| Title | Description | URL | Date |
|---|---|---|---|
| W3LL Gang Compromises Thousands of Microsoft 365 Accounts | A secretive phishing cabal boasts a sophisticated affiliate network and a modular, custom toolset that's claiming victims on three continents. | https://www.darkreading.com/endpoint/w3ll-gang-compromises-thousands-of-microsoft-365-accounts | 2023/09/06 |
| EvilProxy Cyberattack Flood Targets Execs via Microsoft 365 | A campaign sent 120,000 phishing emails in three months, circumventing MFA to compromise cloud accounts of high-level executives at global organizations | https://www.darkreading.com/cloud/evilproxy-cyberattack-flood-execs-microsoft-365 | 2023/08/10 |
| Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines | This document from NIST focuses on actionable measures to integrate the various building blocks of SSC security assurance into CI/CD pipelines to prepare organizations to address SSC security in the development and deployment of their cloud-native applications. | https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204D.ipd.pdf | 2023/09/10 |
| Leveraging VSCode Extensions for Initial Access | The article discusses how to use VSCode extensions for initial access during security assessments. It provides examples of extensions that can be leveraged for reconnaissance, exploitation, and post-exploitation activities, highlighting their capabilities and potential risks. | https://www.mdsec.co.uk/2023/08/leveraging-vscode-extensions-for-initial-access/ | 2023/09/10 |
| Cloud Detection and Response Needs To Break Down Boundaries | The attack patterns of the modern day threat actor are changing as they are able to traverse across multiple environments in the cloud. CDR needs to keep up. | https://permiso.io/blog/cloud-detection-and-response-needs-to-break-down-boundaries | 2023/09/10 |
| 7 Ways to Escape a Container | Post delving into seven common container escape techniques, shedding light on the essential configurations and minimal Linux capabilities required for each method. | https://www.panoptica.app/research/7-ways-to-escape-a-container | 2023/09/10 |
| Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows | Action pinning doesn't always offer security. Understand risks stemming from the GitHub Actions ecosystem and learn how to avoid compromise of CI/CD pipeline. | https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/ | 2023/09/10 |
| New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services | Security Joes Incident Response team recently became aware of a set of relatively new CVEs that were released at the end of March 2023. Surprisingly, these vulnerabilities have received little to no media coverage regarding their ease of exploitation and the potential security implications they pose to any cluster running a non-native object storage. | https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services | 2023/09/10 |
| Certified-Kubernetes-Security-Specialist | Curated resources help you prepare for the CNCF CKS "Kubernetes Certified Security Specialist" Certification exam. | https://github.com/walidshaari/Certified-Kubernetes-Security-Specialist | 2023/09/10 |
| Lessons from Recent Social Engineering Attacks on Okta Super Admin Accounts | Post exploring the latest Okta security incidents and explaining how to fortify your IAM system against social engineering attacks. | https://acsense.com/blog/okta-super-admin-breach-steps-for-iam-resilience/ | 2023/09/10 |
| Getting into AWS cloud security research | How to start doing AWS security research. What you need to learn, who you should learn from, and what you should think about along the way while not actually doing research. | https://dagrz.com/writing/aws-security/getting-into-aws-security-research/ | 2023/09/03 |
| Build your own SLSA 3+ provenance builder on GitHub Actions | Thanks to the "Bring Your Own Builder" framework, it's now possible for maintainers of existing GitHub Actions to start producing SLSA Level 3 provenance attestations. | https://slsa.dev/blog/2023/08/bring-your-own-builder-github | 2023/09/03 |
| Authorizing cross-account KMS access with aliases | KMS aliases are a great way to make KMS keys more convenient. But permitting one account to use an KMS key in another account through a KMS alias can be difficult. This article explains why, and how to solve the problem correctly. | https://lucvandonkersgoed.com/2023/08/25/authorizing-cross-account-kms-access-with-aliases/ | 2023/09/03 |
| Falco-bypasses | Research on various techniques to bypass default falco ruleset. | https://github.com/blackberry/Falco-bypasses | 2023/09/03 |
| How to Detect When an Azure Guest User Account Is Being Exploited | In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. However, this could prove to be a costly mistake. | https://orca.security/resources/blog/detect-guest-user-account-exploited/ | 2023/09/03 |
| 5 Tips to prevent or limit the impact of an incident in Azure | Five low-cost and easy to implement measures with high-impact to prevent or limit the impact of an incident in Azure: setup budget quotas, restrict app registration, prevent subscriptions from entering your tenant, ingest audit logging, and limit external collaboration. | https://invictus-ir.medium.com/5-tips-to-prevent-or-limit-the-impact-of-an-incident-in-azure-e9f664fe0100 | 2023/09/03 |
| Grafana security update: GPG signing key rotation | Grafana signing keys have been exposed. Be sure to update their trusted certificate if you are a Grafana user. | https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/ | 2023/09/03 |
| Verifying images in a private Amazon ECR with Kyverno and IAM Roles for Service Accounts (IRSA) | Applications, such as Kyverno, running within a Pod's containers can utilize the AWS SDK to make API requests to AWS services by leveraging AWS Identity and Access Management (IAM) permissions. | https://www.cncf.io/blog/2023/08/29/verifying-images-in-a-private-amazon-ecr-with-kyverno-and-iam-roles-for-service-accounts-irsa/ | 2023/09/03 |
| The building blocks of modern enterprise identity | The article discusses the importance of modern enterprise identity in the context of cloud-native technologies. It highlights the key building blocks of identity, including authentication, authorization, and identity governance, and emphasizes the need for a comprehensive and scalable identity solution to ensure security and compliance in the cloud. | https://www.bvp.com/atlas/the-building-blocks-of-modern-enterprise-identity | 2023/08/27 |
| Risk in AWS SSM Port Forwarding | A surprising AWS Systems Manager Session Manager (SSM) default that can introduce risk, especially for customers using SSM's Port Forwarding features. | https://ramimac.me/ssm-iam | 2023/08/27 |
| Shipping RDS IAM Authentication (with a bastion host & SSM) | A basic guide to getting RDS IAM Authentication set up when you're using a Private Endpoint. | https://ramimac.me/rds-iam-auth | 2023/08/27 |
| Methods to Backdoor an AWS Account | Post exploring some methods that an adversary can use to create backdoors in your AWS account: access keys, AssumeRole, changing Security Groups, UserData scripts, and SSM Send-Command. | https://mystic0x1.github.io/posts/methods-to-backdoor-an-aws-account/ | 2023/08/27 |
| Container security fundamentals part 5: AppArmor and SELinux | A look at how AppArmor and SELinux are used in Linux and container systems. | https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-5/ | 2023/08/27 |
| Kubernetes Security Ultimate Checklist | A security checklist to understand the basics of authentication, authorization, audit logging, and admission control of Kubernetes. | https://ksoc.com/blog/kubernetes-security-ultimate-checklist | 2023/08/27 |
| Building Docker Images Smaller, Rootless and Non-Shell for Kubernetes | The article discusses how to build smaller Docker images for Kubernetes by using rootless and non-shell configurations. It provides step-by-step instructions and code examples to help optimize container images. | https://dev.to/madmaxx/building-docker-images-smaller-rootless-and-non-shell-for-kubernetes-hkb | 2023/08/27 |
| Pivoting Clouds in AWS Organizations: Examining AWS Security Features and Tools for Enumeration | The architecture and considerable number of enabled/delegated service possibilities in AWS Organizations presents a serious vector for lateral movement within corporate environments. This could easily turn a single AWS account takeover into a multiple account takeover. | https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/ | 2023/08/27 |
| Kubernetes Validating Admission Policies: A Practical Example | An example showing how to use the new Common Expression Language (CEL) to declare validation rules. | https://kubernetes.io/blog/2023/03/30/kubescape-validating-admission-policy-library/ | 2023/08/27 |
| How Threat Actors Use GitHub | The article explains how threat actors leverage GitHub for command and control & data exfiltration, malware delivery, and supply chain attacks. | https://detect.fyi/how-threat-actors-use-github-bd991c11ed37 | 2023/08/20 |
| Third-Party GitHub Actions: Effects of an Opt-Out Permission Model | Post sharing how the world's most popular repositories fail to manage their build permissions, as well as walking through the why and the how of proper permissions management in GitHub Actions. | https://www.paloaltonetworks.com/blog/prisma-cloud/github-actions-opt-out-permissions-model/ | 2023/08/20 |
| How to identify when you've lost control of your SIEM (and how to rein it back in) | The article explains how to recognize when you have lost control of your SIEM. It provides signs to look out for, such as excessive false positives and having trouble answering basic investigative questions. | https://expel.com/blog/how-to-identify-when-youve-lost-control-of-your-siem/ | 2023/08/20 |
| Identifying & Reducing Permission Explosion in AWS | The slides of a BlackHat 2023 talk that discusses how to identify, fix, and prevent permission explosion in your AWS environment. | https://i.blackhat.com/BH-US-23/Presentations/US-23-Moolrajani-Reducing-AWS-Permission-Explosion.pdf | 2023/08/20 |
| When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability | Threat actors used SugarCRM's zero-day CVE-2023-22952 and cloud account misconfigurations to access credentials. | https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/ | 2023/08/20 |
