A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

CISA Warns Organizations About Attacks on Cloud Services (SecurityWeek, Jan 14 2021)
In light of successful cyberattacks targeting organizations’ cloud services, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a series of recommendations on how businesses can improve their cloud security.

Most containers are running as root, which increases runtime security risk (Help Net Security, Jan 14 2021)
While container usage reveals organizations are shifting left by scanning images during the build phase, DevOps teams are still leaving their environments open to attack, according to Sysdig. The report also looks at trends, finding a 310 percent growth in container density since 2017, and reveals how organizations of all sizes and across industries are using and securing container environments.
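The root-by-default problem above is usually a missing or late `USER` instruction in the Dockerfile, and it is cheap to catch at build time. The following check is an added example (not code from the page or from Sysdig): it computes the user a final image will run as, following Dockerfile semantics (the last `USER` in the last `FROM` stage wins; no `USER` means root), and flags root or UID 0. The two Dockerfiles are constructed samples; the assumption that every `FROM` starts as root ignores base images that already set a non-root `USER`, which is the conservative choice for a gate.

```python
import re

# Constructed sample Dockerfiles (not from the page or from Sysdig's report).
WEAK_DOCKERFILE = """\
FROM python:3.11-slim
COPY app.py /app/app.py
CMD ["python", "/app/app.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.11-slim
RUN groupadd -r app && \\
    useradd -r -g app -u 10001 app
COPY --chown=app:app app.py /app/app.py
USER 10001:10001
CMD ["python", "/app/app.py"]
"""

ROOT_NAMES = {"root", "0"}

_USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE)
_FROM_RE = re.compile(r"^\s*FROM\s+", re.IGNORECASE)


def effective_user(dockerfile: str) -> str:
    """Return the user the final stage's CMD/ENTRYPOINT runs as.

    Dockerfile rules applied here: the last USER in the last FROM stage wins;
    with no USER the default is root. Backslash continuations and comment
    lines are handled. Assumption: every FROM resets to root (base images
    that set their own USER are treated as root, the conservative choice).
    ARG substitution in USER values is not resolved.
    """
    text = re.sub(r"\\\n", " ", dockerfile)          # join continued lines
    lines = [
        line for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]
    user = "root"
    for line in lines:
        if _FROM_RE.match(line):
            user = "root"                             # new build stage
        match = _USER_RE.match(line)
        if match:
            user = match.group(1)
    return user


def runs_as_root(dockerfile: str) -> bool:
    """True if the image's default process would run as root (name or UID 0)."""
    user_part = effective_user(dockerfile).split(":")[0]
    return user_part.lower() in ROOT_NAMES


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{label}: USER={effective_user(df)} root={runs_as_root(df)}")
```

Run it as a pre-merge check on every Dockerfile in the repository; an image that fails it should not be pushed. Note that a non-root `USER` does not by itself prevent privilege escalation if the container is also launched with `--privileged` or a wide capability set, so the runtime side still needs its own policy.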

Apple pulls the plug on user-found method to sideload iOS apps on Mac (Ars Technica, Jan 18 2021)
The now-nonviable method involved fetching the IPA file via apps like iMazing.


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



43% of financial services orgs plan to increase private cloud investments (Help Net Security, Jan 13 2021)
Nutanix announced the financial services industry findings of its report, measuring organizations’ plans for adopting private, hybrid and public clouds. The findings point to a digital transformation within the industry, with 50% of respondents reporting that COVID-19 caused them to increase their investment in hybrid cloud.

‘Chimera’ Threat Group Abuses Microsoft & Google Cloud Services (Dark Reading, Jan 14 2021)
Researchers detail a new threat group targeting cloud services to achieve goals aligning with Chinese interests.

Vulnerability management isn’t working for cloud security: Here’s how to do it right (Help Net Security, Jan 18 2021)
Three things in life are seemingly guaranteed: death, taxes and high-profile cloud security breaches. But there is no reason why public cloud or hybrid cloud breaches must remain so stubbornly persistent. The fact is that we understand why these incidents keep occurring: managing risk and vulnerabilities within dynamic cloud environments isn’t easy.

Does your cloud stack move faster than your cloud security solutions? (Help Net Security, Jan 20 2021)
According to Gartner, worldwide end-user spending on public cloud services is forecasted to grow by 18.4% in 2021 to a total of $304.9 billion, up from $257.5 billion in 2020. “The pandemic validated the cloud’s value proposition,” said Sid Nag, research vice president at Gartner.

DevSecOps Implementation: Intrusion Detection (DevOps, Jan 20 2021)
Originally, this series was just going to be four articles on the DevSec side of DevSecOps. There are many reasons for this, but primarily because that side is cleaner. The other reason is that these topics are beyond the work we were doing at Accelerated Strategies Group.

Enterprises move on from legacy approaches to software development (Help Net Security, Jan 18 2021)
Application development and maintenance services in the U.S. are evolving to meet changing demands from enterprises that need dynamic applications with rich user interfaces, according to a report published by Information Services Group.

Vulnerabilities in Popular DNS Software Allow Poisoning (Dark Reading, Jan 19 2021)
Seven flaws in Dnsmasq have limited impact on their own, but in combination they could be chained into a multistage attack.

Retail and Hospitality Facing Deluge of Critical Web App Flaws (Infosecurity Magazine, Jan 20 2021)
Sector has one of the worst rates of high severity bugs