A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Top 10 blog posts of 2020 (AWS Security Blog, Feb 09 2021)
The top 10 posts of 2020
Use AWS Lambda authorizers with a third-party identity provider to secure Amazon API Gateway REST APIs
How to use trust policies with IAM roles
How to use G Suite as an external identity provider for AWS SSO
Top 10 security items to improve in your AWS account
Automated response and remediation with AWS Security Hub
How to add authentication to a single-page web application with Amazon Cognito OAuth2 implementation
Get ready for upcoming changes in the AWS Single Sign-On user sign-in process
TLS 1.2 to become the minimum for all AWS FIPS endpoints
How to use KMS and IAM to enable independent security controls for encrypted data in S3
Use AWS Firewall Manager VPC security groups to protect your applications hosted on EC2 instances

Google Paid Out $6.7 Million in Bug Bounty Rewards in 2020 (SecurityWeek, Feb 05 2021)
Google this week said it paid out more than $6.7 million in rewards as part of its bug bounty programs in 2020.

Malicious Chrome and Edge add-ons had a novel way to hide on 3 million devices (Ars Technica, Feb 03 2021)
28 malicious extensions disguised traffic as Google Analytics data.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

New ‘Hildegard’ Malware Targets Kubernetes Systems (SecurityWeek, Feb 04 2021)
The hacking group referred to as TeamTNT has been employing a new piece of malware in a recently started campaign targeting Kubernetes environments, security researchers with Palo Alto Networks’ Unit 42 reveal.

Use new account assignment APIs for AWS SSO to automate multi-account access (AWS Security Blog, Feb 08 2021)
“In this blog post, we’ll show how you can programmatically assign and audit access to multiple AWS accounts for your AWS Single Sign-On (SSO) users and groups, using the AWS Command Line Interface (AWS CLI) and AWS CloudFormation.”

Innovations for a more secure U.S. microelectronics supply chain (Microsoft Azure Blog, Feb 04 2021)
Keeping up with the rapid pace of technology innovation today requires equal advances in the pace of development of new microelectronics.

An Observability Pipeline Could Save Your SecOps Team (Dark Reading, Feb 03 2021)
Traditional monitoring approaches are proving brittle as security operations teams need better visibility into dynamic environments.

What you can learn in our Q1 2021 Google Cloud Security Talks (Cloud Blog, Feb 10 2021)
Join us for our first Google Cloud Security Talks of 2021, a live online event on March 3rd where we’ll help you navigate the latest in cloud security.
We’ll share expert insights into our security ecosystem and cover the following topics:
Sunil Potti and Rob Sadowski will kick off Security Talks on March 3rd.
Thomas Kurian and Juan Rajlin join us for a conversation on overcoming risk management challenges in the Cloud.
This will be followed by a roundtable to get insight into cloud risk manageme

Is $50,000 for a Vulnerability Too Much? (Dark Reading, Feb 04 2021)
Lofty bug bounties catch attention, but don’t alleviate the application security flaws they are trying to solve.

Patch Imperfect: Software Fixes Failing to Shut Out Attackers (Dark Reading, Feb 03 2021)
Incomplete patches are allowing attackers to continue exploiting the same vulnerabilities, reducing the cost to compromise.

API security concerns hindering new application rollouts (Help Net Security, Feb 04 2021)
66% of organizations admit to having slowed the rollout of a new application into production because of API security concerns, a Salt Security report reveals. In addition, 54% of organizations running production APIs have at best only a basic strategy for API security, with 27% having no strategy at all. “In today’s digital economy, APIs are the direct gateway to organizations’ most critical data and assets.

Enterprises average one root access orphan key on every enterprise server (Help Net Security, Feb 05 2021)
SSH machine identities are critical to digital transformation strategies, as they authenticate privileged access between machines and are ubiquitous across enterprise networks. While CIOs say they are concerned about the security risks SSH machine identities pose, survey data indicates they seriously underestimate the scope of these risks.

Security Researchers Push for ‘Bug Bounty Program of Last Resort’ (Dark Reading, Feb 05 2021)
An international program that pays out hefty sums for the discovery of software vulnerabilities could spur greater scrutiny of applications and lead to better security.

Google pitches security standards for ‘critical’ open-source projects (SC Media, Feb 08 2021)
In a post-SolarWinds era, less structured projects are extremely vulnerable to malicious forces and human error, the software giant argues.

Thanks for finding a critical bug. Have a $1.5 million bounty, and our CTO will get a tattoo of anything you like (Graham Cluley, Feb 08 2021)
It’s not that unusual for a company to reward you handsomely if you find a vulnerability that could have lost them millions of dollars, but it’s not often you also get the CTO offering to get a tattoo in your honour…

Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks (SecurityWeek, Feb 10 2021)
Security researcher Alex Birsan discovered a way to breach tens of organizations through software dependencies, and he earned tens of thousands of dollars in bug bounties from Microsoft, Apple and some of the other affected companies.