| What's new for security in Kubernetes 1.28 | A recap of some of the interesting new security changes in Kubernetes 1.28. | https://securitylabs.datadoghq.com/articles/whats-new-for-security-in-kubernetes-128/ | 2023/08/20 |
| Unleashing in-toto: The API of DevSecOps | The article discusses the importance of integrating security into the DevOps process and introduces In-Toto, an open-source framework that provides a way to verify the integrity of software supply chains. It explains how In-Toto can be used as an API in DevSecOps to ensure the security and trustworthiness of software. | https://www.cncf.io/blog/2023/08/17/unleashing-in-toto-the-api-of-devsecops/ | 2023/08/20 |
| An Azure Tale of VPN, Conditional Access and MFA Bypass | A walkthrough review of the implementation of an on-prem VPN server that used Azure AD as the idP and enforced MFA via conditional access policies. | https://simondotsh.com/infosec/2023/08/15/azure-tale-vpn-ca-mfa-bypass.html | 2023/08/20 |
| Terraform best practices for reliability at any scale | At scale, many Terraform state files are better than one. But how do you draw the boundaries and decide which resources belong in which state files? What are the best practices for organizing Terraform state files to maximize reliability, minimize the blast-radius of changes, and align with the design of cloud providers? | https://substrate.tools/blog/terraform-best-practices-for-reliability-at-any-scale | 2023/08/20 |
| How to setup geofencing and IP allow-list for Cognito user pool | AWS recently announced that is now possible to enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists. | https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/ | 2023/08/20 |
| AWS Security Monitoring in 2023: Untangle the chaos | This post provides recommendations for implementing an effective security monitoring strategy in AWS. | https://cloudonaut.io/2023-08-04-aws-security-monitoring/ | 2023/08/13 |
| Application Architecture as Code | Cloud automation isn't just about infrastructure anymore. This also affects automation language design. | https://architectelevator.com/cloud/iac-architecture-as-code/ | 2023/08/13 |
| SSRF Tricks - Thread | Some tricks @rhynorater picked up over the past 5 years of web app testing. | https://twitter.com/rhynorater/status/1689400476452679682 | 2023/08/13 |
| Hacking Github AWS integrations again | Another post looking at the perils of unproperly scoping access provided by OIDC. | https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/ | 2023/08/13 |
| VS Code Token Security: Keeping Your Secrets... Not So Secretly | Apparently VSCode's secret manager allows any extension to extract all the secrets, including built-in authentication tokens for Microsoft and GitHub. | https://cycode.com/blog/exposing-vscode-secrets/ | 2023/08/13 |
| Kubernetes Exposed: One Yaml away from Disaster | The AquaSec team found two misconfigurations in Kubernetes clusters belonging to more than 350 organizations openly accessible and largely unprotected. | https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster | 2023/08/13 |
| Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform | A researcher at Tenable has discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets). | https://www.tenable.com/security/research/tra-2023-25 | 2023/08/13 |
| Knocking on the Front Door (client side desync attack on Azure CDN) | A write-up on a Browser-Powered Desync bug discovered in the Azure CDN service known as Front Door. | https://blog.jeti.pw/posts/knocking-on-the-front-door/ | 2023/08/13 |
| HashiCorp Vault observability: Monitoring Vault at scale | How to implement a mature Vault monitoring and observability strategy to simplify finding answers to important Vault questions. | https://www.hashicorp.com/blog/hashicorp-vault-observability-monitoring-vault-at-scale | 2023/08/13 |
| HashiCorp adopts Business Source License | HashiCorp is changing its source code license from Mozilla Public License v2.0 (MPL 2.0) to the Business Source License (BSL, also known as BUSL) v1.1 on all future releases of HashiCorp products. HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0. | https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license | 2023/08/13 |
| awesome-kubernetes-threat-detection | A curated list of resources about detecting threats and defending Kubernetes systems. | https://github.com/jatrost/awesome-kubernetes-threat-detection | 2023/08/06 |
| Signing URLs in GCP: Convenience vs. Security | Why the "iam.serviceAccounts.signBlob" permission can cause trouble in your GCP environment. | https://lsgeurope.com/post/signing-urls-in-gcp-convenience-vs-security | 2023/08/06 |
| More on Abusing the Amazon Web Services SSM Agent as a Remote Access Trojan | This blog lays out a new potential post-exploitation technique: Abusing AWS Systems Manager (SSM) agent so that it functions as a Remote Access Trojan (RAT) on both Linux and Windows machines, while using an attacker AWS account as a Command and Control (C&C). | https://www.mitiga.io/blog/abusing-the-amazon-web-services-ssm-agent-as-a-remote-access-trojan | 2023/08/06 |
| A Complete Kubernetes Config Review Methodology | An overview of the possible aspects that should be reviewed when dealing with a Kubernetes Security Assessment. | https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-methodology/ | 2023/08/06 |
| From soup to nuts: Building a Detection-as-Code pipeline | How to build and implement a Detection-as-Code pipeline from scratch using Terraform, Sumo Logic, and Tines. | https://medium.com/threatpunter/from-soup-to-nuts-building-a-detection-as-code-pipeline-28945015fc38 | 2023/08/06 |
| Microsoft Entra Workload ID - Introduction and Delegated Permissions | Post providing an overview about some aspects and features which are important in delegating management of Workload ID in Microsoft Entra: Who can see and create apps? Why you should avoid assigning owners to service principals or application objects? | https://www.cloud-architekt.net/entra-workload-id-introduction-and-delegation/ | 2023/08/06 |
| Best practices for organizations and teams using GitHub Enterprise Cloud | The article provides best practices for organizations and teams using GitHub Enterprise Cloud, including tips for securing repositories, managing access controls, and integrating with other security tools. | https://github.blog/2023-08-02-best-practices-for-organizations-and-teams-using-github-enterprise-cloud/ | 2023/08/06 |
| Maturing your Terraform workflow | A few guidelines that can help organizations mature their use of HashiCorp Terraform modules for scale and a faster release cadence. | https://www.hashicorp.com/blog/maturing-your-terraform-workflow | 2023/08/06 |
| Telling More Okta Detection Stories with Google Chronicle | Okta has partnered with Google Chronicle to open source a set of detections rules that help surface cloud attack vectors and provide high-fidelity, contextualized alerts to give insight into potential threats. You can find these detectionson GitHub. | https://sec.okta.com/articles/2023/08/telling-more-okta-detection-stories-google-chronicle | 2023/08/06 |
| Let's talk about SaaS attack techniques | A collection of SaaS attack techniques to help defenders understand the threats they face. You can also refer to thecompanion repository. | https://pushsecurity.com/blog/saas-attack-techniques/ | 2023/07/30 |
| No keys attached: Exploring GitHub-to-AWS keyless authentication flaws | While popular, GitHub-to-AWS keyless authentication mechanisms can be insecurely configured. | https://securitylabs.datadoghq.com/articles/exploring-github-to-aws-keyless-authentication-flaws/ | 2023/07/30 |
| Swiping right on the AWS WAF CAPTCHA challenge | Post walking through a methodology for beating the AWS WAF CAPTCHA challenges programmatically. | https://onecloudplease.com/blog/swiping-right-on-the-aws-waf-captcha-challenge | 2023/07/30 |
| Hijacking Cloud CI/CD Systems for Fun and Profit | This research details a new technique that can be used by threat actors for supply chain attacks on open-source repositories using GCP, Azure and AWS. | https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit | 2023/07/30 |
| Container Security Workshop | Slides from @smarticu5 and @raesene container security workshop delivered at SteelCon, which covers the basics of Docker and Kubernetes security. | https://smarticu5.github.io/assets/talks/Steelcon-Container-Security-Workshop.pdf | 2023/07/30 |
| Automated First-Response in AWS using Sigma and Athena | Can Sigma rules provide first-response capabilities in a post-compromised AWS environment? | https://invictus-ir.medium.com/automated-first-response-in-aws-using-sigma-and-athena-615940bedc56 | 2023/07/30 |
| Rethinking infrastructure as code from scratch | Post pondering about infrastructure complexity, the current state of infrastructure as code, and how it will not get simpler. | https://nathanpeck.com/rethinking-infrastructure-as-code-from-scratch/ | 2023/07/30 |
| AWS Networking Concepts | A mind map to link together all the different networking-related concepts from AWS. | https://miparnisariblog.wordpress.com/2023/03/29/aws-networking-concepts/ | 2023/07/30 |
| From IP to identity: making cattle out of pets in cloud native | This article traces the evolution of identity in systems programming to the current cloud native era, and shows how identity is now key to how cloud native projects, like Kubernetes and Cilium, create powerful platforms in the real world today. | https://www.cncf.io/blog/2023/07/24/from-ip-to-identity-making-cattle-out-of-pets-in-cloud-native/ | 2023/07/30 |
| Authentication and Authorization for OCI File Storage (FSS) with Kerberos and LDAP | This blog post introduces Kerberos and LDAP integration with the OCI File Storage Service, providing an overview of the features and their general configuration requirements. | https://blogs.oracle.com/cloud-infrastructure/post/oci-file-storage-integration-kerberos-ldap-nfs | 2023/07/30 |
| Levels.fyi 2023 Mid-Year Compensation Report | Levels.fyi has released their 2023 Mid-Year Report, which provides insights into tech industry salaries and trends. | https://www.levels.fyi/blog/2023-mid-year-report.html | 2023/07/23 |
| Bad.Build: PE & RCE Vulnerabilities in Google Cloud Build | The Orca Research Pod discovered Bad.Build, a vulnerability in the Google Cloud Build service that enables attackers to escalate privileges and gain unauthorized access to code repositories and images in Artifact Registry. | https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability/ | 2023/07/23 |
