Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of cybersecurity.
This week: Google Cloud takes a swing at software supply chain risk. Also: multiple vulnerabilities in Adobe products could lead to arbitrary code execution, and more.
This week’s top story
Google tackles supply chain risk with Software Delivery Shield
Google is doubling down on its investment to supply chain security, announcing a new platform and Google Cloud-based development workstations designed to secure cloud development organizations from supply chain risks.
The company's Software Delivery Shield is a managed supply chain security platform targeted at development, DevOps, and security teams. The platform integrates with Google's Cloud services and developer tooling, Google said in a blog post. Modules address application development, software “supply,” continuous integration (CI) and continuous delivery (CD), production environments, and policies.
As part of its new offering, Google is also introducing a new service for its Google Cloud Next dubbed Cloud Workstations — fully managed development environments that run on on Google Cloud. The goal is to eliminate the risks of decentralized development — for example: local storage of source code by developers, inconsistent configurations or privacy risks.
Finally, Google said it has added a new module to its Cloud Code IDE: Source Protect, which it claims gives developers "real-time security feedback" as they work, identifying issues such as vulnerable dependencies and license reporting.
Software Delivery Shield follows the previous work Google Cloud has done to pave the way for software security efforts, such as the company’s involvement in the creation of Supply Chain Levels for Software Artifacts (SLSA), as well as its $10 billion commitment to advancing cybersecurity.
News roundup
Here are the stories we’re paying attention to this week…
Supply chain cyber security: new guidance from the NCSC (NCSC)
The U.K.'s National Cyber Security Centre (NCSC) has published new guidance 'How to assess and gain confidence in your supply chain cyber security'. It’s aimed at medium to large organizations who need to gain confidence or assurance that mitigations are in place for vulnerabilities associated with working with suppliers.
DevOps lesson from Toyota fail: crash test secrets (ReversingLabs Blog)
Toyota stands accused of lax DevOps standards, as the company reveals it stored prod database credentials in a public GitHub repo. That’s bad enough, but it also took five years to detect and fix. Easy to mock, but could it happen to you? What DevOps processes do you use to prevent a similar incident? And do those processes have management support?
Multiple vulnerabilities in Adobe products could allow for arbitrary code execution (Center for Internet Security)
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
New npm timing attack could lead to supply chain attacks (BleepingComputer)
Security researchers have discovered an npm timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead.
Patient care delayed at a large hospital chain due to a ransomware attack (U.S. News)
A ransomware attack at one of the country's largest hospital chains disrupted care at hospitals from Seattle to Tennessee last week.
New report uncovers Emotet's delivery and evasion techniques used in recent attacks (The Hacker News)
Threat actors associated with the notorious Emotet malware are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection, according to new research from VMware.
Microsoft Defender adds command and control traffic detection (BleepingComputer)
Microsoft has added command-and-control (C2) traffic detection capabilities to its Microsoft Defender for Endpoint (MDE) enterprise endpoint security platform.
