A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

Cloud CISO Perspectives: May 2021 (Google Cloud Blog, May 13 2021)
“Today, I’ll recap our cloud security and industry highlights, a sneak peek of what’s ahead from Google at RSA and more.”

University of Minnesota researchers fail to understand consent (Help Net Security, May 19 2021)
You’d think with all the recent discussion about consent, researchers would more carefully observe ethical boundaries. Yet, a group of researchers from the University of Minnesota not only crossed the line but ran across it, screaming defiantly the whole way. In response, the Linux Foundation, which is the core of the open-source community, took the unprecedented step of banning the entire University of Minnesota from contributing to the Linux kernel.

Rapid7 Source Code Exposed in Codecov Supply Chain Attack (SecurityWeek, May 13 2021)
Rapid7 says an unauthorized third party accessed source code and customer data during the Codecov supply chain breach.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



Google Cloud CISO: Usability must be baked into design of security tools (SC Media, May 19 2021)
Security and usability are not mutually exclusive, and effectively combining these concepts can help organizations overcome the cyber skills gap, according to Google Cloud Chief Information Security Officer Phil Venables, during an RSA Conference keynote session.

Five considerations for cloud migration, from the House of Representatives CISO (SC Media, May 18 2021)
Companies need to consider more than firewalls, access controls and incident response, said Randy Vickers: “You have to be allowed to exchange data with cloud service providers, with on-prem systems, and with other individuals and organizations, but in a secure way.”

Cloud compromise now the biggest cybersecurity issue for financial institutions (Help Net Security, May 12 2021)
Infoblox has unveiled research into how the COVID-19 shutdowns challenged the financial services industry’s core infrastructure. More than one year into the pandemic, banks, insurers, and other financial institutions report costly consequences of falling short in protecting their massive data troves from cloud-based attacks and network disruptions.

Report finds old misconfiguration woes continue to hammer corporate clouds (SC Media, May 12 2021)
Misconfigured storage buckets and leaky APIs remain two of the top causes behind cloud breaches.

Firms Struggle to Secure Multicloud Misconfigurations (Dark Reading, May 13 2021)
Half of companies had at least one case of having all ports open to the public, while more than a third had an exposed database.

Maximizing a hybrid cloud approach with colocation (Help Net Security, May 14 2021)
As a multi-tenant cloud environment, the public cloud offers companies with vast amounts of data a highly affordable option. However, it also presents a number of limitations, including reliability challenges, a lack of control and transparency, and information security issues. First, uptime reliability can be a major issue for public cloud architectures. Popular cloud platforms – including Google Cloud, Microsoft Azure, Amazon AWS, and IBM Cloud – typically offer a 99.99% uptime guarantee, but...

Take control of your firewall rules with Firewall Insights (Google Cloud Blog, May 19 2021)
Corporate firewalls typically include a massive number of rules, which accumulate over time as new workloads are added. When rules stack up piecemeal like this, misconfigurations occur that, at best, create headaches for security administrators, and at worst, create vulnerabilities that lead to security breaches.

DevOps didn’t kill WAF, because WAF will never truly die (Help Net Security, May 14 2021)
The web application firewall (WAF) is dead, they say, and DevOps is the culprit, found over the body in the server room with a blade in its hand and splattered code on its shirt. But although some could argue that DevOps had the means, motive, and opportunity, the fact is that WAF isn’t dead at all, nor is it likely to be anytime soon.

Developers knowingly push flawed code, doubt build environments are secure (SC Media, May 13 2021)
A recent survey found that most development teams, 81%, knowingly pushed flawed code live, and 20% of senior managers even admitted to committing this practice often.

Agility Broke AppSec. Now It’s Going to Fix It. (Dark Reading, May 17 2021)
Outnumbered 100 to 1 by developers, AppSec needs a new model of agility to catch up and protect everything that needs to be secured.

Hiring remote software developers: How to spot the cheaters (Help Net Security, May 18 2021)
For the past year, moving to an all-remote workforce has often been positioned as a silver lining to the pandemic. Software engineers, in particular, reported a better work-life balance and a higher level of productivity. With an overwhelming majority of software engineers expressing a preference for remote work, it’s no wonder that more employers are making commitments to expand their remote workforces.

Commercial third party code creating security blind spots (Help Net Security, May 18 2021)
Despite the fact that third-party code in IoT projects has grown 17% in the past five years, only 56% of OEMs have formal policies for security testing, VDC Research reveals. Meanwhile, when asked to rank the importance of security to current projects, 73.6% of respondents said it was important, very important or critical.

The basics of security code review (Help Net Security, May 19 2021)
With staffing ratios often more than 200 developers for every AppSec professional, scaling security requires increasing the developer’s engagement in securing the product. To do that, developers must be responsible for the security of the code they write.

Google Workspace Gets New Security Features (SecurityWeek, May 19 2021)
Google this week announced adding new security features to its Google Workspace collaboration and productivity solution, to provide administrators with more capabilities and controls for protecting users and organizations.