| Abusing Amazon VPC CNI plugin for Kubernetes | The article discusses a security vulnerability in the Amazon VPC CNI plugin, used by Amazon EKS. The flaw allows an attacker to move laterally to other VPCs in the AWS account. | https://www.elttam.com/blog/amazon-vpc-cni/ | 2023/07/23 |
| Refuting AWS Chain Attack - Digging Deeper into EKS Zero Day claims | An analysis of the findings published by a security researcher last month, claiming to have uncovered zero days in thousands of EKS cluster. | https://kloudle.com/blog/refuting-aws-chain-attack-digging-deeper-into-eks-zero-days-claim/ | 2023/07/23 |
| Guide to Istio's Authentication and Authorization Policies | Learn how Istio's authentication and authorization policies enhance security in microservices. Get a comprehensive guide to implementing robust access control. | https://www.infracloud.io/blogs/istio-authentication-authorization-policies/ | 2023/07/23 |
| How to get rid of AWS access keys - Part 3: Replacing the authentication | Post discussing alternative solutions to using access keys. | https://www.wiz.io/blog/how-to-get-rid-of-aws-access-keys-part-3 | 2023/07/23 |
| Kubernetes Security Basics Series: Part III - Container Deployment | Post explaining how to see container deployments as a precursor to building secure production infrastructure using Kubernetes. | https://ksoc.com/blog/kubernetes-security-basics-series-part-iii-container-deployment | 2023/07/23 |
| Kubernetes API limitations in finding non-standard pods and containers | Why it's essential to monitor non-standard pods and containers, including static pods, mirror pods, init containers, pause containers, and ephemeral containers within your Kubernetes environment. | https://www.wiz.io/blog/kubernetes-api-limitations-in-finding-non-standard-pods-and-containers | 2023/07/23 |
| Orca Security's journey to a petabyte-scale data lake with Apache Iceberg and AWS Analytics | Orca Security shares their experience in building a petabyte-scale data lake using Apache Iceberg and AWS services. | https://aws.amazon.com/blogs/big-data/orca-securitys-journey-to-a-petabyte-scale-data-lake-with-apache-iceberg-and-aws-analytics/ | 2023/07/23 |
| Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email | Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access. | https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/ | 2023/07/16 |
| Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact | In this paper, researchers analyzed 337,171 images from Docker Hub and 8,076 other private registries unveiling that 8.5% of images indeed include secrets. | https://arxiv.org/pdf/2307.03958.pdf | 2023/07/16 |
| PCI/DSS Controls with Falco | Learn how Falco detects failed/misconfigured PCI/DSS Controls. | https://falco.org/blog/falco-pci-controls/ | 2023/07/16 |
| Enforcing Secure and Cost-Effective Infrastructure as Code with Terraform, OPA, and Infracost | Post exploring the implementation of OPA and Infracost in a Terraform project, featuring a basic AWS setup with EC2 and RDS resources. | https://medium.com/@ladibnasr/enforcing-secure-and-cost-effective-infrastructure-as-code-with-terraform-opa-and-infracost-22b4b4c880c2 | 2023/07/16 |
| detection-and-response-pipeline | A compilation of suggested tools/services for each component in a detection and response pipeline, along with real-world examples. | https://github.com/0x4D31/detection-and-response-pipeline | 2023/07/16 |
| Summary of Upcoming Changes in OCI Image and Distribution Specs v1.1 | Article which highlights improvements in areas such as image layout, content addressability, and distribution manifests, aiming to enhance security, interoperability, and performance in container image management. | https://opencontainers.org/posts/blog/2023-07-07-summary-of-upcoming-changes-in-oci-image-and-distribution-specs-v-1-1/ | 2023/07/16 |
| PodSecurityPolicy migration with Kyverno | The article discusses how to migrate from PodSecurityPolicy (PSP) to Kyverno, a Kubernetes policy engine. It explains the challenges of migrating and provides step-by-step instructions on how to perform the migration. | https://www.cncf.io/blog/2023/07/12/podsecuritypolicy-migration-with-kyverno/ | 2023/07/16 |
| Terraform apply as code: The multispace pattern | How to use the Terraform Cloud/Enterprise provider to coordinate applies and destroys on downstream workspaces in Terraform Cloud. | https://www.hashicorp.com/blog/terraform-apply-as-code-the-multispace-pattern | 2023/07/16 |
| Introducing passwordless authentication on GitHub.com | Passkeys are now available in public beta. Opting in lets you upgrade security keys to passkeys, and use those in place of both your password and your 2FA method. | https://github.blog/2023-07-12-introducing-passwordless-authentication-on-github-com/ | 2023/07/16 |
| Kubernetes logging best practices | Post discussing Kubernetes logging and the best practices for logging in a Kubernetes environment. | https://www.cncf.io/blog/2023/07/03/kubernetes-logging-best-practices/ | 2023/07/09 |
| What's New in AWS Certified Security Specialty SCS-C02 Exam in 2023? | The AWS Security Specialty Exam (SCS-C01) got a makeover and will be retiring next week. The new and improved SCS-C01, updated with new content and an added domain is now available. | https://twitter.com/4n6lady/status/1675636987133321217 | 2023/07/09 |
| Sometimes What Sounds Benign Can Bite You: An Unexpected Implication of Lambda Privileges | Granting a user the unconstrained permission to update Lambda function code in an AWS account can have unexpected, possibly severe, consequences under certain conditions that might not be obvious on first pass. | https://ermetic.com/blog/aws/sometimes-what-sounds-benign-can-bite-you-an-unexpected-implication-of-lambda-privileges/ | 2023/07/09 |
| Cedar: Avoiding the cracks | More and more engineers are considering integrating Cedar into their own systems for authorization, but what do policy authors need to consider to avoid unexpected outcomes? | https://onecloudplease.com/blog/cedar-avoiding-the-cracks | 2023/07/09 |
| Threat Alert: Anatomy of Silentbob's Cloud Attack | AquaSec identified infrastructure in early stages of testing and deployment of a cloud worm, designed to deploy on exposed JupyterLab and Docker APIs. | https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack | 2023/07/09 |
| So you want to check image signatures in Kubernetes? | Five problems you'll likely encounter when trying to verify signatures at deployment time in Kubernetes. | https://www.chainguard.dev/unchained/so-you-want-to-check-image-signatures-in-kubernetes | 2023/07/09 |
| Securing CI/CD Pipelines with 1Password Service Accounts | 1Password announced that1Password Service Accountsare now generally available. Service accounts offer a secure, automated way to access infrastructure secrets from CI/CD workflows. | https://blog.1password.com/1password-service-accounts/ | 2023/07/09 |
| Confidential Kubernetes: Use Confidential Virtual Machines and Enclaves to improve your cluster security | Post introducing the concept of Confidential Computing (CC) to improve any computing environment's security and privacy properties, especially Kubernetes. | https://kubernetes.io/blog/2023/07/06/confidential-kubernetes/ | 2023/07/09 |
| Open-sourcing sysgrok - An AI assistant for analyzing, understanding, and optimizing systems | Elastic introduce sysgrok, a research prototype investigating how large language models (LLMs) can be applied to problems in the domains of performance optimization, root cause analysis, and systems engineering. | https://www.elastic.co/blog/open-sourcing-sysgrok-ai-assistant | 2023/07/09 |
| Defending Continuous Integration/Continuous Delivery (CI/CD) Environments | The NSA and CISA are releasing a cybersecurity information sheet to provide recommendations and best practices for improving defenses in cloud implementations of development, security, and operations (DevSecOps). | https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF | 2023/07/02 |
| How to get rid of AWS access keys - Part 2: Reducing Privileges | How to reduce the privileges of AWS access keys in order to mitigate their risk. | https://www.wiz.io/blog/how-to-get-rid-of-aws-access-keys-part-2 | 2023/07/02 |
| Leveraging AWS SSO (aka Identity Center) with Google Workspaces | A Better way to configure AWS Identity Center to use Google Workspace/Cloud Identity with SCIM Support. | https://www.primeharbor.com/blog/aws-identity-center-google-v2/ | 2023/07/02 |
| Verifying Container Image Signatures Within CRI Runtimes | The process of verifying container image signatures and the benefits of implementing this practice in a Kubernetes environment. | https://kubernetes.io/blog/2023/06/29/container-image-signature-verification/ | 2023/07/02 |
| Shrink to Secure: Kubernetes and Secure Compact Containers | Reduce the size of your Kubernetes containers to reduce security vulnerabilities CVE. Some tools to make this happen: Chainguard Apko and Melange, Buildpacks.io, WolfiOS. | https://medium.com/@giuseppe.santoro/shrink-to-secure-kubernetes-and-compact-containers-296b67d9975a | 2023/07/02 |
| How to add, use, and update .terraform.lock.hcl without pain | The article discusses the importance of using Terraform lockfiles. It explains how lockfiles work, why they are necessary, and provides practical examples on how to use them effectively in Terraform projects. | https://grem1.in/post/terraform-lockfiles-maxymvlasov/ | 2023/07/02 |
| 8 Terraform continuous validation use cases for AWS, Google Cloud, and Azure | How to use Terraform "check" blocks and continuous validation with AWS, Google Cloud, and Azure services. | https://www.hashicorp.com/blog/8-terraform-continuous-validation-use-cases-for-aws-google-cloud-and-azure | 2023/07/02 |
| AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice | While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass. | https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/ | 2023/07/02 |
| Analyzing Volatile Memory on a Google Kubernetes Engine Node | Post explaining in detail how memory analysis works and how it can be used on any GKE node in production today. | https://engineering.atspotify.com/2023/06/analyzing-volatile-memory-on-a-google-kubernetes-engine-node/ | 2023/06/25 |
| Implement DevSecOps to Secure your CI/CD pipeline | A thorough introduction which provides a step-by-step guide to implementing DevSecOps in a CI/CD pipeline. | https://www.infracloud.io/blogs/implement-devsecops-secure-ci-cd-pipeline/ | 2023/06/25 |
