A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Cloud has put security configuration errors in the spotlight (SC Media, Mar 04 2021)
Capital One was hit with an $80 million fine because of a cloud misconfiguration. Today’s columnist, Carolyn Crandall of Attivo Networks, offers insights on how to identify and prevent these errors.

Malicious NPM packages target Amazon, Slack with new dependency attacks (BleepingComputer, Mar 08 2021)
Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using the new ‘Dependency Confusion’ vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers.

Introducing Cloud Code Secret Manager Integration (Google Cloud Blog, Mar 09 2021)
“Storing secrets like database credentials and passwords in code is never secure. Wouldn’t it be great if your IDE tool could help you write more secure code? That’s why we’re excited to announce the new Cloud Code integration with Secret Manager!

Today, many applications require credentials to connect to a database, API keys to invoke a service, or certificates for authentication. Managing and securing access to these secrets is often complicated by secret sprawl, poor visibility, or lack of integrations. To help you build more secure applications, without the hassle of figuring out complicated ways to store you secrets, we built Secret Manager.”

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

32% of enterprises experienced unauthorized access to cloud resources (Help Net Security, Mar 04 2021)
A new report conducted by Dimensional Research revealed that 32% of enterprises experienced unauthorized access to cloud resources, and another 19% were unaware if unauthorized access occurred. This was found to be largely driven by poor enforcement of identity and access management (IAM) policies in the cloud.

​The Age of Collaborative Security (Cloud Security Alliance, Mar 09 2021)
“SecOps and DevOps are just outnumbering hackers 1 to 1000. By teaming up, we are unstoppable. Wallstreetbets just spanked a major hedge fund. If the street can beat the wall, then why not apply the same thinking to our industry? Crowds teaming together have revolutionized so many lines of work already: hospitality, GPS, jobs, friendships, dating, etc. But have we ever seen a movement in cybersecurity of regrouping a million people to rebalance the odds? Not yet.”

How to replicate secrets in AWS Secrets Manager to multiple Regions (AWS Security Blog, Mar 04 2021)
“On March 3, 2021, we launched a new feature for AWS Secrets Manager that makes it possible for you to replicate secrets across multiple AWS Regions. You can give your multi-Region applications access to replicated secrets in the required Regions and rely on Secrets Manager to keep the replicas in sync with the primary secret.”

Azure Defender for Storage powered by Microsoft threat intelligence (Microsoft Azure Blog, Mar 10 2021)
With the reality of working from home, more people and devices are now accessing corporate data across home networks.

How Enterprises are Developing Secure Applications (Dark Reading, Mar 03 2021)
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.

How SolarWinds Busted Up Our Assumptions About Code Signing (Dark Reading, Mar 03 2021)
With so much automation in code writing process, results are rarely double-checked, which opens the door to vulnerabilities and downright danger.

GitHub Informs Users of ‘Potentially Serious’ Authentication Bug (SecurityWeek, Mar 09 2021)
GitHub on Monday informed users that it had discovered what it described as an “extremely rare, but potentially serious” security bug related to how some authenticated sessions were handled.

Leaked Development Secrets a Major Issue for Repositories (Dark Reading, Mar 09 2021)
Every day, more than 5,000 private keys, database connection strings, certificates, and passwords are leaked to GitHub repositories, putting applications at risk.