A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Hacker Earns $2m in Bug Bounties (Infosecurity Magazine, Dec 24 2020)
Romanian man earns $2m through HackerOne and becomes richest bug bounty hunter in the world

Amazon Has Trucks Filled with Hard Drives and an Armed Guard (Schneier on Security, Jan 04 2021)
“Plus, we make it easy to migrate and difficult to leave. If you have a ton of data in your data center and you want to move it to AWS but you don’t want to send it over the internet, we’ll send an eighteen-wheeler to you filled with hard drives, plug it into your data center with a fiber optic cable, and then drive it across the country to us after loading it up with your data.

What? How do you do that?

We have a product called Snowmobile. It’s a gas-guzzling truck. There are no public pictures of the inside, but it’s pretty cool. It’s like a modular datacenter on wheels. And customers rightly expect that if they load a truck with all their data, they want security for that truck. So there’s an armed guard in it at all times.”

Re:Invent – New security sessions launching soon (AWS Security Blog, Jan 06 2021)
You can stream all the sessions released in 2020 via the AWS re:Invent website. Additionally, we’re starting 2021 with all new sessions that you can stream live January 12–15. Here are the new Security, Identity, and Compliance sessions—each session is offered at multiple times, so you can find the time that works best for your location and schedule.


Happy New Year!
Hello 2021! Since I started this curated newsletter in June 2017, I’ve clipped ~18,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype.
Thanks! – Lucas Samaras



Misconfigured AWS Bucket Exposes Hundreds of Social Influencers (Infosecurity Magazine, Dec 24 2020)
Victims could be targeted by stalkers and fraudsters

New cloud-native approaches help companies manage cloud security and compliance (SC Media, Dec 30 2020)
Starbucks made a bold bet on the cloud years ago, creating a unified platform for both commerce and customer loyalty. Today it embodies a “digital flywheel” built around the Starbucks mobile app, and it’s something I was intimately involved in creating as the company’s principal security architect and then director of cloud engineering.

SolarWinds hack poses risk to cloud services’ API keys and IAM identities (SC Media, Jan 04 2021)
The SolarWinds hack endangers not just organizations’ on-premises systems but also their cloud-based infrastructure.


Cloud Workload Security: Part 2 – Security Features of AWS (Cloud Security Alliance, Dec 28 2020)
In Part 1, we discussed what you need to focus on when developing your cloud security strategy, along with some controls you should consider and the best approach for implementing them. The rest of the series aims to explore the security tools and services delivered by the three leading cloud platforms—Azure, AWS, and GCP.

Here in Part 2, we’ll focus on the features and limitations of the security solutions offered by Amazon Web Services (AWS).

COVID-19’s Acceleration of Cloud Migration & Identity-Centric Security (Dark Reading, Jan 04 2021)
Here are some tips for updating access control methods that accommodate new remote working norms without sacrificing security.

DevSecOps: Bringing Compliance to DevOps (DevOps, Dec 22 2020)
DevOps and SecOps should align on three key objectives: collaboration, communication and integration.

The Best IAM Practices for DevOps (DevOps, Dec 22 2020)
As the scope and number of IAM objects grow, it may be hard to answer questions such as:

Are there inline policies?
Which policies are assigned to groups?
Can another person assume the role of other principals or users?
As a developer, there are different approaches you can use to ensure the IAM configuration is auditable, tidy and right-sized. Automation plays a key role in this case.
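As an added example of the automation the excerpt points to (not code from the DevOps article), the script below answers those three questions offline over a constructed snapshot shaped like `aws iam get-account-authorization-details` output; the user, group, role names and the account ID in it are made up.

```python
# Constructed sample in the shape of `aws iam get-account-authorization-details`
# output, trimmed to the fields this audit reads; not real account data.
SNAPSHOT = {
    "UserDetailList": [{"UserName": "alice", "UserPolicyList": [{"PolicyName": "alice-inline"}]},
                       {"UserName": "bob", "UserPolicyList": []}],
    "GroupDetailList": [{"GroupName": "devs", "GroupPolicyList": [],
                         "AttachedManagedPolicies": [{"PolicyName": "PowerUserAccess"}]}],
    "RoleDetailList": [
        {"RoleName": "deploy", "RolePolicyList": [{"PolicyName": "deploy-inline"}],
         "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": "arn:aws:iam::111111111111:user/alice"}}]}},
        {"RoleName": "lambda-exec", "RolePolicyList": [],
         "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "lambda.amazonaws.com"}}]}},
    ],
}

# Q1: who carries inline policies? They live on the principal instead of as
# reusable managed policies, so they are easy to miss in a review.
def inline_policies(snap):
    out = {}
    for kind, key, name in (("UserDetailList", "UserPolicyList", "UserName"),
                            ("GroupDetailList", "GroupPolicyList", "GroupName"),
                            ("RoleDetailList", "RolePolicyList", "RoleName")):
        for e in snap.get(kind, []):
            names = [p["PolicyName"] for p in e.get(key, [])]
            if names:
                out[e[name]] = names
    return out

# Q2: which managed policies are attached to each group?
def group_policies(snap):
    return {g["GroupName"]: [p["PolicyName"] for p in g.get("AttachedManagedPolicies", [])]
            for g in snap.get("GroupDetailList", [])}

# Q3: which roles can be assumed by IAM principals (users, roles, accounts, or "*")
# rather than only by an AWS service? Statement/Action/AWS may be a value or a list.
def assumable_by_iam_principals(snap):
    out = {}
    for role in snap.get("RoleDetailList", []):
        stmts = role.get("AssumeRolePolicyDocument", {}).get("Statement", [])
        for st in ([stmts] if isinstance(stmts, dict) else stmts):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if st.get("Effect") != "Allow" or not set(actions) & {"sts:AssumeRole", "sts:*", "*"}:
                continue
            principal = st.get("Principal", {})
            aws = ["*"] if principal == "*" else principal.get("AWS", [])
            aws = [aws] if isinstance(aws, str) else aws
            if aws:
                out.setdefault(role["RoleName"], []).extend(aws)
    return out
```

Feeding the real command's JSON output into the same three functions turns the excerpt's questions into a repeatable check that can run in CI.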

Three ways formal methods can scale for software security (Help Net Security, Jan 04 2021)
Security is not like paint: it can’t just be applied after a system has been completed. Instead, security has to be built into the system design. But how can we know that a system design is secure against a particular attack? And how can we know that the system implements that design correctly? The key problem, on one hand, is that system design specifications are often ambiguous and incomplete, with specifications (if they exist…)

6 Open Source Tools for Your Security Team (Dark Reading, Jan 06 2021)
Open source tools can be great additions to your cloud security arsenal. Here are a half-dozen to get you started.