A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Malicious Office 365 Apps Are the Ultimate Insiders (Krebs on Security, May 05 2021)
Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.

Serious MacOS Vulnerability Patched (Schneier on Security, Apr 30 2021)
“Apple just patched a MacOS vulnerability that bypassed malware checks.

The flaw is akin to a front entrance that’s barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific attributes. Owens discovered that if he made an application that was really just a script—code that tells another program what do rather than doing it itself—and didn’t include a standard application metadata file called “info.plist,” he could silently run the app on any Mac. The operating system wouldn’t even give its most basic prompt: “This is an application downloaded from the Internet. Are you sure you want to open it?””

Cybersecurity Community Unhappy With GitHub’s Proposed Policy Updates (SecurityWeek, Apr 30 2021)
GitHub wants to update its policies regarding security research, exploits and malware, but the cybersecurity community is not happy with the proposed changes.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Researchers Find Bugs Using Single-Codebase Inconsistencies (Dark Reading, May 03 2021)
A Northeastern University research team finds code defects — and some vulnerabilities — by detecting when programmers used different code snippets to perform the same functions.

Researchers Connect Complex Specs to Software Vulnerabilities (Dark Reading, Apr 29 2021)
Following their release of 70 different vulnerabilities in different implementations of TCP/IP stacks over the past year, two companies find a common link.

MITRE ATT&CK v9 is out and includes ATT&CK for Containers (Help Net Security, May 03 2021)
The Mitre Corporation has released the ninth version of its ATT&CK knowledge base of adversary tactics and techniques, which now also includes a newly created ATT&CK matrix for containers.

How to establish a DevSecOps organization (SC Media, Apr 30 2021)
Today’s columnist, Chris Buijs of NS1, points to Kubernetes expertise as one of the new skills essential to building a successful DevSecOps team.

Secure your cloud: Remove the human vulnerabilities (Help Net Security, May 04 2021)
Training to increase employees’ security awareness and change risky behaviours among end users is important, particularly as the future workplace will be hybrid and many professionals will still be working remotely. After all, you don’t want your employees to be the “soft underbelly” that hackers, criminals, or other bad actors can easily target. While end user education and awareness plays a crucial role, this is only a partial defense.

More Companies Adopting DevOps & Agile for Security (Dark Reading, May 04 2021)
Measures of programming speed, security, and automation have all significantly increased in the past year, GitLab’s latest survey finds.

Amazon DevOps Guru: ML-powered cloud operations service to improve application availability (Help Net Security, May 05 2021)
Amazon Web Services announced the general availability of Amazon DevOps Guru, a fully managed operations service that uses machine learning to make it easier for developers to improve application availability by automatically detecting operational issues and recommending specific actions for remediation.

Misconfigs and Unpatched Bugs Top Cloud Native Security Incidents (Infosecurity Magazine, May 05 2021)
Snyk study claims automation is key to enhancing security

Software developers warm up to automated testing as security, cloud rise in importance (SC Media, May 04 2021)
Developers are frustrated about the sluggish pace of testing code and are increasingly incorporating automation and machine learning to ease workloads.

Application Container Security: Risks and Countermeasures (Cloud Security Alliance, May 05 2021)
Written by Suria VenkataramanVirtualizations enable isolated, virtualized views of the operating systems (OS) to each application. Today’s OS virtualization technologies are primarily focused on providing a portable, reusable, and automatable way to package and run applications as containers-based deployments, and they provide key automation enablement in cloud scaling.

Cloud Security for SaaS Startups Part 2: Application & Platform Security (Cloud Security Alliance, May 03 2021)
Based on the Cloud Security for Startups guidelines written by the CSA Israel ChapterAs a SaaS startup, how can your organization ensure you implement proper security for your applications and platforms? In this blog we provide a preview of the information and guidelines available in the Cloud Security for Startups.

The Evolution of DevSecOps (DevOps Zone, May 05 2021)
I wrote The Future of DevSecOps in June 2019 after gathering insights from professionals who foresaw:
-greater adoption,
-security ingrained in development, and,
-AI/ML-driven automation.
For this article, I wanted to go back and see how the adoption of DevSecOps has proceeded over the past two years.