A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Use the OWASP API Top 10 to Secure Your APIs (DevOps, Jun 02 2021)
The tools, languages, platforms, and methods used to build applications have changed drastically over the past decade. Application security practices have to change with them; otherwise, security professionals will be playing constant catch-up with attackers and cybercriminals.
Best practices for securing the CPaaS technology stack (Help Net Security, May 31 2021)
Like everything that’s connected to the cloud, Communications Platform-as-a-Service (CPaaS) solutions are vulnerable to hacking, which increased dramatically as workforces shifted to remote and hybrid models because of the pandemic. For this reason and others, such a platform must be built secure by design. This means taking the time necessary to examine and re-examine code and configuration, then make appropriate changes prior to deployment.
How to implement a hybrid PKI solution on AWS (AWS Security Blog, May 26 2021)
As customers migrate workloads into Amazon Web Services (AWS) they may be running a combination of on-premises and cloud infrastructure. When certificates are issued to this infrastructure, having a common root of trust to the certificate hierarchy allows for consistency and interoperability of the Public Key Infrastructure (PKI) solution.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Chart: Cloud Concerns (Dark Reading, May 28 2021)
As more organizations make their way to the cloud, their eyes are wide open to the associated cybersecurity risks that tag along for the ride.
The Misaligned Incentives for Cloud Security (Schneier on Security, May 28 2021)
Russia’s Sunburst cyberespionage campaign, discovered late last year, impacted more than 100 large companies and US federal agencies, including the Treasury, Energy, Justice, and Homeland Security departments. A crucial part of the Russians’ success was their ability to move through these organizations by compromising cloud and local network identity systems to then access cloud accounts and pilfer emails and files.
Securing Containers: Seven Key Concerns and What to Do About Them (Infosecurity Magazine, Jun 01 2021)
When building out a security strategy for containers, there are generally seven primary concerns.
AWS plans to open infrastructure region in the UAE (Help Net Security, May 26 2021)
Amazon Web Services announced that it plans to open an infrastructure region in the United Arab Emirates (UAE) in the first half of 2022. The new AWS Middle East (UAE) Region will consist of three Availability Zones and, alongside the existing AWS Region in Bahrain, will become AWS’s second region in the Middle East, giving customers more choice and flexibility to leverage advanced technologies from the world’s leading cloud.
Zero-trust managed security for services with Traffic Director (Google Cloud Blog, Jun 02 2021)
We created Traffic Director to bring to you a fully managed service mesh product that includes load balancing, traffic management and service discovery. And now, we’re happy to announce the availability of a fully-managed zero-trust security solution using Traffic Director with Google Kubernetes Engine (GKE) and Certificate Authority (CA) Service.
Application security not a priority for financial services institutions (Help Net Security, May 28 2021)
Contrast Security announced the findings of a report based on a comprehensive survey of development, operations, and security professionals and executives at enterprise-level financial services institutions. The report explores the state of application security at these organizations, and the findings indicate that the security of these applications – which have access to and control over consumers’ finances – is not a priority or major concern for most of them.
Critical Zero-Day in WordPress Plugin Under Active Attack (Infosecurity Magazine, Jun 02 2021)
Vulnerability in Fancy Product Designer could enable full site takeover.