A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Auto Insurance Giant GEICO Discloses Data Breach (SecurityWeek, Apr 20 2021)
American auto insurance provider GEICO has disclosed a cyber-incident that resulted in driver’s license numbers being compromised.

Infection Monkey: Open source tool allows zero trust assessment of AWS environments (Help Net Security, Apr 16 2021)
Guardicore unveiled new zero trust assessment capabilities in Infection Monkey, its open source breach and attack simulation tool. The capability is available immediately: security professionals can now conduct zero trust assessments of AWS environments to help identify the potential gaps in an organization’s AWS security posture that can put data at risk.

Backdoor Found in Codecov Bash Uploader (Schneier on Security, Apr 21 2021)
“Developers have discovered a backdoor in the Codecov bash uploader. It’s been there for four months. We don’t know who put it there.

“Codecov said the breach allowed the attackers to export information stored in its users’ continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure,” the company warned.”

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Even though critical, web application security is getting less attention (Help Net Security, Apr 20 2021)
As organizations shifted focus to support remote work and business continuity amid the challenges of 2020, web application security suffered, according to an Invicti Security report. Between 2016 and 2019, the number of high-severity and medium-severity vulnerabilities decreased steadily every year, with an average reduction rate of 22% in high-severity vulnerabilities year over year.

Threat Actor Claims to Have Hacked Domino’s (Infosecurity Magazine, Apr 20 2021)
A hacker claims to have stolen 13TB of data from the multinational pizza chain’s Indian wing.

Complexity and budgetary constraints complicate cloud security (Help Net Security, Apr 20 2021)
While spending on cloud services is high, with more than half of respondents having spent more than $10 million and 11% having spent more than $100 million in the last three years, security preparedness is low, with 32% saying they are doing less than they need to, or nothing at all, to ensure security of their cloud resources, an Osterman Research survey reveals.

Vulnerability in CocoaPods Dependency Manager Exposed Millions of Apps (SecurityWeek, Apr 21 2021)
A remote code execution vulnerability identified on the central CocoaPods server could have allowed an attacker to poison any package download, security researcher Max Justicz reveals.

Software Developer Arrested in Computer Sabotage Case (Dark Reading, Apr 15 2021)
Officials say Davis Lu placed malicious code on servers in a denial-of-service attack on his employer.

Google Brings 37 Security Fixes to Chrome 90 (Dark Reading, Apr 15 2021)
The latest version of Google Chrome also introduces HTTPS as the browser’s default protocol.