A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
How an Obscure Company Took Down Big Chunks of the Internet (Wired, Jun 08 2021)
You may not have heard of Fastly, but you felt its impact when sites didn’t load around the world Tuesday morning.
Google Experts Explore Open Source Security Challenges & Fixes (Dark Reading, Jun 03 2021)
An open source security event brought discussions of supply chain security and managing flaws in open source projects.
First Known Malware Surfaces Targeting Windows Containers (Dark Reading, Jun 07 2021)
Siloscape is designed to create a backdoor in Kubernetes clusters to run malicious containers.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
Deloitte acquires CloudQuest to bolster cloud security offerings (Help Net Security, Jun 08 2021)
Deloitte announced its acquisition of substantially all the assets of CloudQuest, a cloud security posture management (CSPM) provider based in Cupertino, Calif. The deal will bolster Deloitte’s existing cloud cybersecurity offerings with CloudQuest’s cloud-native security capabilities to more seamlessly manage security workflows, reduce risk and improve data security.
Only 17% of organizations encrypt at least half of their sensitive cloud data (SC Media, Jun 02 2021)
New research by Thales on security trends one year into the pandemic found that about half of businesses store more than 40% of their data in external cloud environments. The percentages for encryption of sensitive data in the cloud is less encouraging however.
Keeping pace with evolving code signing baseline requirements (Help Net Security, Jun 07 2021)
Maintaining code integrity has always been top of mind for today’s development-driven organizations. However, the recent SolarWinds breach was a stark reminder of the importance of stopping malicious tampering and maximizing trust. The attack was especially audacious because it took advantage of what is normally an industry best practice: regular software updates.
CISOs Agree That Traditional Application Security Measures Don’t Work (Infosecurity Magazine, Jun 04 2021)
Alert overload and legacy tooling cited as major DevSecOps challenges
Will feds mandate third-party code reviews? Developers say it’s a bad idea (SC Media, Jun 04 2021)
Some industry groups are warning the U.S. government that third-party testing or review would be overly intrusive and might not add much benefit, especially if the focus is on source code or earlier stages of the development process.
GitHub Updates Policies on Vulnerability Research, Exploits (SecurityWeek, Jun 07 2021)
Code hosting platform GitHub says it has updated its policies regarding vulnerability research, malware, and exploits, to permit dual-use security research.
Application security approaches broken by rising adoption of cloud-native architectures (Help Net Security, Jun 08 2021)
The rising adoption of cloud-native architectures, DevOps, and agile methodologies has broken traditional approaches to application security, a survey of 700 CISOs by Coleman Parkes reveals.
New Google tool reveals dependencies for open source projects (Help Net Security, Jun 07 2021)
Google has been working on a new, experimental tool to help developers discover the dependencies of the open source packages/libraries they use and known security vulnerabilities they are currently sporting.