A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Zero Trust architectures: An AWS perspective (AWS Security Blog, Nov 23 2020)
Our mission at Amazon Web Services (AWS) is to innovate on behalf of our customers so they have less and less work to do when building, deploying, and rapidly iterating on secure systems. From a security perspective, our customers seek answers to the ongoing question…
A Security Engineer’s Quest to Find 365 Bugs in Microsoft Office 365 (VICE, Nov 24 2020)
He’s almost there, too, with about 310 bugs found so far.
Facebook Paid Out $11.7 Million in Bug Bounties Since 2011 (SecurityWeek, Nov 20 2020)
Social media giant Facebook this week announced that it has paid out more than $11.7 million in bug bounties since 2011. To date, more than 50,000 researchers signed up for the company’s bug bounty program, and approximately 1,500 of them, from 107 countries, have received a bug bounty reward, the company says.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
93% of businesses are worried about public cloud security (Help Net Security, Nov 18 2020)
Bitglass released a report which uncovers whether organizations are properly equipped to defend themselves in the cloud. IT and security professionals were surveyed to understand their top security concerns and identify the actions that enterprises are taking to protect data in the cloud.
Faith App Pray.com Exposes Millions Through Cloud Misconfig (Infosecurity Magazine, Nov 20 2020)
Researchers at vpnMentor claim most of those affected weren’t even users
#COVID19 Drives Massive Multi-Cloud Adoption (Infosecurity Magazine, Nov 23 2020)
AWS regional centers in the US and EU were top targets for attackers
Canonical publishes set of secure container application images (Help Net Security, Nov 24 2020)
Canonical has published the LTS Docker Image Portfolio, a curated set of secure container application images, on Docker Hub. The LTS Docker Image Portfolio comes with up to ten years Extended Security Maintenance by Canonical. “LTS Images are built on trusted infrastructure, in a secure environment, with guarantees of stable security updates,” said Mark Lewis, VP Application Services at Canonical.
Prevention Is Better Than the Cure When Securing Cloud-Native Deployments (Dark Reading, Nov 25 2020)
The “OODA loop” shows us how to secure cloud-native deployments and prevent breaches before they occur.
New – Code Signing, a Trust and Integrity Control for AWS Lambda (AWS News Blog, Nov 23 2020)
Code signing is an industry standard technique used to confirm that the code is unaltered and from a trusted publisher. Code running inside AWS Lambda functions is executed on highly hardened systems and runs in a secure manner.
Announcement: Availability of AWS Recommendations for the management of AWS root account credentials (AWS Security Blog, Nov 18 2020)
When AWS customers open their first account, they assume the responsibility for securely managing access to their root account credentials, under the Shared Responsibility Model.
Bumble bugs could have exposed personal data of all users (WeLiveSecurity, Nov 19 2020)
The information at risk of theft due to API flaws included people’s pictures, locations, dating preferences and Facebook data
Abusive add-ons aren’t just a Chrome and Firefox problem. Now it’s Edge’s turn (Ars Technica, Nov 20 2020)
Edge users take to social media to report their Web searches are being hijacked.
Bug Allowed Hackers to Get Anyone’s Email Address on Xbox Live (VICE, Nov 25 2020)
Microsoft patched a bug that allowed hackers to reveal the email address used to register any Xbox gamertag.