| AWS CloudTrail cheat sheet | An attempt to document CloudTrail events that are "interesting" for incident responders or detection engineers. | https://invictus-ir.medium.com/aws-cloudtrail-cheat-sheet-dcf2b92e37e2 | 2023/06/25 |
| A less suspect way to get external IP's, thanks to Cloudflare | You can use any Cloudflare protected site to retrieve your external IP address, thanks to a script offered by the CDN. | https://www.fullspectrum.dev/a-less-suspect-way-to-get-external-ips-thanks-to-cloudflare/ | 2023/06/25 |
| CloudGoat Vulnerable Lambda Scenario - Part 2 (Response) | As an incident responder, walk through how we can investigate and resolve an ongoing attack targeting CloudGoat's vulnerable Lambda scenario. | https://0xdeadbeefjerky.com/posts/cloudgoat-lambda-walkthrough-part-2/ | 2023/06/25 |
| Erosion of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform Registry | Unlike providers, modules do not benefit from the cryptographic guarantee provided by the Dependency Lock File, resulting in potential security threats. | https://medium.com/boostsecurity/erosion-of-trust-unmasking-supply-chain-vulnerabilities-in-the-terraform-registry-2af48a7eb2 | 2023/06/25 |
| Kubernetes Security Basics Series: Part II - Container Security | Containers share the same kernel and potential vulnerabilities can pose risks to the host and other containers. Implementing security measures like namespace partitioning, control groups, seccomp, AppArmor, SELinux, and vulnerability scanning can help mitigate these risks. | https://ksoc.com/blog/kubernetes-security-basics-series-part-ii-container-security | 2023/06/25 |
| nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover | An implementation flaw discovered in Microsoft Azure AD OAuth applications that, when exploited, could lead to full account takeover. | https://www.descope.com/blog/post/noauth | 2023/06/25 |
| Bringing Transparency to Confidential Computing with SLSA | Google's Project Oak is a research effort that relies on the confidential computing paradigm to build an infrastructure for processing sensitive user data in a secure and privacy-preserving way. | https://security.googleblog.com/2023/06/bringing-transparency-to-confidential.html | 2023/06/25 |
| Vault 1.14 brings ACME for PKI, AWS roles, and more improvements | HashiCorp Vault 1.14 includes the Vault Secrets Operator GA, ACME PKI, and a new OpenLDAP secrets engine. | https://www.hashicorp.com/blog/vault-1-14-brings-acme-for-pki-aws-roles-and-more-improvements | 2023/06/25 |
| The principle of minimalism | The principle of minimalism in engineering, where your default should be the lowest-common denominator of what you actually need. | https://www.chainguard.dev/unchained/the-principle-of-minimalism | 2023/06/25 |
| Kubernetes Grey Zone: Risks in Managed Cluster Middleware | Little is known about the risks managed clusters bring to the table, compared to a vanilla Kubernetes distribution. | https://www.wiz.io/blog/kubernetes-grey-zone-risks-in-managed-cluster-middleware | 2023/06/18 |
| Messing Around With AWS Batch For Privilege Escalations | How to achieve privilege escalation via misconfigured AWS Batch. | https://blog.doyensec.com/2023/06/13/messing-around-with-aws-batch-for-privilege-escalations.html | 2023/06/18 |
| AWS API Gateway header smuggling and cache confusion | Post diving into two potential security issues identified in AWS API Gateway authorizers. | https://securityblog.omegapoint.se/en/writeup-apigw/ | 2023/06/18 |
| Spotted: How we discovered Privilege Escalation, missing CloudTrail data and a race condition in AWS Directory Service | A set of bugs in AWS Directory Service. One of them could be used for privilege escalation by an authenticated user with sufficient permissions. | https://cloudar.be/awsblog/spotted-privilege-escalation-in-aws-directory-service/ | 2023/06/18 |
| AWS Pentest Methodology | A high-level methodology of how one could conduct a penetration test inside the AWS platform. | https://medium.com/@MorattiSec/my-aws-pentest-methodology-14c333b7fb58 | 2023/06/18 |
| Executing Arbitrary Code & Executables in Read-Only FileSystems | Different methods of executing arbitrary code and executables in read-only file systems where writable folders are marked as noexec, focusing on pods within the Kubernetes context. | https://labs.withsecure.com/publications/executing-arbitrary-code-executables-in-read-only-filesystems | 2023/06/18 |
| Terraform 1.5 brings config-driven import and checks | HashiCorp Terraform 1.5 is now generally available, featuring a config-driven import workflow and a new language primitive for infrastructure validations. | https://www.hashicorp.com/blog/terraform-1-5-brings-config-driven-import-and-checks | 2023/06/18 |
| Vault Secrets Operator for Kubernetes now GA | The Vault Secrets Operator implements a first-class Kubernetes Operator for Vault, along with CRDs responsible for synchronizing Vault secrets to Kubernetes Secrets. | https://www.hashicorp.com/blog/vault-secrets-operator-for-kubernetes-now-ga | 2023/06/18 |
| The Big IAM Challenge | A CTF challenge created to boost your AWS IAM knowledge. | https://bigiamchallenge.com/challenge/1 | 2023/06/11 |
| Practical Dependency Management for Developers | Some useful tips on wrangling dependencies from someone who worked on large-scale projects, CI/CD, build tools, and more. | https://matt-rickard.com/practical-dependency-management-for-developers | 2023/06/11 |
| 7 lesser-known AWS SSM Document techniques for code execution | A deep dive into AWS SSM Run Command shows that there are multiple documents attackers can use for executing code remotely on EC2 instances. | https://securitycafe.ro/2023/04/19/7-lesser-known-aws-ssm-document-techniques-for-code-execution/ | 2023/06/11 |
| Scaling Authorization with Cedar and OPAL | A practical tutorial to build a comprehensive Cedar-based application authorization system. | https://www.permit.io/blog/scaling-authorization-with-cedar-and-opal | 2023/06/11 |
| OneDrive to Enum Them All | TrustedSec researchers have discovered a OneDrive enumeration vulnerability that could allow an attacker to discover the email addresses of OneDrive users. You can also refer to thecompanion tool. | https://www.trustedsec.com/blog/onedrive-to-enum-them-all/ | 2023/06/11 |
| Confused Deputy Vulnerability in Cloudflare CASB | A vulnerability in Cloudflare CASB that enabled to view sensitive information about other customers' Microsoft and GitHub organizations. This included employee names/emails, links to SharePoint files, repository names/descriptions and more. | https://albertpedersen.com/blog/cloudflare-casb-confused-deputy/ | 2023/06/11 |
| Implementing machine-to-machine authentication for services behind an AWS ALB with OIDC | Post delving into the possibilities of enforcing machine-to-machine (m2m) authentication using OIDC (OpenID Connect) at a high level when utilizing an AWS ALB. | https://medium.com/@hettiarachchi.yashodha/enforcing-machine-to-machine-authentication-for-services-behind-an-aws-alb-part-2-e06707e6f366 | 2023/06/11 |
| We reported a security issue in AWS CDK's eks.Cluster component | Two sleuthing SREs uncovered an AWS security issue. Here's how they found it, why it matters, and what you need to do to resolve it. | https://garden.io/blog/aws-security-issue | 2023/06/11 |
| Using Cloud Securely: The Config Doom Question | Customers do not know how to configure cloud services securely. | https://medium.com/anton-on-security/using-cloud-securely-the-config-doom-question-36e7e9c018e2 | 2023/06/11 |
| Exploring Firecracker MicroVMs for Multi-Tenant Dagger CI/CD Pipelines | Experimenting with the feasibility of running Dagger CI/CD pipelines isolated from each other using Firecracker microVMs to provide a strong security model in a multi-tenant scenario. When a customer runs a pipeline, their containers are executed in an isolated environment. | https://www.felipecruz.es/exploring-firecracker-microvms-for-multi-tenant-dagger-ci-cd-pipelines/ | 2023/06/04 |
| Detect Anomalies In Our AWS Infrastructure | Low-maintenance Cloud-Based Anomaly Detection System with Bytewax, Redpanda, and AWS. | https://bytewax.io/blog/aws-anomaly-detection | 2023/06/04 |
| Warden: Real Time Anomaly Detection at Pinterest | Pinterest Engineering has developed a real-time anomaly detection system called Warden, which uses machine learning to identify unusual activity and potential security threats on their platform. | https://medium.com/pinterest-engineering/warden-real-time-anomaly-detection-at-pinterest-210c122f6afa | 2023/06/04 |
| How to get rid of AWS access keys - Part 1: The easy wins | Learn how to identify unused and unnecessary long-lived IAM User access keys. | https://www.wiz.io/blog/how-to-get-rid-of-aws-access-keys-part-1-the-easy-wins | 2023/06/04 |
| Misconfiguration Spotlight: Securing the EC2 Instance Metadata Service | A look at how the EC2 Instance Metadata Service can be taken advantage of. | https://securitylabs.datadoghq.com/articles/misconfiguration-spotlight-imds/ | 2023/06/04 |
| How to choose the right API Gateway auth method | API Gateway supports quite a few authentication and authorization methods, plus, you can always authenticate users inside your endpoint. So, the big question is, how do you choose the right one for your API? | https://theburningmonk.com/2020/06/how-to-choose-the-right-api-gateway-auth-method/ | 2023/06/04 |
| Passkeys, the end of passwords and account takeovers? | A deep-dive blogpost on how to implement Passkeys and how to think about the threat model and security guarantees they offer. | https://www.slashid.dev/blog/passkeys-security-implementation/ | 2023/06/04 |
| Understanding networking in Kubernetes | An in-depth analysis of Kubernetes networking, including container-to-container, pod-to-pod, pod-to-service, ingress, and egress communication. | https://www.learncloudnative.com/blog/2023-05-31-kubeproxy-iptables | 2023/06/04 |
| Google Trust Services ACME API available to all users at no cost | Google now offers general availability of Google Trust Services ACME endpoint allowing anyone to get TLS certificates for their websites for free. | https://security.googleblog.com/2023/05/google-trust-services-acme-api_0503894189.html | 2023/06/04 |
| Packaging Open Policy Agent policies with Nix | Howto use Nix to turn Open Policy Agent policies into standalone CLI tools. | https://determinate.systems/posts/open-policy-agent | 2023/06/04 |
