In this week’s news we refer to a few published articles and documents. We have linked all of these articles in the episode notes for this podcast so you can easily access them.
- Amazon Web Services, Google Cloud, IBM, and Microsoft have joined forces this week with the Enterprise Data Management (EDM) Council to publish a framework for managing data in the cloud. The new Cloud Data Management Capabilities (CDMC) framework was developed over the last 18 months with participation from more than 100 leading companies. CDMC consists of six components: data governance and accountability, cataloguing and classification, data accessibility and usage, data protection and privacy, data lifecycle, and technical architecture. The framework can be found here.
- Microsoft has published information this week on new malware it calls FoggyWeb, which has been deployed by Nobelium, the Russia-linked threat actor said to be behind the devastating SolarWinds supply chain attack. FoggyWeb is a backdoor used against Active Directory Federation Services servers, which provide single sign-on for users; the backdoor can be used to remotely exfiltrate sensitive information. Microsoft’s published document can be found here.
- For those of you familiar with OWASP (Open Web Application Security Project), OWASP celebrated its 20th anniversary last week with a 24-hour webinar and launched its top 10 web security vulnerabilities for 2021, updated from 2017. It is worth noting that there are a few updates relevant to cloud security: broken access control has moved from #5 to #1, insecure design and server-side request forgery have now been added, and security misconfiguration has made it into the top 5. You can read more about it here.
2021 OWASP Top 10
- Broken access control
- Cryptographic failures
- Injection
- Insecure design
- Security misconfiguration
- Vulnerable and outdated components
- Identification and authentication failures
- Software and data integrity failures
- Security logging and monitoring failures
- Server-side request forgery
- Trufflehog, a git repository scanner from Truffle Security, was originally released in 2017. Recently an open source Chrome extension was released for Trufflehog that helps identify API keys for SaaS and cloud providers, which often make their way into JavaScript. AWS APIs, as well as many other SaaS and cloud provider APIs, have extremely permissive CORS (Cross-Origin Resource Sharing) settings.
If you would like to know more about Trufflehog, we had the pleasure of speaking to Dylan Ayrey from Truffle Security on Cloud Security Podcast. You can check out the episode on www.cloudsecuritypodcast.tv
- Cloud Security Alliance released its report, The State of Cloud Security Risk, Compliance, and Misconfigurations, this month. Based on over 1000 responses from IT and security professionals, they found:
  - lack of knowledge and expertise continues to plague security teams
  - organizations continue to struggle with managing misconfigurations. IT operations and information security teams are still primarily responsible for detecting, monitoring, tracking and remediating potential misconfigurations, rather than these responsibilities being distributed across the DevOps or application engineering teams, who may be accidentally causing such mistakes and are in a better position to fix them directly
  - many organizations struggle to implement DevSecOps due to cultural differences and conflicting priorities
You can access the report here