A Review of the Best News of the Week on Cloud Security, DevOps, AppSec

MacOS Zero-Day Let Attackers Bypass Privacy Preferences (Dark Reading, May 25 2021)
Apple has released security patches for vulnerabilities in macOS and tvOS that reports indicate have been exploited in the wild.

Label standard and best practices for Kubernetes security (Help Net Security, May 26 2021)
This article talks about a label standard and best practices for Kubernetes security, a common area where I see organizations struggle to define the set of labels required to meet their security requirements. My advice is to always start with a hierarchical security design that can achieve your enterprise security and compliance requirements, then define your label standard in alignment with your design.

The state of AppSec and the journey to DevSecOps (Help Net Security, May 23 2021)
While the perceived benefits of DevSecOps to both security and DevOps are high, much progress must be made in defining a repeatable and consistent governance model for true DevSecOps to take hold, a ZeroNorth survey of 250 global security, DevOps and IT professionals reveals.

Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

100M Users’ Data Exposed via Third-Party Cloud Misconfigurations (Dark Reading, May 20 2021)

As cloud environments get more complex, app security needs an AI-powered upgrade (SC Media, May 26 2021)
Huma Abidi of Intel speaks at the Artificial Intelligence Conference in San Francisco three years ago. Today’s columnist, Dave Anderson of Dynatrace, says AI-powered risk and impact analysis and remediation can deliver the visibility developers need to more effectively manage vulnerabilities.

Average loss from compromised cloud accounts is more than $500,000 a year (SC Media, May 25 2021)
The report also noted that 68% of respondents believe cloud account takeovers present a significant security risk to their organizations – and more than 50% indicated that the frequency and severity of cloud account compromises increased over the past year.

How to import AWS IoT Device Defender audit findings into Security Hub (AWS Security Blog, May 24 2021)
AWS Security Hub provides a comprehensive view of the security alerts and security posture in your accounts. In this blog post, we show how you can import AWS IoT Device Defender audit findings into Security Hub.

AWS Shield threat landscape review: 2020 year-in-review (AWS Security Blog, May 20 2021)
AWS Shield is a managed service that protects applications that are running on Amazon Web Services (AWS) against external threats, such as bots and distributed denial of service (DDoS) attacks.

Cloud Security Blind Spots: Where They Are and How to Protect Them (Dark Reading, May 21 2021)
Security experts discuss oft-neglected areas of cloud security and offer guidance to businesses working to strengthen their security posture.

Misconfigurations are the Biggest Threat to Cloud Security: Here’s What to Do (Infosecurity Magazine, May 24 2021)
Four ways to protect against cloud security misconfigurations, the biggest threat to cloud security.

If you’re ready to move to the cloud, here’s how to vet service providers (SC Media, May 19 2021)
During the RSA Conference’s Cloud Security Summit this week, three speakers noted top priorities when making a cloud transition, all tied to establishing expectations of a cloud service provider up front, and ensuring in writing that the provider can and will adhere to specific standards for maintaining and securing data.

Dev-Sec Disconnect Undermines Secure Coding Efforts (Dark Reading, May 20 2021)

Web App Bugs Drove Multiple Breaches Per Firm in 2020 (Infosecurity Magazine, May 20 2021)
Barracuda Networks claims bad bots are the main challenge