation to the right mindset, seasoned vulnerability researchers give their advice on how to maximize bug bounty profits and avoid burnout.

What is cloud security? How is it different from traditional on-premises network security? (Cloud Security Alliance, Nov 09 2020)
The 13 domains that comprise the CSA Security Guidance highlight areas of concern for cloud computing. They are tuned to address both the strategic and tactical security “pain points” within a cloud environment, and can be applied to any combination of cloud service and deployment model.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



How to secure your Amazon WorkSpaces for external users (AWS Security Blog, Nov 10 2020)
In response to the current shift towards a remote workforce, companies are providing greater access to corporate applications from a range of different devices. Amazon WorkSpaces is a desktop-as-a-service solution that can be used to quickly deploy cloud-based desktops to your external users, including employees, third-party vendors, and consultants.

AWS Security Profiles: Cassia Martin, Senior Security Solutions Architect (AWS Security Blog, Nov 09 2020)
In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting, and get a sneak peek at their work. How long have you been at AWS and what do you do in your current role?

New enhanced DNS features in Azure Firewall—now generally available (Microsoft Azure Blog, Nov 09 2020)
Custom DNS, DNS proxy, and FQDN filtering in network rules (for non-HTTP/S and non-MSSQL protocols) in Azure Firewall are now generally available. In this blog, we also share an example use-case on using DNS proxy with Private Link. Azure Firewall is a cloud-native firewall as a service (FWaaS) offering that allows you to centrally govern and log all your traffic flows using a DevOps approach.
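One caveat worth knowing before relying on the FQDN filtering described above: FQDN-based network rules only work when DNS proxy is enabled, because the firewall must resolve names to the same addresses the clients see. The Bicep below is an added example (not from the Microsoft blog) showing a minimal Azure Firewall with DNS proxy turned on and one network rule that allows SSH to a host by FQDN; the resource names, subnet and public IP parameters, source range and the FQDN are assumptions for illustration.

```bicep
// Added example, not from the Microsoft blog: Azure Firewall with DNS proxy
// enabled and an FQDN-based network rule. All names and addresses are assumed.
param location string = resourceGroup().location
param firewallSubnetId string      // resource ID of the AzureFirewallSubnet (assumed)
param firewallPublicIpId string    // resource ID of the firewall's public IP (assumed)

resource fw 'Microsoft.Network/azureFirewalls@2020-11-01' = {
  name: 'fw-hub'
  location: location
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Standard'
    }
    // DNS proxy is required for destinationFqdns in network rules: the firewall
    // answers client DNS queries itself, so rule lookups and client lookups agree.
    additionalProperties: {
      'Network.DNS.EnableProxy': 'true'
    }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: {
            id: firewallSubnetId
          }
          publicIPAddress: {
            id: firewallPublicIpId
          }
        }
      }
    ]
    networkRuleCollections: [
      {
        name: 'allow-ssh-by-fqdn'
        properties: {
          priority: 100
          action: {
            type: 'Allow'
          }
          rules: [
            {
              // Non-HTTP/S, non-MSSQL traffic filtered by name rather than IP.
              name: 'ssh-to-jump-host'
              protocols: [
                'TCP'
              ]
              sourceAddresses: [
                '10.1.0.0/24'                 // assumed workload subnet
              ]
              destinationFqdns: [
                'jump.example.internal'       // assumed FQDN
              ]
              destinationPorts: [
                '22'
              ]
            }
          ]
        }
      }
    ]
  }
}
```

For the proxy to take effect, the workload VNet's DNS setting must point at the firewall's private IP so that client resolutions flow through it; if clients keep resolving against a different server, a name-based rule can match a different address than the one the client connects to.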

GitHub’s source code was leaked on GitHub last night… sort of (Ars Technica, Nov 05 2020)
GitHub wasn’t actually compromised, despite appearances to the contrary.

Vulnerabilities Affect 100,000 Sites Using WordPress Plugin (Infosecurity Magazine, Nov 10 2020)
Critical privilege-escalation vulnerabilities impact 100,000 sites using WordPress plugin, Ultimate Member