A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Open Source Does Not Equal Secure (Schneier on Security, Dec 03 2020)
“Way back in 1999, I wrote about open-source software:

First, simply publishing the code does not automatically mean that people will examine it for security flaws. Security researchers are fickle and busy people. They do not have the time to examine every piece of source code that is published. So while opening up source code is a good thing, it is not a guarantee of security. I could name a dozen open source security libraries that no one has ever heard of, and no one has ever evaluated.”

Three common cloud encryption questions and their answers on AWS (AWS Security Blog, Dec 07 2020)
At Amazon Web Services (AWS), we encourage our customers to take advantage of encryption to help secure their data. Encryption is a core component of a good data protection strategy, but people sometimes have questions about how to manage encryption in the cloud to meet the growth pace and complexity of today’s enterprises.

Open Source Flaws Take Years to Find But Are Quick to Fix (Dark Reading, Dec 02 2020)
Companies need to embrace automation and dependency tracking to keep software secure, GitHub says in its annual security report.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Cloud Security Threats for 2021 (Dark Reading, Dec 03 2020)
Most of these issues can be remediated, but many users and administrators don’t find out about them until it’s too late.

The challenges of keeping a strong cloud security posture (Help Net Security, Dec 03 2020)
It’s simple – you can’t secure what you can’t see or don’t know about. In this interview, Badri Raghunathan, Director of Product Management for Container and Serverless Security at Qualys, talks about cloud security, and their approach for enabling global CISOs to focus on what’s most important. What are the main challenges organizations face when it comes to maintaining security architectures for the public cloud?

HackerOne making its debut in AWS Marketplace (Help Net Security, Dec 06 2020)
HackerOne announced that it is making its debut in AWS Marketplace. Amazon Web Services (AWS) customers can now find and purchase services from HackerOne in AWS Marketplace, a curated digital catalog of software, data, and services that run on AWS. HackerOne is one of the first comprehensive security solutions providers to quote and contract services in AWS Marketplace.

Cloud Security Firm Wiz Emerges From Stealth With $100M in Funding (SecurityWeek, Dec 09 2020)
Cloud security startup Wiz on Wednesday emerged from stealth mode with $100 million in Series A funding.

How to protect a self-managed DNS service against DDoS attacks using AWS Global Accelerator and AWS Shield Advanced (AWS Security Blog, Dec 08 2020)
“In this blog post, I show you how to improve the distributed denial of service (DDoS) resilience of your self-managed Domain Name System (DNS) service by using AWS Global Accelerator and AWS Shield Advanced.”

GE puts default password in radiology devices, leaving healthcare networks exposed (Ars Technica, Dec 08 2020)
Fixing the critical vulnerability isn’t straightforward and comes with its own risks.

Hiding Malware in Social Media Buttons (Schneier on Security, Dec 07 2020)
“Clever tactic:

This new malware was discovered by researchers at Dutch cyber-security company Sansec that focuses on defending e-commerce websites from digital skimming (also known as Magecart) attacks.

The payment skimmer malware pulls its sleight of hand trick with the help of a double payload structure where the source code of the skimmer script that steals customers’ credit cards will be concealed in a social sharing icon loaded as an HTML ‘svg’ element with a ‘path’ element as a container…”
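
The carrier trick described above is detectable because genuine SVG path data is a very small grammar. As an added example that is not from Sansec, Schneier's post or this newsletter, the Node.js script below scans raw markup for `path` elements whose `d` attribute contains anything other than path command letters, numbers, signs, decimal points, exponents, commas and whitespace, or which carry bare text content, or which hold a base64-looking blob. The sample HTML and the "payload" in it are constructed here from a harmless placeholder string; the character-set and base64 thresholds are this example's own heuristics, not anything Sansec published.

```javascript
// Added example (not from Sansec, Schneier, or the newsletter): a heuristic
// that flags <path> elements carrying something other than SVG path data.
// A genuine path's d="..." attribute uses only the command letters
// M Z L H V C S Q T A (either case), digits, '+', '-', '.', exponents,
// commas and whitespace. Base64, JavaScript, quotes or braces in that
// attribute, or raw text inside the element, suggest it is a carrier for a
// second-stage payload that a separate script decodes and evals.

const PATH_DATA_RE = /^[MmZzLlHhVvCcSsQqTtAa0-9.,+\-eE\s]*$/;

// True when s is plausible SVG path data by character set alone
// (this does not validate command arity, which is not needed here).
function looksLikePathData(s) {
  return PATH_DATA_RE.test(s);
}

// Rough test for a base64 blob: a long run of base64 alphabet, padding allowed.
function looksLikeBase64(s) {
  const t = s.replace(/\s+/g, "");
  return t.length >= 40 && /^[A-Za-z0-9+/]+={0,2}$/.test(t);
}

// Scan raw markup for <path> elements and return one finding per suspicious
// element. Regex-based so it runs in Node without a DOM, which is enough for a
// server-side sweep of templates or of pages fetched from your own storefront.
function findSuspiciousPaths(html) {
  const findings = [];
  const pathRe = /<path\b([^>]*?)(?:\/>|>([\s\S]*?)<\/path>)/gi;
  let m;
  while ((m = pathRe.exec(html)) !== null) {
    const attrs = m[1] || "";
    // Child elements such as <title> or <animate> are legitimate inside a
    // path; only bare text nodes are odd, so strip children before checking.
    const text = (m[2] || "")
      .replace(/<([A-Za-z][\w:-]*)\b[^>]*>[\s\S]*?<\/\1\s*>/g, "")
      .replace(/<[^>]*>/g, "")
      .trim();
    const dMatch = /(?:^|\s)d\s*=\s*"([^"]*)"/i.exec(attrs);
    const d = dMatch ? dMatch[1] : "";
    const reasons = [];
    if (d && !looksLikePathData(d)) reasons.push("d attribute is not path data");
    if (text.length > 0) reasons.push("path element carries text content");
    if (looksLikeBase64(d) || looksLikeBase64(text)) reasons.push("base64-like payload");
    if (reasons.length > 0) {
      findings.push({ offset: m.index, reasons, snippet: m[0].slice(0, 80) });
    }
  }
  return findings;
}

// Constructed sample: one genuine share icon and one whose <path> hides a
// base64 blob. The blob is built from a harmless placeholder string; it is
// not real skimmer code.
const FAKE_PAYLOAD_B64 = Buffer.from(
  "/* constructed placeholder, not a real skimmer */ console.log('stub');"
).toString("base64");

const SAMPLE_HTML = `
<a class="share twitter"><svg viewBox="0 0 24 24"><path d="M12 2L2 7l10 5 10-5-10-5z"/></svg></a>
<a class="share facebook"><svg viewBox="0 0 24 24"><path d="M0 0h24v24H0z">
${FAKE_PAYLOAD_B64}
</path></svg></a>
`;

for (const f of findSuspiciousPaths(SAMPLE_HTML)) {
  console.log(`offset ${f.offset}: ${f.reasons.join("; ")}\n  ${f.snippet}`);
}
```

Run it as-is to see the second icon flagged on both the text-content and base64 heuristics while the first passes. The check is deliberately narrow: it only catches payloads stashed in `path` elements, which is the structure the quoted report describes. A skimmer that moves its blob to another attribute or element, or that is injected at runtime rather than present in served markup, needs a different control, such as monitoring outbound requests from the checkout page or a content security policy that blocks `eval`-style decoding.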

Google patches four high-severity flaws in Chrome (WeLiveSecurity, Dec 08 2020)
The new release patches a total of eight vulnerabilities affecting the desktop versions of the popular browser.

WordPress 5.6 Introduces a New Risk to Your Site: What to Do (Wordfence, Dec 09 2020)
Application passwords open up exciting new possibilities for WordPress, but may be prone to social engineering.

Open Source Developers Still Not Interested in Secure Coding (Dark Reading, Dec 08 2020)
Security and development are still two different worlds, with open source developers resistant to spending time finding and fixing vulnerabilities.

Microsoft’s GitHub adds dependency review to new code submitted from programmers (SC Media, Dec 09 2020)
Modern software is typically a patchwork of interdependent code from multiple sources. GitHub will now deliver an advanced warning of potential vulnerabilities detected so programmers can catch issues early on.