| Bridging the Security Gap: Mitigating Lateral Movement Risks from On-Premises to Cloud Environments | This blog post discusses lateral movement risks from on-prem to the cloud, explaining attacker TTPs, and outlining best practices for cloud builders and defenders to help secure their cloud environments and mitigate risk. | https://www.wiz.io/blog/lateral-movement-risks-in-the-cloud-and-how-to-prevent-them-part-4-from-compromis | 2023/05/28 |
| Is Cloud Forensics just Log Analysis? Kind Of. | The article discusses the differences between traditional forensics and cloud forensics, highlighting the importance of understanding cloud-specific artifacts and logs. | https://www.cadosecurity.com/is-cloud-forensics-just-log-analysis-kind-of/ | 2023/05/28 |
| Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor | This article describes the attack lifecycle and detection opportunities for a cloud-focused, financially motivated threat actor. | https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/ | 2023/05/28 |
| AWS Lambda Function: IAM User Password Expiry Notice | Walk through the necessary steps to set up an AWS Lambda function to email notifications to IAM Users when their AWS Web Console passwords are expiring. | https://blog.jennasrunbooks.com/aws-lambda-function-iam-user-password-expiry-notice-ses-boto3-terraform | 2023/05/28 |
| Protect your data from ransomware with S3 Object Lock | A simple-term introduction to S3 Object Lock, what it is, and how does it work. | https://blog.symops.com/2022/07/07/prevent-ransomware-s3-object-lock/ | 2023/05/28 |
| Tampering with Conditional Access Policies Using Azure AD Graph API | Modifications made using AADGraph are not properly logged, endangering integrity and non-repudiation of Azure AD policies. | https://www.secureworks.com/research/tampering-with-conditional-access-policies-using-azure-ad-graph-api | 2023/05/28 |
| Container security fundamentals part 4: Cgroups | A look at how cgroups are used in Linux and container systems. | https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-4/ | 2023/05/28 |
| Terraform check Block | The "check" block has been introduced in the latest pre-release of Terraform (v1.5.0). This allows practitioners to define assertions based on data source values to verify the state of the infrastructure on an ongoing basis. | https://unfriendlygrinch.info/posts/terraform-check-block/ | 2023/05/28 |
| Terraform AWS provider 5.0 adds updates to default tags | Version 5.0 of the HashiCorp Terraform AWS provider brings improvements to default tags, allowing practitioners to set tags at the provider level. | https://www.hashicorp.com/blog/terraform-aws-provider-5-0-adds-updates-to-default-tags | 2023/05/28 |
| The Art of the Security Double Play: How Mercari Combines Internal Audits and Custom CodeQL Queries to Keep Systems Safe | Mercari combines internal audits and custom CodeQL queries to keep their systems safe. They use CodeQL to write custom queries that identify vulnerabilities in their code. These queries are then run regularly as part of their internal audit process. | https://engineering.mercari.com/en/blog/entry/20230512-the-art-of-the-security-double-play-how-mercari-combines-internal-audits-and-custom-codeql-queries-to-keep-systems-safe/ | 2023/05/21 |
| Connecting Block Business Units with AWS API Gateway | How Block enables backend services to securely connect across business unit boundaries using AWS API Gateway. | https://developer.squareup.com/blog/connecting-block-business-units-with-aws-api-gateway/ | 2023/05/21 |
| Attacking and securing cloud identities in managed Kubernetes part 1: Amazon EKS | This post provides a deep dive into how Amazon EKS IAM works, and several attack vectors to pivot from an EKS cluster to an AWS environment. | https://securitylabs.datadoghq.com/articles/amazon-eks-attacking-securing-cloud-identities/ | 2023/05/21 |
| Securing Cloud Native Microservices with Role-Based Access Control using Keycloak | This article takes developers through how to integrate Keycloak's RBAC capabilities into cloud-native microservices for security with a step-by-step tutorial. | https://www.cncf.io/blog/2023/05/17/securing-cloud-native-microservices-with-role-based-access-control-using-keycloak/ | 2023/05/21 |
| Understanding Azure logging capabilities in depth | Azure includes lots of great technologies, which can be used for logging purpose. Currently, Microsoft is transitioning from v1-method (MMA) to v2-method using DCRs. | https://mortenknudsen.net/?p=1433 | 2023/05/21 |
| Building a Kubernetes purple teaming lab | An how-to article from Sumo Logic explaining how to build and create a home lab for Kubernetes threat detection engineering and purple teaming. | https://www.sumologic.com/blog/threat-labs-kubernetes-home-lab/ | 2023/05/21 |
| Fun with container images - Bypassing vulnerability scanners | An example of how it would be possible for a malicious container image to bypass container vulnerability scanners. | https://raesene.github.io/blog/2023/04/22/Fun-with-container-images-Bypassing-vulnerability-scanners/ | 2023/05/21 |
| An OPA Gatekeeper gotcha when enforcing policy on all resource kinds | Documenting and providing potential solutions for a beginner OPA Gatekeeper gotcha that people could ran into. | https://blog.skouf.com/posts/opa-gatekeeper-gotcha/ | 2023/05/21 |
| Kubernetes 1.27: KMS V2 Moves to Beta | KMS provides an interface for a provider to utilize a key stored in an external key service to encrypt etcd data. With Kubernetes 1.27, KMS is moving to beta. | https://kubernetes.io/blog/2023/05/16/kms-v2-moves-to-beta/ | 2023/05/21 |
| Equifax Controls Framework | Equifax has released an open-source controls framework that provides security guidance for cloud-native applications. The framework includes a set of controls that are mapped to security frameworks such as NIST. | https://controlsframework.equifax.com/ | 2023/05/14 |
| Cloud Security Jobs | A job board for cloud security professionals that scans and compiles the best open positions, from entry level to CISO (executive). | https://cloudsecurity.jobs/ | 2023/05/14 |
| Cybersecurity Incident Simulation @ Uber | A three-pronged approach for simulating cybersecurity incidents, which consists of tabletop exercises, red team operations, and atomic simulations. | https://www.uber.com/en-GB/blog/cybersecurity-incident-simulation/ | 2023/05/14 |
| My Love/Hate Relationship with Cloud Custodian | Cloud Custodian is a powerful tool for managing and enforcing policies in cloud environments, but it can be difficult to learn and use effectively. The author shares their experiences with using Cloud Custodian, including its benefits and drawbacks, and offers tips for getting started with the tool. | https://badshah.io/my-love-hate-relationship-with-cloud-custodian/ | 2023/05/14 |
| An AWS IAM Wishlist | A wishlist of AWS IAM feature requests: IAM Authorization Debugging, Mapping of API Calls/IAM Permissions/CloudTrail Events, SCP Audit Mode, SCP for Resources, and API Request Parameters as Condition Keys. | https://www.zeuscloud.io/post/an-aws-iam-wishlist | 2023/05/14 |
| Cloud Run Security design overview | This article outlines the security features provided by Cloud Run, including automatic TLS encryption, secure communication between services, and integration with Cloud IAM for access control. | https://cloud.google.com/run/docs/securing/security | 2023/05/14 |
| Manage multiple Terraform projects in monorepo | A look at one possible way to organize and manage a monorepo setup, which will contain multiple projects and Terraform modules, with deployments spanning across multiple targets such as AWS accounts or Azure subscriptions. | https://janik6n.net/posts/manage-multiple-terraform-projects-in-monorepo/ | 2023/05/14 |
| Secure Data Sharing: Charting a course for the EU's Digital Future | Palantir, a data analytics company, has published a report proposing a framework for secure data sharing in the European Union. The report suggests that data should be shared in a way that preserves privacy and security, while also enabling innovation. The framework includes a set of principles and best practices for data sharing, as well as recommendations for policy and regulatory changes. | https://blog.palantir.com/secure-data-sharing-charting-a-course-for-the-eus-digital-future-102f6f58f03a | 2023/05/14 |
| SIEM Content, False Positives and Engineering (Or Not) Security | This SIEM content and false positives debate is a micro instantiation of a much bigger debate: the paradox between consuming security and engineering security. | https://medium.com/anton-on-security/siem-content-false-positives-and-engineering-or-not-security-4a1dfecc136c | 2023/05/14 |
| Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations | Post describing a hypothetical scenario of a cloud platform compromise with multiple components that would require investigation. Each component is an example of a real intrusion tactic that Mandiant has investigated across various cloud platforms, sometimes with logs available and sometimes without logs available. | https://www.mandiant.com/resources/blog/cloud-bad-log-configurations | 2023/05/07 |
| Move Over, Dockerfiles! The New Way to Craft Containers | Creating Docker images can sometimes be a pain. Here are alternatives for crafting containers, like ko, Bazel, Nix, and apko, and their strengths and weaknesses. | https://www.chainguard.dev/unchained/move-over-dockerfiles-the-new-way-to-craft-containers | 2023/05/07 |
| Testing Zero Touch Production Platforms and Safe Proxies | Post providing an overview of ZTP tools and services, exploring their security role in DevSecOps, and outlining common pitfalls to watch out for when testing them. | https://blog.doyensec.com//2023/05/04/testing-ztp-platforms-a-primer.html | 2023/05/07 |
| Mitigating Risky Pull Requests with Monocle Risk Advisor | Part two of the "Mitigating Risky Pull Requests with Monocle Risk Advisor" series explores how Monocle's risk scores can help developers make informed decisions about merging pull requests. | https://medium.com/life-at-chime/mitigating-risky-pull-requests-with-monocle-risk-advisor-part-2-7013e1485bf2 | 2023/05/07 |
| Google Online Security Blog: So long passwords, thanks for all the phish | You can now create and use passkeys on your personal Google Account. When you do, Google will not ask for your password or 2-Step Verification (2SV) when you sign in. | https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html | 2023/05/07 |
