A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Helping users keep their org secure w/ phone’s built-in security key (Google, Feb 16 2021)
“We want as many of our customers as possible to adopt this essential protection and to make them aware of potential risks they are exposed to if they don’t. That’s why today we’re launching a new Recommender into Active Assist, our portfolio of services that help teams operate and optimize their cloud deployments with proactive intelligence instead of unnecessary manual effort. This new “Account security” recommender will automatically detect when a user with elevated permissions, such as a Project Owner, is eligible to use their phone’s built-in security key to better protect their account, but has not yet turned on this important safeguard. “
Facebook Announces Payout Guidelines for Bug Bounty Program (SecurityWeek, Feb 16 2021)
Facebook on Tuesday announced several new features for its bug bounty program, including an educational resource and payout guidelines.
Tips for boosting the “Sec” part of DevSecOps (Help Net Security, Feb 17 2021)
The most significant barrier to achieving DevSecOps is the continued perception that “Sec” is not already a part of “Dev” and “Ops”, says James Arlen, CISO at cloud data platform provider Aiven. Also, the fact this needs to be explicitly called out is actually a barrier in itself.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
You’ve Got Cloud Security All Wrong: Managing Identity in a Cloud World (Dark Reading, Feb 12 2021)
In a hybrid and multicloud world, identity is the new perimeter and a critical attack surface for bad actors.
Facing high stakes, government agencies prioritize network and cloud security (SC Media, Feb 17 2021)
Remote work, an increase in cloud networking attacks and the complexity of IT infrastructure all heighten agencies’ vulnerability, according to new research. In response, many agencies increased IT budgets last year and will do so again this year.
Use tags to manage and secure access to additional types of IAM resources (AWS Security Blog, Feb 12 2021)
AWS Identity and Access Management (IAM) now enables Amazon Web Services (AWS) administrators to use tags to manage and secure access to more types of IAM resources, such as customer managed IAM policies, Security Assertion Markup Language (SAML) providers, and virtual multi-factor authentication (MFA) devices.
Cloud-Native Apps Make Software Supply Chain Security More Important Than Ever (Dark Reading, Feb 11 2021)
Cloud-native deployments tend to be small, interchangeable, and easier to protect, but their software supply chains require closer attention.