A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Mimecast says SolarWinds hackers breached its network (Ars Technica, Mar 16 2021)
Mimecast-issued certificate used to connect to customers’ Microsoft 365 tenants.

Validate access to your S3 buckets before deploying permissions changes with IAM Access Analyzer (AWS Security Blog, Mar 10 2021)
“AWS Identity and Access Management (IAM) Access Analyzer helps you monitor and reduce access by using automated reasoning to generate comprehensive findings for resource access. Now, you can preview and validate public and cross-account access before deploying permission changes. For example, you can validate whether your S3 bucket would allow public access before deploying your…”

Mitigating leaked personal access tokens (PATs) found on GitHub public repositories (Azure DevOps Blog, Mar 10 2021)
Personal access tokens (PATs) make it easy to integrate your tools with Azure DevOps or extend Azure DevOps functionality for your business needs. However, like other authentication credentials, personal access tokens need to be stored securely. Leaked tokens could compromise your Azure DevOps account and data…

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

CCSK Success Stories: From a Cloud Digital Security Architect (Cloud Security Alliance, Mar 11 2021)
“In this blog series we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage the Certificate of Cloud Security Knowledge (CCSK) in their current roles. In this blog we’ll be interviewing Yogesh, a Cloud Digital Security Architect at Mashreq Bank in the United Arab Emirates (UAE).”

Transform data to secure it: Use Cloud DLP (Google Cloud Blog, Mar 11 2021)
“When you want to protect data in-motion, at rest or in use, you usually think about data discovery, data loss detection and prevention. Few would immediately consider transforming or modifying data in order to protect it.

But doing so can be a powerful and relatively easy tactic to prevent data loss. Our data security vision includes transforming data to secure it, and that’s why our DLP product includes powerful data transformation capabilities.

So what are some data modification techniques that you can use to protect your data and the use cases for them?”

Getting your application security program off the ground (Help Net Security, Mar 11 2021)
IT and security professionals are increasingly concerned about attackers compromising their mission-critical applications. According to a recent Ponemon study, the reasons for that are many: more funds go towards protecting networks, security is not adequately emphasized during the development of new applications and often outright ignored, many are unable to quickly detect vulnerabilities and threats and to quickly perform patches on applications in production.

Can a Programming Language Reduce Vulnerabilities? (Dark Reading, Mar 12 2021)
Rust offers a safer programming language, but adoption is still a problem despite recent signs of increasing popularity.

The influence of the Agile Manifesto, 20 years on (Help Net Security, Mar 17 2021)
On 11th February 2001, many software delivery thought leaders came together in Snowbird, Utah, to discuss how to create processes that can enable enterprises to continuously deliver valuable software that satisfies their customers’ needs, and helps contribute to the overall goals of the business. While there were differences of opinion on the specific merits of one method over another, the attendees agreed that their shared values and beliefs dwarfed these differences.