| Exploiting misconfigured Google Cloud Service Accounts from GitHub Actions | A misconfigured GitHub Action using a GCP Workload Identity Federation Service Account could allow any GitHub Action to assume the role. | https://www.revblock.dev/exploiting-misconfigured-google-cloud-service-accounts-from-github-actions/ | 2023/05/07 |
| Use Amazon CodeWhisperer for Your AWS Security | Some code generations examples from Amazon CodeWhisperer to secure your AWS accounts. | https://aws.plainenglish.io/use-amazon-codewhisperer-for-your-aws-security-c2bae31a4ccd | 2023/05/07 |
| Public Report: AWS Nitro System API & Security Claims | AWS engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs. | https://research.nccgroup.com/2023/05/03/public-report-aws-nitro-system-api-security-claims/ | 2023/05/07 |
| AWS Identity Center: A Guide to Privilege Escalation and Identity and Access Management | Post covering Identity Center, as well as how to secure and monitor it. | https://www.cloudquery.io/blog/aws-priv-esc-identity-center | 2023/05/07 |
| When Good APIs Go Bad: Uncovering 3 Azure API Management Vulnerabilities | Two SSRF and a file upload path traversal in the Azure API Management service, which allowed access to internal Azure assets. | https://ermetic.com/blog/azure/when-good-apis-go-bad-uncovering-3-azure-api-management-vulnerabilities/ | 2023/05/07 |
| Elements of a Successful Cloud Security Program | Some thoughts on building a successful Cloud Security Program. | https://www.primeharbor.com/blog/successful_cloudsec_program/ | 2023/04/30 |
| An Adventure in Google Cloud threat detection | Post highlighting some common threats and exploits in Google Cloud, with the aim to share information to create detections that will catch the early signs of attacker activity. | https://securitylabs.datadoghq.com/articles/google-cloud-threat-detection/ | 2023/04/30 |
| Azure Threat Research Matrix | The purpose of the Azure Threat Research Matrix (ATRM) is to conceptualize the known tactics, techniques, and procedures (TTP) that adversaries may use against the Azure platform. | https://microsoft.github.io/Azure-Threat-Research-Matrix/ | 2023/04/30 |
| Securing AWS Step Functions | Some macro-areas to consider when securing step functions: IAM roles and policies, data security, logging and monitoring, and abuse. | https://infosecwriteups.com/securing-aws-step-functions-3bc74845906 | 2023/04/30 |
| Understanding S3 Block Public Access | What does "public" actually mean? And how does S3 Block Public Access work? This post answers these questions hoping to shed some light on how S3 Block Public Access can help protect S3 buckets from public access. | https://aws.amazon.com/blogs/storage/understanding-s3-block-public-access/ | 2023/04/30 |
| EDR Telemetry Project: A Comprehensive Comparison | This project aims to compare and evaluate the telemetry of various EDR products. | https://kostas-ts.medium.com/edr-telemetry-project-a-comprehensive-comparison-d5ed1745384b | 2023/04/30 |
| Using Nix with Dockerfiles | The article discusses the benefits of using Nix, a functional package manager, with Dockerfiles to create reproducible and efficient container images. Nix allows for easy management of dependencies and versioning, while Dockerfiles provide a portable and scalable way to distribute the images. | https://mitchellh.com/writing/nix-with-dockerfiles | 2023/04/30 |
| Argo CD end user threat model: security considerations for hardening declarative GitOps CD on Kubernetes | A comprehensive threat modeling analysis of a typical production setup of Argo CD and accompanying security considerations. | https://www.cncf.io/blog/2023/04/21/argo-cd-end-user-threat-model-security-considerations-for-hardening-declarative-gitops-cd-on-kubernetes/ | 2023/04/30 |
| GhostToken: Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts | The vulnerability could allow threat actors to change a malicious application to be invisible and unremovable, effectively leaving the victim's Google account infected with a trojan app forever. | https://astrix.security/ghosttoken-exploiting-gcp-application-infrastructure-to-create-invisible-unremovable-trojan-app-on-google-accounts/ | 2023/04/30 |
| When MFA becomes SFA | A particular case where possession of an AWS access key/secret key alone was equivalent to possession of those keys and a previously configured MFA. | https://www.mwrcybersec.com/when-mfa-becomes-sfa | 2023/04/30 |
| Stealing GitHub staff's access token via GitHub Actions | A write-up about a vulnerability which could have exposed the access token of GitHub Staff. | https://blog.ryotak.net/post/github-actions-staff-access-token-en/ | 2023/04/30 |
| Terraform Cloud no-code provisioning is now GA with new features | No-code provisioning is now GA for Terraform Cloud Business, providing validated self-service infrastructure, additional security through more granular permissions, and ease of use with variable options as dropdowns. | https://www.hashicorp.com/blog/terraform-cloud-no-code-provisioning-is-now-ga-with-new-features | 2023/04/30 |
| Free Microsoft 365 subscriptions for learning purposes | You can get a free Microsoft 365 subscription with 25 user licenses to learn and create automations. | https://developer.microsoft.com/en-us/microsoft-365/dev-program | 2023/04/30 |
| Data Driven Detection Engineering | A post arguing for stronger software engineering skills in cybersecurity, and a focus on data engineering. | https://jvehent.org/2023/04/16/Data-Driven-Detection-Engineering.html | 2023/04/23 |
| Mind The Gap - Bringing Together Cloud Services and Managed K8s Environments | Slides from a KubeCon EU 2023 talk which describes common security pitfalls in managed Kubernetes environments. | https://docs.google.com/presentation/d/1UzJjNP7H3kaq6J8-_5Cs74a4d2pbayQZWcfEnxaz9xw/ | 2023/04/23 |
| State of Cloud Threat Detection and Response Report | A report which summarizes the survey responses of 400 security leaders and SecOps practitioners in North America regarding the capabilities, practices, and behaviors of protecting against, identifying, and remediating cloud-based threats. | https://services.google.com/fh/files/misc/gcat_cloud_dr_survey_report_2023.pdf | 2023/04/23 |
| Crafting Container Images That Won't Drive You Crazy | Jetstack shares some container security best practices, including using minimal base images, running as non-root users, managing secrets, signing images, and generating SBOMs. | https://www.jetstack.io/blog/container-best-practices/ | 2023/04/23 |
| Cloud Red Teaming: AWS Initial Access & Privilege Escalation | Slides from a session that covered the latest cloud focused attack vectors and described viable strategies on how to detect their malicious usage within your cloud environments. | https://speakerdeck.com/tweekfawkes/cloud-red-teaming-aws-initial-access-and-privilege-escalation | 2023/04/23 |
| Container security fundamentals part 3: Capabilities | A look at how capabilities are used in Linux and container systems. | https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-3/ | 2023/04/23 |
| Detecting the Use of Stolen AWS Lambda Credentials | A novel technique which uses AWS CloudTrail to detect the use of stolen credentials. | https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials | 2023/04/23 |
| New Phone, Who Dis? How Cloud Environments Are Exploited for Smishing Campaigns | Commodity threat actors have recently begun to exploit cloud environments for smishing campaigns, employing techniques strikingly similar to those used in SES enumeration and abuse. | https://permiso.io/blog/s/smishing-attack-on-aws-sms-new-phone-who-dis/ | 2023/04/23 |
| Hacking Your Cloud: Tokens Edition 2.0 | Techniques attackers might use to exploit cloud tokens and gain access to resources. Strong token management, limiting privileges, and token revocation policies help mitigate risks. | https://www.trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0/ | 2023/04/23 |
| BrokenSesame: Accidental write permissions to private registry allowed potential RCE to Alibaba Cloud Database Services | A container escape vulnerability, combined with accidental 'write' permissions to a private registry, opened a backdoor for Wiz Research to access Alibaba Cloud databases and potentially compromise its services through a supply-chain attack. | https://www.wiz.io/blog/brokensesame-accidental-write-permissions-to-private-registry-allowed-potential-r | 2023/04/23 |
| Asset Key Thief security vulnerability technical details | A persistent Service Account private key exfiltration privilege escalation technique that potentially affected Google Cloud Service Accounts, now remediated promptly by the Google Cloud team. | https://engineering.sada.com/asset-key-thief-disclosure-cfae4f1778b6 | 2023/04/23 |
| First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters | For the first time evidence that attackers are exploiting Kubernetes Role-Based Access Control (RBAC) in the wild to create backdoors. | https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters | 2023/04/23 |
| Kubernetes 1.24 Security Audit | NCC Group performed a security evaluation of Kubernetes 1.24.0 release. Key findings included concerns with the administrative experience, flaws in communication between the API Server and the Kubelet which may result in an elevation of privilege, and flaws in input sanitization which provide a limited authorization bypass. | https://research.nccgroup.com/2023/04/17/public-report-kubernetes-1-24-security-audit/ | 2023/04/23 |
| Kubernetes 1.27: Query Node Logs Using The Kubelet API | Kubernetes 1.27 introduced a new feature called Node log query that allows viewing logs of services running on the node. | https://kubernetes.io/blog/2023/04/21/node-log-query-alpha/ | 2023/04/23 |
| SLSA v1.0 is now final! | After almost two years since SLSA's initial preview release, the first official stable version, SLSA v1.0, has been released. | https://slsa.dev/blog/2023/04/slsa-v1-final | 2023/04/23 |
| Announcing the deps.dev API: critical dependency data for secure supply chains | Google announced thedeps.dev API, which provides free access to the deps.dev dataset of security metadata, including dependencies, licenses, advisories, and other critical health and security signals for more than 50 million open source package versions. | https://security.googleblog.com/2023/04/announcing-depsdev-api-critical.html | 2023/04/16 |
