A Review of the Best News of the Week on Cloud Security, DevOps, AppSec
Principles and best practices for data governance in the cloud (Google, May 02 2019)
Every enterprise should think about the entire data governance lifecycle, including data intake and ingestion, cataloging, persistence, retention, storage management, sharing, archiving, backup, recovery, disposition, and removal and deletion.
Password Reuse, Misconfiguration Blamed for Repository Compromises (Dark Reading, May 06 2019)
Armed with stolen credentials from another breach or from a misconfigured file, attackers delete developers’ repositories on GitHub, Bitbucket, and GitLab, leaving behind ransom notes.
On Security Tokens (Schneier on Security, May 01 2019)
“Mark Risher of Google extols the virtues of security keys: I’ll say it again for the people in the back: with Security Keys, instead of the *user* needing to verify the site, the *site* has to prove itself to the key. Good security these days is about human factors; we have to take the onus off of the user as much as we can. Furthermore, this “proof” from the site to the key is only permitted over close physical proximity (like USB, NFC, or Bluetooth). Unless the phisher is in the same room as the victim, they can’t gain access to the second factor.”
8,000 Security News Articles
Since I started this curated newsletter in June 2017, I’ve clipped ~8,000 articles and narrowed them down into the best 20 per day. This is my favority way to stay abreast of the industry. Readers like you make this all worthwhile.
Thanks! – Lucas Samaras
As organizations continue to adopt multicloud strategies, security remains an issue (Help Net Security, May 01 2019)
97 percent of organizations are adopting multicloud strategies for mission-critical applications and nearly two-thirds are using multiple vendors for mission-critical workloads, a Virtustream survey reveals.
Security and compliance obstacles among the top challenges for cloud native adoption (Help Net Security, May 01 2019)
Cloud native adoption has become an important trend among organizations as they move to embrace and employ a combination of cloud, containers, orchestration, and microservices to keep up with customers’ expectations and needs.
Vulnerabilities Found in Over 100 Jenkins Plugins (SecurityWeek, May 03 2019)
A researcher has discovered vulnerabilities in more than 100 plugins designed for the Jenkins open source software development automation server and many of them have yet to be patched.
How to BYOK (bring your own key) to AWS KMS for less than $15.00 a year using AWS CloudHSM (AWS Security Blog, May 06 2019)
“Note: BYOK is helpful for certain use cases, but I recommend that you familiarize yourself with KMS best practices before you adopt this approach. You can review best practices in the AWS Key Management Services Best Practices (.pdf) whitepaper.”
Hacking AWS (DevOpsGroup, May 07 2019)
“While preparing for a Security Game Day with workloads running on AWS, I decided to get more familiar with some of the tools that Red Teams would use to try and compromise the account and infrastructure.”
Continuous Security for GitOps (DevOps Zone, May 06 2019)
Brice gave us an overview of what GitOps is, and why it is a logical and more secure way for large development teams to update applications in Kubernetes.
What’s Behind the Wolters Kluwer Tax Outage? (Krebs on Security, May 07 2019)
“Early in the afternoon on Friday, May, 3, I asked a friend to relay a message to his security contact at CCH, the cloud-based tax division of the global information services firm Wolters Kluwer in the Netherlands. The message was that the same file directories containing new versions of CCH’s software were open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) abused that access.”
Staffing the Software Security Team: Who You Gonna Call? (Dark Reading, May 01 2019)
Recruiting developers and testers from the product group is a great way to build a top-notch application security team. Here’s why.
Open source security: The risk issue is unpatched software, not open source use (Help Net Security, May 02 2019)
The use of ‘abandoned’ components is common. Eighty-five percent of codebases contained components that were more than four years out-of-date or had no development in the past two years. If a component is inactive and no one is maintaining it, that means no one is addressing its potential vulnerabilities.
What Is Application Shielding? (Wired, May 05 2019)
Security firms are increasingly touting application shielding as an important layer of defense. But it may be better suited to DRM.
Open Security Tests Gain Momentum With More Lab Partners (Dark Reading, May 03 2019)
NetSecOPEN, a group of next-generation firewall vendors, has added the first university-based testing facility in its effort to move toward more open security testing.
Job seeker’s data exposed on open Ladders database (SC Magazine, May 02 2019)
The employment website Ladders exposed almost 14 million user records when it left an Amazon Elasticsearch database unprotected.
Firefox add-ons with obfuscated code will be banned by Mozilla (Naked Security – Sophos, May 07 2019)
The updated Add-on Policy aims to rid Firefox of third-party malicious code that hides what it’s really up to.