A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Is Your Browser Extension a Botnet Backdoor? (Krebs on Security, Mar 01 2021)
A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.

How to protect sensitive data for its entire lifecycle in AWS (AWS Security Blog, Feb 26 2021)
“Many Amazon Web Services (AWS) customer workflows require ingesting sensitive and regulated data such as Payments Card Industry (PCI) data, personally identifiable information (PII), and protected health information (PHI). In this post, I’ll show you a method designed to protect sensitive data for its entire lifecycle in AWS. This method can help enhance your data security posture and be useful for fulfilling the data privacy regulatory requirements applicable to your organization for data protection at-rest, in-transit, and in-use.”

Attackers Turn Struggling Software Projects Into Trojan Horses (Dark Reading, Feb 26 2021)
While access to compromised systems has become an increasingly common service, some cybercriminals are going straight to the source: buying code bases and then updating the application with malicious code.


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Cybercriminals continue to target trusted cloud apps (Help Net Security, Mar 01 2021)
The majority of all malware is now delivered via cloud applications, underscoring how attackers increasingly abuse popular cloud services to evade legacy security defenses, putting enterprise data increasingly at risk, Netskope research reveals. “Cybercriminals increasingly abuse the most trusted and popular cloud apps, especially for cloud phishing and cloud malware delivery,” said Ray Canzanese, Threat Research Director at Netskope.

Announcing the Risk Protection Program: Moving from shared responsibility to shared fate (Google Cloud Blog, Mar 02 2021)
“At Google Cloud, our mission is to enable organizations around the world to transform their business using digital technology. We want to make it easy for organizations to transition even their most sensitive workloads onto our platform, and that includes navigating risk management in the ever-evolving cloud-native environment. Working closely with customers to deliver better security and risk outcomes is a core pillar of our strategy to be the most Trusted Cloud provider. We are committed to delivering a more secure experience to our customers and enhancing trust in the cloud ecosystem.”

Delivering the industry’s most Trusted Cloud (Google Cloud Blog, Mar 02 2021)
“Google Cloud is a leader in security, and with the recent revelations about the attacks on the software supply chain impacting governments and other organizations, customers need confidence in the providers to whom they entrust their mission-critical processes and information assets.”

New Cloud Security Podcast by Google is here (Google Cloud Blog, Feb 25 2021)
“Security continues to be top of mind for large enterprises as well as smaller organizations and businesses. Furthermore, cloud security continues to puzzle many security leaders and technologists. That is why we are excited to announce the launch of the Cloud Security Podcast by Google.”

Why Cloud Security Risks Have Shifted to Identities and Entitlements (Dark Reading, Mar 02 2021)
Traditional security tools focus on the network perimeter, leaving user and service accounts vulnerable to hackers.

Telemarketing Biz Exposes 114,000 in Cloud Config Error (Infosecurity Magazine, Mar 03 2021)
Call recordings of clients and customers on unsecured bucket

Essential security for everyone: Building a secure AWS foundation (AWS Security Blog, Mar 02 2021)
“In this post, I will show you how teams of all sizes can gain access to world-class security in the cloud without a dedicated security person in your organization. I look at how small teams can build securely on Amazon Web Services (AWS) in a way that’s cost effective and time efficient. I show you the key elements to create a foundation with good security controls, and how you can then use that foundation as a base to build a secure workload upon. In this post, I will also share a lab guide to get you started today. It may look like a lot of work but I ran this as a day-long workshop across Australia in 2019 reaching many start-ups and small businesses. The majority of them implemented the guide by mid-afternoon.”

TLS 1.2 will be required for all AWS FIPS endpoints beginning March 31, 2021 (AWS Security Blog, Mar 01 2021)
To help you meet your compliance needs, we’re updating all AWS Federal Information Processing Standard (FIPS) endpoints to a minimum of Transport Layer Security (TLS) 1.2. We have already updated over 40 services to require TLS 1.2, removing support for TLS 1.0 and TLS 1.1.

Why so many companies still find moving to DevSecOps hard (SC Media, Mar 01 2021)
Security pros face great challenges in managing all the products and tools they use to handle the cyber risks they face. How should they split the budget between tools and people?

Does DevSecOps Require Observability to Get the Job Done? (IT Pro, Mar 02 2021)
A panel at DeveloperWeek took a look at potential exposure organizations may face if their DevSecOps cycle does not include observability of apps.

What teamwork can do for application security (SC Media, Feb 25 2021)
Sentara Healthcare has had great success creating a DevSecOps culture. Today’s columnist, Christian van den Branden of ZeroNorth, writes about how development and application teams must cooperate to deliver more effective security.

Quarter of Healthcare Apps Contain High Severity Bugs (Infosecurity Magazine, Mar 02 2021)
Veracode urges more regular scanning of applications

Flaws fixed incorrectly, as secure coding education lags (SC Media, Mar 01 2021)
Broken access control and broken object level authorization vulnerabilities have proven the most difficult to fix, while fixes for command injection and SQL injection flaws are most often incorrect.

Rookie coding mistake prior to Gab hack came from site’s CTO (Ars Technica, Mar 02 2021)
Site executive introduces, then removes, insecure code, then hides the evidence.