| Supply chain security for Go, Part 1: Vulnerability management | This post covers how Go helps teams with the tricky problem of managing vulnerabilities in their open source packages. | https://security.googleblog.com/2023/04/supply-chain-security-for-go-part-1.html | 2023/04/16 |
| DevOps threat matrix | Microsoft released a blog post discussing threats we face in their DevOps environment, introducing their new threat matrix for DevOps. Using this matrix, they show the different techniques an adversary might use to attack an organization from the initial access phase and forward. | https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/ | 2023/04/16 |
| A Myth or Reality? Debunking (Mis)Conceptions Surrounding Cloud Ransomware | Read about seven common myths surrounding cloud surfaces and the importance of securing cloud data from ransomware attacks. | https://www.sentinelone.com/blog/a-myth-or-reality-debunking-misconceptions-surrounding-cloud-ransomware/ | 2023/04/16 |
| Let's talk about Kubelet authorization | Kubelet authorization can be a bit of a confusing topic in Kubernetes as it doesn't (usually) use RBAC. This post tries to explain how it works. | https://raesene.github.io/blog/2023/04/08/lets-talk-about-kubelet-authorization/ | 2023/04/16 |
| Building a secure Azure reference architecture with Terraform | A reference architecture including several components, such as a virtual network, a bastion host, a load balancer, and a cluster of virtual machines running a web application. | https://www.hashicorp.com/blog/building-a-secure-azure-reference-architecture-with-terraform | 2023/04/16 |
| The Unholy Marriage of AWS IAM Roles and Instance Profiles | Post explaining IAM Roles and Instance Profiles, how to create and manage them, and attach them to EC2 instances to grant permissions to access AWS services while adhering to security best practices. | https://www.uptycs.com/blog/aws-iam-roles-instance-profiles | 2023/04/16 |
| Ransomware in the cloud. Insights from practical experience | The article discusses the rise of ransomware attacks in cloud environments and provides examples of recent attacks. It highlights the importance of securing cloud infrastructure and recommends best practices for preventing and responding to ransomware attacks in the cloud. | https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 | 2023/04/16 |
| From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys | How the Orca Security team discovered a critical exploitation path, utilizing Microsoft Azure shared key authorization, and provide key mitigation steps. | https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/ | 2023/04/16 |
| Privilege escalation in AWS Elastic Kubernetes Service | An interesting privilege escalation scenario in Kubernetes (EKS) involving NodeRestriction. | https://blog.calif.io/p/privilege-escalation-in-eks | 2023/04/16 |
| Announcing a white paper on Platforms for Cloud Native Computing | The CNCF's Platforms working group (WG) announced the first release of a whitepaper to provide guidance and clarity on the nature and benefits of platforms for cloud-native computing. | https://www.cncf.io/blog/2023/04/11/announcing-a-white-paper-on-platforms-for-cloud-native-computing/ | 2023/04/16 |
| Kubernetes v1.27 Released | This release consist of 60 enhancements. 18 of those enhancements are entering Alpha, 29 are graduating to Beta, and 13 are graduating to Stable. You can also checkout asummary of new security-related features. | https://kubernetes.io/blog/2023/04/11/kubernetes-v1-27-release/ | 2023/04/16 |
| 69 Ways to F*** Up Your Deploy | This post is a cursed compendium of 69 ways to f*** up your deploy. It is the irreverent Grimms Brothers version of deployment scenarios. | https://kellyshortridge.com/blog/posts/69-ways-to-mess-up-your-deploy/ | 2023/04/09 |
| Intro to forensics in the cloud: A container was compromised. What's next? | Learn what tools and data sources you need to use in cloud forensics investigation and how they come into practice in a real-life example. | https://www.wiz.io/blog/intro-to-forensics-in-the-cloud-a-container-was-compromised-whats-next | 2023/04/09 |
| Building Better Detection Systems: Introducing KRANG at Carta | The Carta team aimed to build an automated detection system that is adaptable, flexible, reproducible, and generates high-quality alerts for security teams to respond to. You can also refer to thecompanion tool. | https://medium.com/building-carta/building-better-detection-systems-introducing-krang-at-carta-55b08af5763e | 2023/04/09 |
| Containing Compromised EC2 Credentials Without (Hopefully) Breaking Things | There are multiple techniques for containing compromised instance credentials. The easy ones are the most likely to break things, but there are creative options to lock out attackers without breaking applications. | https://www.firemon.com/containing-compromised-ec2-credentials-without-hopefully-breaking-things/ | 2023/04/09 |
| Exploring Amazon VPC Lattice | AWS has recently released VPC Lattice to General Availability. This post walks through creating a simple VPC Lattice service using CloudFormation, and takes a look at the service overall. | https://onecloudplease.com/blog/exploring-amazon-vpc-lattice | 2023/04/09 |
| Docker Scout | Docker Desktop introduced Docker Scout, a tool that provides visibility into image vulnerabilities and recommendations for quick remediation. | https://www.docker.com/blog/docker-desktop-4-18/ | 2023/04/09 |
| WebAssembly on Kubernetes: Everything You Need to Know | This is the first article in a two-part series explaining everything you need to know about running WebAssembly workloads on Kubernetes. | https://nigelpoulton.com/webassembly-on-kubernetes-everything-you-need-to-know/ | 2023/04/09 |
| Two Minor Cross-Tenant Vulnerabilities in AWS App Runner | These vulnerabilities leaked configuration information across tenant boundaries. While they are both minor issues, they further demonstrate that undocumented AWS APIs have lacked the scrutiny of AWS as well as the cloud security community. | https://frichetten.com/blog/minor-cross-tenant-vulns-app-runner/ | 2023/04/09 |
| Helm completes fuzzing security audit | The fuzzing involved enrolling Helm in the OSS-Fuzz project and writing a set of fuzzers that further enriches the test coverage of Helm. In total, 38 fuzzers were written, and nine bugs were found (with eight fixed so far). | https://www.cncf.io/blog/2023/03/31/helm-completes-fuzzing-security-audit/ | 2023/04/09 |
| Announcing SLSA v1.0 Release Candidate 2 | SLSA v1.0 Release Candidate 2 has been announced. This is intended to be the final release candidate before marking v1.0 as an Approved Specification. | https://slsa.dev/blog/2023/04/slsa-v1-rc2 | 2023/04/09 |
| Attackers have better things to do than corrupt your builds | This posts clarifies the clucking and clamoring over attackers exploiting vulns or corrupting build pipelines (spoiler alert: it isn't worth their time and effort to). | https://kellyshortridge.com/blog/posts/attackers-have-better-things-to-do-than-corrupt-your-builds/ | 2023/04/02 |
| AWS KMS Threat Model | What are the threats in letting an AWS service manage the encryption of your data instead of creating a Customer Managed Key? | https://airwalkreply.com/aws-kms-threat-model | 2023/04/02 |
| A Guide to S3 Logging | Here's what you should do about S3 Logging. | https://ramimac.me/s3-logging | 2023/04/02 |
| Harvesting Logs for Fun and Profit | Post looking at the kinds of things you might find in your logs. The juicy bits are Personal Identifying Information (PII) or security credentials. | https://beny23.github.io/posts/harvesting_logs_for_fun_and_profit/ | 2023/04/02 |
| Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel | How to use Cloudflare Tunnel to securely access a Flask webapp running in a private subnet in ECS on Fargate, without exposing the app to the public internet. | https://blog.marcolancini.it/2023/blog-cloudflare-tunnel-zero-trust-ecs/ | 2023/04/02 |
| The Old Faithful: Why SSM Parameter Store still reigns over Secrets Manager | Post exploring why the tried-and-true SSM Parameter Store is still the preferred choice for many developers and dive into the advantages it has over Secrets Manager. | https://theburningmonk.com/2023/03/the-old-faithful-why-ssm-parameter-store-still-reigns-over-secrets-manager/ | 2023/04/02 |
| Identify and remediate common cloud risks with the Datadog Cloud Security Atlas | Datadog announced the release of theirCloud Security Atlas, a searchable database of real-world attacks, vulnerabilities, and misconfigurations designed to help you understand and remediate risk in cloud environments. | https://securitylabs.datadoghq.com/articles/cloud-security-atlas-launch/ | 2023/04/02 |
| Public Access Key - 2023 | Timeline of events when an AWS IAM Access Key was published to GitHub. | https://www.chrisfarris.com/post/public-access-key-2023/ | 2023/04/02 |
| Vault Secrets Operator: A new method for Kubernetes integration | The Vault Secrets Operator implements a first-class Kubernetes Operator pattern for HashiCorp Vault along with a set of CRDs responsible for synchronizing Vault secrets to Kubernetes Secrets natively. | https://www.hashicorp.com/blog/vault-secrets-operator-a-new-method-for-kubernetes-integration | 2023/04/02 |
| Unauthorized access to organization secrets in GitHub | A security issue in GitHub's Security Advisory feature allowed researchers to access ANY organization's codespace secrets without authorization. | https://ophionsecurity.com/blog/access-organization-secrets-in-github | 2023/04/02 |
| Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle | Post exploring the details of the Azure vulnerability, "Super FabriXss," the risks it poses, as well as recommendations on how to mitigate it. | https://orca.security/resources/blog/super-fabrixss-azure-vulnerability/ | 2023/04/02 |
| Riding the Azure Service Bus (Relay) into Power Platform | A deserialization issue on the Azure Service Bus (Relay) service that allowed remote code execution on Microsoft servers. | https://www.netspi.com/blog/technical/vulnerability-research/azure-service-bus-power-platform/ | 2023/04/02 |
| Introducing self-service SBOMs | GitHub announced a new Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SBOM with a single click. | https://github.blog/2023-03-28-introducing-self-service-sboms/ | 2023/04/02 |
