A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

An Absurdly Basic Bug Let Anyone Grab All of Parler’s Data (Wired, Jan 12 2021)
The “free speech” social network also allowed unlimited access to every public post, image, and video.

The Hacker Who Archived Parler Explains How She Did It (and What Comes Next) (VICE, Jan 12 2021)
The hacker, donk_enby, explained that she only scraped what was publicly available: “I hope that it can be used to hold people accountable and to prevent more death.”

Widely Used Software Company May Be Entry Point for Huge U.S. Hacking (The New York Times, Jan 12 2021)
Russian hackers may have piggybacked on a tool developed by JetBrains, which is based in the Czech Republic, to gain access to federal government and private sector systems in the United States.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
How to make sure the switch to multicloud pays off (Help Net Security, Jan 08 2021)
By now, the benefits of adopting a multicloud approach are well and truly out of the bag. By working with two or more cloud providers, companies can pick and choose offerings from each to leverage the “best of all worlds”, all the while allowing for better contingency planning, avoiding vendor lock-in, and boosting their disaster recovery strategy.

Confidence in FedRAMP driving cloud deployments (Help Net Security, Jan 07 2021)
Maximus and Genesys announced the results of a new survey of federal, state, and local government officials about their cloud deployments. The findings reveal a greater understanding of where agencies are in their cloud adoption journey, how they perceive cloud solutions, and whether they are using FedRAMP (Federal Risk and Authorization Management Program) solutions in their cloud environments.

New Resources Define Cloud Security and Privacy Responsibilities (SecurityWeek, Jan 12 2021)
Data protection and compliance solutions provider HITRUST has announced the release of new Shared Responsibility Matrices for Amazon Web Services (AWS) and Microsoft Azure.

Best practices and advanced patterns for Lambda code signing (AWS Security Blog, Jan 12 2021)
Amazon Web Services (AWS) recently released Code Signing for AWS Lambda. By using this feature, you can help enforce the integrity of your code artifacts and make sure that only trusted developers can deploy code to your AWS Lambda functions.

Use AWS Secrets Manager to simplify the management of private certificates (AWS Security Blog, Jan 07 2021)
AWS Certificate Manager (ACM) lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Amazon Web Services (AWS) services and your internal connected resources.

4 best practices for ensuring privacy and security of your data in Cloud Storage (Google Cloud Blog, Jan 12 2021)
Cloud storage enables organizations to reduce costs and operational burden, scale faster, and unlock other cloud computing benefits. At the same time, they must also ensure they meet privacy and security requirements to restrict access and protect sensitive information. 

Navigating the trade-off between development speed and security (SC Media, Jan 07 2021)
Software companies succeed on their ability to ship valuable features quickly. Ideally, companies would give teams ample time to take security into consideration and think through all the implications of their code and configurations. But when the deadline pressure gets turned up, security becomes less of a priority.

Top 5 ‘Need to Know’ Coding Defects for DevSecOps (Dark Reading, Jan 08 2021)
Integrating static analysis into the development cycle can prevent coding defects and deliver secure software faster.

Bug Bounty Program Launched to Discover US Army Vulnerabilities (Infosecurity Magazine, Jan 07 2021)
Defense Digital Service is working with HackerOne to launch the new program.

Poor Software Quality Costs US $2.08tn (Infosecurity Magazine, Jan 06 2021)
ISQ estimates cost of poor software quality (CPSQ) in the US as $2.08tn in 2020

Google Pays Out Over $100,000 for Vulnerabilities Patched With Chrome 87 Update (SecurityWeek, Jan 07 2021)
An update released this week by Google for Chrome 87 patches 16 vulnerabilities, including 14 rated high severity. The company has awarded more than $100,000 for these vulnerabilities.

SQL injection: The bug that seemingly can’t be squashed (Help Net Security, Jan 11 2021)
If you’re in a hands-on cybersecurity role that requires some familiarity with code, chances are good that you’ve had to think about SQL injection over and over (and over) again. It’s a common vulnerability that – despite being easily remedied – continues to plague our software and, if left undetected before deployment, provides a small window of opportunity to would-be attackers. December 2020 marked SQL injection’s 22nd birthday (of sorts).

Facebook Awards Big Bounties for Invisible Post and Account Takeover Vulnerabilities (SecurityWeek, Jan 12 2021)
One researcher said he earned $30,000 from Facebook for finding a vulnerability that could have been exploited to create invisible posts on any page. The same amount was paid out to a different researcher for an account hijacking flaw.

United Nations Security Flaw Exposed 100K Staff Records (Dark Reading, Jan 12 2021)
Security researchers have disclosed a vulnerability they exploited to access more than 100,000 private employee records.

Healthcare Hit by 187 Million Monthly Web App Attacks in 2020 (Infosecurity Magazine, Jan 13 2021)
Imperva says attacks surged 51% in December alone.

Voting Machine Company Threatens Researchers for Exposing Valid Security Flaws (VICE, Jan 13 2021)
Election Systems and Software is sending cease and desist letters to organizations simply for highlighting proven security vulnerabilities.