A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Google Says Chrome Cookie Replacement Plan Making Progress (SecurityWeek, Jan 26 2021)
Google says it’s making progress on plans to revamp Chrome user tracking technology aimed at improving privacy even as it faces challenges from regulators and officials.

Pwn2Own 2021: Hackers Offered $200,000 for Zoom, Microsoft Teams Exploits (SecurityWeek, Jan 27 2021)
Trend Micro’s Zero Day Initiative (ZDI) on Tuesday announced the targets, prizes and rules for the Pwn2Own Vancouver 2021 hacking competition, a hybrid event scheduled to take place on April 6-8.

Bot Lets Hackers Easily Lookup Facebook Users’ Phone Numbers (VICE, Jan 25 2021)
The person selling access to the service claims it has data on 500 million Facebook users.


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Security Biggest Barrier to Cloud Adoption for Over Half of UK Firms (Infosecurity Magazine, Jan 21 2021)
28% of organizations have been targeted by a cloud hacking attempt since the pandemic began.

Reliance on cloud, APIs create confusion and introduce risk into software development (SC Media, Jan 20 2021)
Businesses are increasingly hosting their applications in public or private clouds while using APIs to speed up the development process. Both shifts come with security implications.

Cloud Jacking: The Bold New World of Enterprise Cybersecurity (Dark Reading, Jan 21 2021)
Increased reliance on cloud computing puts more weight on robust authentication systems to protect data against hijackers.

Cloud Controls Matrix v4 adds 60+ new cloud security controls (Help Net Security, Jan 22 2021)
The Cloud Security Alliance (CSA) announced the availability of version 4 of the Cloud Controls Matrix (CCM), CSA’s cybersecurity framework for cloud computing. The CCM v4 includes additional cloud security and privacy-related controls and encompasses coverage of requirements deriving from new cloud technologies, improved control auditability, enhanced interoperability and compatibility with other standards, and expanded support offerings to navigate the cloud shared responsibility model.

Hackers hijacked cloud accounts of high-tech and aviation firms, hid in systems for years (SC Media, Jan 21 2021)
The effectiveness of this operation serves as a reminder of the risks of openly sharing and storing plain-text network credentials or sensitive network access instructions on internet-accessible apps or servers.

Speed of Digital Transformation May Lead to Greater App Vulnerabilities (Dark Reading, Jan 22 2021)
The fastest-moving industries are struggling to produce secure code, according to AppSec experts.

AWS is the first global cloud service provider to comply with the new K-ISMS-P standard (AWS Security Blog, Jan 25 2021)
We’re excited to announce that Amazon Web Services (AWS) has achieved certification under the Korea-Personal Information & Information Security Management System (K-ISMS-P) standard (effective from December 16, 2020 to December 15, 2023).

Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools (AWS DevOps Blog, Jan 21 2021)
DevOps is a combination of cultural philosophies, practices, and tools that combine software development with information technology operations. These combined practices enable companies to deliver new application features and improved services to customers at a higher velocity. DevSecOps takes this a step further, integrating security into DevOps.

How Cloud Services Are Exploited for Cyber-Espionage (Infosecurity Magazine, Jan 27 2021)
A number of recent cyber-espionage campaigns share common characteristics

DevSecOps Implementation: SIEM (DevOps, Jan 27 2021)
The world is filled with events. Our inbox floods with events that marketers really want us to pay attention to, while news feeds flood us with events they are trying to raise above the background noise; then the dog barking interrupts our consumption of that information.

Bugs Allowed Hackers to Hijack Kindle Accounts With Malicious Ebooks (VICE, Jan 21 2021)
The flaws that potentially allowed hackers to spend money using victims’ credit cards are now fixed.

Retail and hospitality sector fixing software flaws at a faster rate than others (Help Net Security, Jan 22 2021)
The retail and hospitality sector is fixing software flaws at a faster rate than five other sectors, a Veracode analysis of more than 130,000 applications reveals.

Organizations struggle to maintain application security across platforms (Help Net Security, Jan 22 2021)
Global organizations are struggling to maintain consistent application security across multiple platforms, and they are also losing visibility with the emergence of new architectures and the adoption of APIs, Radware reveals.

Former LulzSec Hacker Releases VPN Exploit Used to Hack Hacking Team (VICE, Jan 25 2021)
A security researcher has released an exploit for SonicWall VPNs that was originally found by Phineas Fisher in 2015.