A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Google Releases Open Source Tool for Verifying Containers (SecurityWeek, May 10 2021)
Google has released a new open-source tool called cosign to make it easier to manage the process of signing and verifying container images.

Researcher Claims Peloton APIs Exposed All Users Data (Infosecurity Magazine, May 06 2021)
Even those in privacy mode were affected, says Pen Test Partners

Emerging open cloud security framework has backing of Microsoft, Google and IBM (TechCrunch, May 05 2021)
Each of the big cloud platforms has its own methodology for passing on security information to logging and security platforms, leaving it to the vendors to find proprietary ways to translate that into a format that works for their tool. The Cloud Security Notification Framework (CSNF), a new working group that includes Microsoft, Google and…

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Microsoft Pledges to Store European Cloud Data in EU (SecurityWeek, May 06 2021)
US tech giant Microsoft pledged Thursday to process and store all European cloud-based client data in the European Union amid unease in the region over the reach of US legislation on personal data collection.

Cloud-Native Businesses Struggle With Security (Dark Reading, May 06 2021)
More companies moved to cloud-native infrastructure in the past year, and security incidents and malware moved right along with them.

Misconfigurations are Mistakes: Eliminate the Biggest Vulnerability in Cloud Services (Infosecurity Magazine, May 07 2021)
Mark Nunnikhoven argues that organizations should be pushing to move faster to the cloud in order to improve their security

The Benefits of Cloud Services Far Outweigh On-Premises in 2021 (SecurityWeek, May 10 2021)
The pandemic, among other variables, has greatly accelerated cloud adoption for many organizations in 2021.

IBM announces hybrid cloud and AI capabilities to boost digital transformation (Help Net Security, May 11 2021)
IBM announces advances in artificial intelligence (AI), hybrid cloud, and quantum computing. The innovations highlight IBM’s role in helping its clients and partners accelerate their digital transformations, return to work smarter, and build strategic ecosystems that can drive better business outcomes. “We will look back on this year and last as the moment the world entered the digital century in full force,” said IBM Chairman and CEO Arvind Krishna.

AWS configuration issues lead to exposure of 5 million records (SC Media, May 11 2021)
In analyzing the SSM documents, the Check Point researchers found that some basic misconceptions of the service had occurred, along with a lack of proper parameters of usage as defined in the AWS best practices, leading to potential misconfigurations.

How to monitor expirations of imported certificates in AWS Certificate Manager (ACM) (AWS Security Blog, May 07 2021)
Certificates are vital to maintaining trust and providing encryption to internal or external facing infrastructure and applications. AWS Certificate Manager (ACM) provides certificate services to any workload that requires them. Although ACM provides managed renewals that automatically renew certificates in most cases, there are exceptions, such as imported certs, where an automatic renewal isn’t possible.

Vulnerability attacks weakness in Microsoft Azure virtual machine extensions (SC Media, May 11 2021)
The flaw, which Microsoft patched in March, would allow an attacker to escalate privileges and access sensitive user data.

Application Attacks Spike as Criminals Target Remote Workers (Dark Reading, May 11 2021)
Application-specific and Web application attacks made up 67% of all attacks in 2020 as criminal strategies shifted in the pandemic.

Nine additional AWS cloud service offerings authorized by DISA (AWS Security Blog, May 06 2021)
I’m excited to share that the Defense Information Systems Agency (DISA) has authorized three additional Amazon Web Services (AWS) services at Impact Level (IL) 4 and IL 5 in the AWS GovCloud (US) Regions, as well as five additional AWS services and one feature at IL 6 in the AWS Secret Region, under the Department…

How to Ensure Data Protection in Multi-Cloud (Cloud Security Alliance, May 12 2021)
This blog was originally published by CyberCrypt here.Multi-cloud setups pose a handful of challenges: data ownership, control and responsibility are shared among different CSPs and different regions, leaving open the door to misconfigurations and increasing the attack surface available to malicious actors.

Apple Removed 95,000 Fraudulent Applications From App Store in 2020 (SecurityWeek, May 12 2021)
In 2020, Apple removed or rejected hundreds of thousands of applications from the App Store for engaging in various forms of fraudulent behavior, including spam, mischief, and privacy violations.