This week’s news is brought to you by JupiterOne. To find out more about them, head to www.jupiterone.com/csp
- If you have been in cybersecurity for a few years, you have possibly heard the name Snyk floating around. They are a Boston-based cybersecurity company that provides a developer security platform for securing code, dependencies, containers, and infrastructure as code. This week they announced that they have acquired Fugue, another name you may be familiar with. Fugue is a cloud security and compliance company, and according to Snyk, “This milestone marks Snyk’s entry into the cloud security market, a fast growing segment of cybersecurity predicted to be worth $77.5 billion by 2026 according to MarketsandMarkets.” Snyk has shared that, in the near term, a new Snyk solution will unite and then extend Snyk’s Infrastructure as Code (IaC) and Fugue’s cloud security capabilities, designed specifically with DevSecOps teams in mind. You can read more about this story here.
- AWS has made a few announcements lately
Starting with the addition of AWS WAF Fraud Control - Account Takeover Prevention, which protects your application’s login page against credential stuffing attacks, brute force attempts, and other anomalous login activity. Account Takeover Prevention lets you stop account takeover attempts at the network edge, before the requests reach your application. You can find out more about it here. Staying on the topic of WAF, AWS Firewall Manager now supports versioning for AWS WAF managed rule groups. This lets you test a new rule group version safely before deploying it across your organization. Read more about it here.
For those of you who thought Log4j from December 2021 was behind us, next up is Amazon CodeGuru Reviewer, which now detects Apache Log4j and other log injection vulnerabilities in code. It is a new log injection detector that analyzes your Java or Python code for potentially unsafe logging statements (untrusted input spliced into the log message itself, where it can forge log entries or, in the Log4j case, reach the library’s lookup handling), including those that could be leveraged by the Apache Log4j issue. You can find out more about Amazon CodeGuru and the upgrade here.
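To make the “unsafe logging statement” idea concrete, here is an added example (written for this post, not CodeGuru’s detector and not code from AWS) in Python, one of the two languages the detector scans. It walks a constructed source sample with the standard `ast` module and flags logging calls whose message is assembled from non-literal pieces, then shows why that matters by rendering a login log line with and without CR/LF escaping so a single crafted username forges a second log entry. The sample source, the `SAMPLE_SOURCE` and `LOG_METHODS` names, and the `sanitize_for_log` helper are all assumptions of this example.

```python
import ast
import io
import logging

# Logger methods whose first positional argument is the message
# (for logger.log(level, msg) the message is the second argument).
LOG_METHODS = {"debug", "info", "warning", "warn", "error", "critical", "exception", "log"}

# Constructed sample source, not from any real project: four logging
# statements, three of which splice the user-controlled value into the message.
SAMPLE_SOURCE = '''
import logging
log = logging.getLogger(__name__)
def login(user):
    log.info(f"login attempt for {user}")
    log.info("login attempt for " + user)
    log.info("login attempt for %s", user)
    log.warning("auth failed for {}".format(user))
'''


def find_unsafe_logging(source: str) -> list:
    """Flag logging calls whose message is built from non-literal pieces.

    Returns (line_number, reason) tuples sorted by line. A plain string literal
    with lazy %-style arguments is treated as safe: the logger formats the
    arguments itself, so untrusted input never becomes the format string
    (the pattern behind the Log4j lookup problem).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        method = node.func.attr
        if method not in LOG_METHODS:
            continue
        msg_index = 1 if method == "log" else 0
        if len(node.args) <= msg_index:
            continue
        msg = node.args[msg_index]
        if isinstance(msg, ast.JoinedStr):
            findings.append((node.lineno, "f-string used as log message"))
        elif isinstance(msg, ast.BinOp) and isinstance(msg.op, (ast.Add, ast.Mod)):
            findings.append((node.lineno, "message built with + or % before logging"))
        elif (isinstance(msg, ast.Call) and isinstance(msg.func, ast.Attribute)
              and msg.func.attr == "format"):
            findings.append((node.lineno, "message built with str.format()"))
        elif not isinstance(msg, ast.Constant):
            findings.append((node.lineno, "non-literal log message"))
    return sorted(findings)


def sanitize_for_log(value: str) -> str:
    """Escape CR/LF so a value cannot end the current log line and forge a new one."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


def render_login_line(user: str, sanitize: bool) -> str:
    """Log one login attempt to an in-memory buffer and return the raw log text."""
    buf = io.StringIO()
    logger = logging.getLogger("login-demo-%s" % sanitize)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    # Lazy arguments: the logger, not the caller, does the formatting.
    logger.info("login attempt for %s", sanitize_for_log(user) if sanitize else user)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    for line, reason in find_unsafe_logging(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
    forged = "bob\nINFO login attempt for admin"   # one username, two log lines
    print(repr(render_login_line(forged, sanitize=False)))
    print(repr(render_login_line(forged, sanitize=True)))
```

The detector only looks at the shape of the call, which is exactly why it is cheap to run in a review pipeline and why it also produces the occasional false positive (a concatenation of two literals is flagged too). Escaping newlines closes the log-forging case; it does nothing for Log4j-style lookups, where the only real fix is keeping untrusted data out of the message template and patching the library.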
In addition to this, AWS Security Hub has launched 13 controls and two partners for its Foundational Security Best Practices (FSBP) standard to enhance customers’ Cloud Security Posture Management (CSPM). These controls run fully automated checks against security best practices for Amazon CloudFront, Amazon EC2, Amazon OpenSearch and many others. Read more here.
AWS has also announced the general availability of AWS Backup for Amazon S3, which adds Amazon S3 to the set of services supported by AWS Backup. This is intended to make it easier to centrally automate backup and restore of application data stored in Amazon S3 alongside the other AWS compute, storage, and database services it already covers. You can find out more about this here.
- Did you hear about Ghostbuster? And no, I am not talking about the 1980s movies about capturing ghosts. It is an open source tool developed by Australian cybersecurity firm Assetnote. When you deploy infrastructure to AWS, you may spin up EC2 instances that have a public or Elastic IP associated with them. When those instances are deleted or assigned new IPs, the old address goes back into the AWS pool, and organizations often forget to remove the DNS records that still point at it. Anyone who later allocates that address from AWS can then serve content under the organization’s hostname, which makes the records vulnerable to subdomain takeover attacks. To combat this, Assetnote created Ghostbuster, which works by enumerating all the Elastic/public IPs associated with every AWS account you own, and then checking whether any of your DNS records point to Elastic IPs that you don’t own in any of your AWS accounts. You can view their GitHub repository here and read more about Ghostbuster here.
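The core of that check is small enough to show in full. The following is an added example written for this post; it is not Ghostbuster’s own code and makes no claim about how Assetnote implemented the tool. It takes three inputs, all constructed here so it runs offline: an excerpt in the shape of the `ip-ranges.json` file AWS publishes, the set of public IPs still attached to resources in your accounts, and a DNS zone as `(name, type, value)` tuples. An A record is reported as dangling only when it points into EC2 address space at an IP you do not hold, because those are the addresses someone else can reclaim by allocating Elastic IPs. The `collect_from_aws` helper shows how the live inputs would be gathered with boto3 for one account; it is an assumption of the example (no pagination, one hosted zone) and is not called by the offline run.

```python
import ipaddress
import json

# Constructed excerpt in the shape of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json); the real file has thousands of prefixes.
SAMPLE_IP_RANGES = json.dumps({"prefixes": [
    {"ip_prefix": "3.8.0.0/14", "region": "eu-west-2", "service": "EC2"},
    {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON"},
]})

# Constructed inventory: public IPs still attached to resources in our accounts.
SAMPLE_OWNED_IPS = {"3.8.1.10", "3.8.3.30"}

# Constructed DNS zone as (name, type, value) tuples.
SAMPLE_RECORDS = [
    ("app.example.com.", "A", "3.8.1.10"),          # owned by us: fine
    ("old.example.com.", "A", "3.8.2.20"),          # EC2 space, not ours: dangling
    ("cdn.example.com.", "A", "52.94.1.5"),         # AWS but not EC2: not claimable via EIP allocation
    ("office.example.com.", "A", "203.0.113.7"),    # outside AWS entirely
    ("www.example.com.", "CNAME", "app.example.com."),
]


def load_ec2_networks(ip_ranges_json: str) -> list:
    """Return the EC2 prefixes from an ip-ranges.json document as ip_network objects."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "EC2"]


def find_dangling(records, owned_ips, ec2_networks) -> list:
    """Return (name, ip) for A records that point into EC2 space at IPs we do not own.

    Records pointing outside EC2 are skipped: they may well be stale, but an
    attacker cannot take them over simply by allocating Elastic IPs.
    """
    owned = {ipaddress.ip_address(ip) for ip in owned_ips}
    dangling = []
    for name, rtype, value in records:
        if rtype != "A":
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:           # malformed value, not an IP
            continue
        if ip in owned:
            continue
        if any(ip in net for net in ec2_networks):
            dangling.append((name, value))
    return dangling


def collect_from_aws(hosted_zone_id: str, profile=None):
    """Live collector for one account (assumed setup: boto3 installed, credentials configured).

    Not executed in the offline demo. Ignores pagination and covers a single
    hosted zone; a multi-account sweep would loop this over every profile and
    union the owned-IP sets before calling find_dangling().
    """
    import boto3
    session = boto3.Session(profile_name=profile)
    ec2 = session.client("ec2")
    owned = {a["PublicIp"] for a in ec2.describe_addresses()["Addresses"]}
    for reservation in ec2.describe_instances()["Reservations"]:
        for instance in reservation["Instances"]:
            if "PublicIpAddress" in instance:
                owned.add(instance["PublicIpAddress"])
    route53 = session.client("route53")
    records = []
    rrsets = route53.list_resource_record_sets(HostedZoneId=hosted_zone_id)["ResourceRecordSets"]
    for rrset in rrsets:
        for rr in rrset.get("ResourceRecords", []):
            records.append((rrset["Name"], rrset["Type"], rr["Value"]))
    return records, owned


if __name__ == "__main__":
    ec2_nets = load_ec2_networks(SAMPLE_IP_RANGES)
    for name, ip in find_dangling(SAMPLE_RECORDS, SAMPLE_OWNED_IPS, ec2_nets):
        print(f"dangling: {name} -> {ip}")
```

The one thing to get right in practice is the owned-IP set: if any account is missing from the sweep, its live addresses show up as false positives, which is exactly why the tool enumerates every account you own before comparing. Records that survive the check can still be stale, so the report is a starting list for cleanup, not proof that everything else is fine.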
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently released Free Cybersecurity Services and Tools, a list of free cybersecurity tools and services to help organizations further advance their security capabilities. They call it a living repository that contains cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. They have shared that they will implement a process for organizations to submit additional free tools and services for inclusion on the list in the future, and they confirm that the list is not comprehensive and is subject to change pending future additions. They also call out that all organizations should first take certain foundational measures to implement a strong cybersecurity program before reaching for the tools. Take a look at their blog here and let us know what you think of the list they have compiled: any favorites on the list, and any additions that must be made.