A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Severe Flaws in Official ‘Facebook for WordPress’ Plugin (SecurityWeek, Mar 26 2021)
A critical vulnerability in the official Facebook for WordPress plugin could be abused to upload arbitrary files, essentially leading to remote code execution, according to a warning from security researchers at Wordfence.

#IMOS21: Six Components of a Bug Bounty Program (Infosecurity Magazine, Mar 25 2021)
Verizon Media’s Sean Poris outlines how to run a successful bug bounty scheme.

40% of Apps Leaking Information (Dark Reading, Mar 26 2021)
Apps in manufacturing most at risk, according to WhiteHat Security.


Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



IBM launches new and enhanced services to simplify hybrid cloud security (Help Net Security, Mar 24 2021)
IBM Security announced new and enhanced services designed to help organizations manage their cloud security strategy, policies and controls across hybrid cloud environments. The services bring together cloud-native, IBM and third-party technologies along with IBM expertise to help organizations create a unified security approach across their cloud ecosystems.

In the Rush to Embrace Hybrid Cloud, Don’t Forget About Security (Dark Reading, Mar 30 2021)
Cloud service providers typically only secure the infrastructure itself, while customers are responsible for their data and application security.

How to automate SCAP testing with AWS Systems Manager and Security Hub (AWS Security Blog, Mar 24 2021)
US federal government agencies use the National Institute of Standards and Technology (NIST) framework to provide security and compliance guidance for their IT systems. The US Department of Defense (DoD) also requires its IT systems to follow the Security Technical Implementation Guides (STIGs) produced by the Defense Information Systems Agency (DISA).

Strengthen and optimize compliance in Azure Security Center (Microsoft Azure Blog, Mar 25 2021)
The Regulatory Compliance dashboard in Azure Security Center is an excellent tool for helping organizations understand their compliance posture relative to industry standards.

A Day in the Life of a DevSecOps Manager (Dark Reading, Mar 26 2021)
“Most days are good days,” says Rally Health’s Ari Kalfus. But they sure are busy, he tells The Edge.

Microsoft Offers Up to $30,000 for Vulnerabilities in Teams Desktop Client (SecurityWeek, Mar 25 2021)
Microsoft on Wednesday announced that its bug bounty programs now also cover the desktop client of its Teams business communications platform.

70% of organizations recognize the importance of secure coding practices (Help Net Security, Mar 26 2021)
Research from Secure Code Warrior has revealed an attitudinal shift in the software development industry, with organizations moving away from traditional practices toward DevOps and Secure DevOps. The global survey of professional developers and their managers found that 70% of organizations recognize the importance of secure coding practices, with results indicating that an industry-wide shift from reaction to prevention is underway.

In wake of giant software hacks, application security tactics due for an overhaul (SC Media, Mar 29 2021)
Rising rates of vulnerabilities, a more complex development environment and a lack of industry standards are putting software applications at risk. Can newer security tools and processes turn the tide?

Chinese Researchers Earn Another $20,000 for Chrome Sandbox Escape (SecurityWeek, Mar 31 2021)
Researchers from Chinese cybersecurity company Qihoo 360 have earned another $20,000 from Google for a sandbox escape vulnerability affecting the Chrome web browser.