| Introducing Microsoft Security Copilot: Empowering defenders at the speed of AI | Security Copilot combines an advanced large language model (LLM) with a security-specific model from Microsoft. This security-specific model in turn incorporates a set of security-specific skills and is informed by Microsoft's unique global threat intelligence. Security Copilot runs on Azure's infrastructure. | https://blogs.microsoft.com/blog/2023/03/28/introducing-microsoft-security-copilot-empowering-defenders-at-the-speed-of-ai/ | 2023/04/02 |
| How we built DMARC Management using Cloudflare Workers | How Cloudflare built their new DMARC Management solution entirely on top of the Workers platform. | https://blog.cloudflare.com/how-we-built-dmarc-management/ | 2023/03/26 |
| A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management | A guide to managing multiple AWS Accounts using AWS Organizations and how to reduce blast radius by leveraging Delegated Administrator capabilities to avoid usage of the management root account. | https://www.cloudquery.io/blog/guide-aws-org-delegation | 2023/03/26 |
| Using Service Control Policies to protect security baselines | Post illustrating a specific use case of SCPs that protects the security baseline, or landing zone, configuration you've created for accounts. | https://www.wiz.io/blog/using-service-control-policies-to-protect-security-baselines | 2023/03/26 |
| Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research | Public disclosure of a CloudTrail bypass in AWS Service Catalog and other logging research. | https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/ | 2023/03/26 |
| Mitigating SSRF in 2023 | Article reviewing the different ways of triggering SSRF and discussing which mitigation techniques are most effective. | https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/ | 2023/03/26 |
| Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide | A popular passwordless authentication method is magic links. Although this is not something that Cognito supports out of the box, it can be implemented using its Lambda hooks. | https://theburningmonk.com/2023/03/implementing-magic-links-with-amazon-cognito-a-step-by-step-guide/ | 2023/03/26 |
| The illustrated guide to S3 pre-signed URLs | Article discussing in great detail what pre-signed URLs are, how to use them, and some best practices to keep in mind. | https://fourtheorem.com/the-illustrated-guide-to-s3-pre-signed-urls/ | 2023/03/26 |
| Network policies are not the right abstraction (for developers) | Post examining multiple flaws that prevent network policies, on their own, from being an effective solution for a real-world use case. | https://otterize.com/blog/network-policies-are-not-the-right-abstraction | 2023/03/26 |
| The 4 Kubernetes policy types | Post introducing the four types of policies available in Kubernetes (API Objects, Admission Controllers, ValidatingAdmissionPolicy, and Dynamic Admission Controls) and provide guidance on how they should be used. | https://www.cncf.io/blog/2023/03/23/the-4-kubernetes-policy-types/ | 2023/03/26 |
| Top 15 Kubectl plugins for security engineers | This article aims to address the most common or useful Kubernetes plugins for improving your security posture. | https://sysdig.com/blog/top-15-kubectl-plugins-for-security-engineers | 2023/03/26 |
| Kubernetes Removals and Major Changes In v1.27 | Article identifying and describing some of the planned (breaking) changes for the Kubernetes v1.27 release. | https://kubernetes.io/blog/2023/03/17/upcoming-changes-in-kubernetes-v1-27/ | 2023/03/26 |
| Escalating Privileges with Azure Function Apps | Undocumented APIs used by the Azure Function Apps Portal menu allowed for arbitrary file reads on the Function App containers. | https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-function-apps/ | 2023/03/26 |
| Intro to Kubernetes - Containers at Scale Containerized Adventures | Kubernetes is all about containers at scale. But what does that mean? Learn more with this illustrated intro to Kubernetes! | https://kaslin.rocks/intro-to-kubernetes-containers-at-scale/ | 2023/03/19 |
| Building ClickHouse Cloud From Scratch in a Year | Have you ever wondered what it takes to build a serverless software as a service (SaaS) offering in under a year? In this blog post, ClickHouse describes how they built ClickHouse Cloud from the ground up. | https://clickhouse.com/blog/building-clickhouse-cloud-from-scratch-in-a-year | 2023/03/19 |
| The Many Ways to Access DynamoDB | Post discussing the many ways to restrict access to a DynamoDB instance at both a framework and implementation level, utilizing patterns and tools such as RBAC, IAM, Terraform. | https://blog.symops.com/2023/03/10/access-dynamodb/ | 2023/03/19 |
| Container security fundamentals part 2: Isolation & namespaces | A look at how Docker containers use namespaces for isolation. | https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2/ | 2023/03/19 |
| Monitoring Kubernetes Clusters on GKE | A hands-on guide to monitoring and logging at different layers in the GKE stack. | https://medium.com/google-cloud/gke-monitoring-84170ea44833 | 2023/03/19 |
| Forensic container analysis in Kubernetes | With the help of container checkpointing, it is possible to create a checkpoint of a running container without stopping the container and without the container knowing that it was checkpointed. | https://kubernetes.io/blog/2023/03/10/forensic-container-analysis/ | 2023/03/19 |
| awesome-detection-rules | A collection of threat detection rules / rules engines. | https://github.com/jatrost/awesome-detection-rules | 2023/03/19 |
| Service meshes: an in-depth introduction | An overview of service meshes that clarifies the benefits they offer as well as the extra complexity. | https://www.jetstack.io/blog/service-meshes-a-deeper-introduction/ | 2023/03/19 |
| Passwordless Authentication made easy with Cognito | A Step-by-Step Guide, including working demo and complete source code for both frontend and backend. | https://theburningmonk.com/2023/03/passwordless-authentication-made-easy-with-cognito-a-step-by-step-guide/ | 2023/03/19 |
| What the fork: Imposter Commits in GitHub Actions and CI/CD | A vulnerability in GitHub Actions that bypasses allowed Workflow settings by using commits from forked repositories. | https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd | 2023/03/12 |
| From Pod Security Policies to Pod Security Standards, a Migration Guide | Pod Security Policies were removed in Kubernetes v1.25. Learn how to migrate from Pod Security Policies to Pod Security Standards. | https://www.wiz.io/blog/from-pod-security-policies-to-pod-security-standards-a-migration-guide | 2023/03/12 |
| Google Cloud Platform Exfiltration: A Threat Hunting Guide | Some security gaps that every organization using GCP should be aware of in order to protect itself from data exfiltration. | https://www.mitiga.io/blog/google-cloud-platform-exfiltration-a-threat-hunting-guide | 2023/03/12 |
| A New Incentive for Using AWS VPC Endpoints | If you haven't been using VPC endpoints until now, AWS's two new condition keys should make you consider doing so. | https://ermetic.com/blog/aws/a-new-incentive-for-using-aws-vpc-endpoints/ | 2023/03/12 |
| fun-with-vpc-endpoints | Two interactive demos of VPC endpoints, how to use them and how VPC Endpoint Policies can be used in practice. | https://github.com/christophetd/fun-with-vpc-endpoints | 2023/03/12 |
| Understanding the Integration Between KMS and Secrets Manager on AWS | Post covering the integration between KMS and Secrets Manager on AWS, to better understand how they work. | https://blog.lightspin.io/understanding-the-integration-between-kms-and-secrets-manager-on-aws | 2023/03/12 |
| Reducing Attack Surface with AWS Allowlisting | A detailed look at implementing Region and Service allowlisting in AWS. | https://ramimac.me/aws-allowlisting | 2023/03/12 |
| Pivoting with Azure Automation Account Connections | How Automation Accounts handle authenticating as other accounts within a runbook, and how to abuse those authentication connections to pivot to other Azure resources. | https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-automation-account-connections/ | 2023/03/12 |
| Vault 1.13 adds Kubernetes Operator, MFA improvements, and more | HashiCorp Vault 1.13 brings enhancements to team workflows, integrations, and visibility. | https://www.hashicorp.com/blog/vault-1-13-adds-kubernetes-operator-mfa-improvements-and-more | 2023/03/12 |
| The Audit Log Wall of Shame | A list of vendors that don't prioritize high-quality, widely-available audit logs for security and operations teams. | https://audit-logs.tax/ | 2023/03/05 |
| Five Things You Need to Know About Malware on Storage Buckets | An overview of malware in cloud storage buckets and mitigation best practices. | https://orca.security/resources/blog/the-risks-of-malware-in-storage-buckets/ | 2023/03/05 |
| How Attackers Can Exploit GCP's Multicloud Workload Solution | A deep dive into the inner workings of GCP Workload Identity Federation, taking a look at risks and how to avoid misconfigurations. | https://ermetic.com/blog/gcp/how-attackers-can-exploit-gcps-multicloud-workload-solution/ | 2023/03/05 |
| AWS EC2 IMDS - What You Need to Know | A technical review of IMDSv2. | https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/ | 2023/03/05 |
| How to secure Kubernetes Ingress? | How to secure Kubernetes Ingress resources by adding TLS and then procuring TLS/SSL certificates. | https://www.armosec.io/blog/kubernetes-ingress-security/ | 2023/03/05 |
| Introducing KWOK: Kubernetes WithOut Kubelet | Have you ever wondered how to set up a cluster of thousands of nodes just in seconds, how to simulate real nodes with a low resource footprint, and how to test your Kubernetes controller at scale without spending much on infrastructure? If you answered "yes" to any of these questions, then you might be interested in KWOK, a toolkit that enables you to create a cluster of thousands of nodes in seconds. | https://kubernetes.io/blog/2023/03/01/introducing-kwok/ | 2023/03/05 |
| Temporary policy exceptions in Kubernetes with Kyverno | Policy Exceptions are a way to provide even more control over which resources get excluded from the scope of a policy but, most importantly, they allow decoupling of the policy from those exclusions. | https://www.cncf.io/blog/2023/03/01/temporary-policy-exceptions-in-kubernetes-with-kyverno/ | 2023/03/05 |
| containerd completes fuzzing audit | The containerd project completed a comprehensive fuzzing audit which added 28 fuzzers covering a wide range of container runtime functionality. During this audit a vulnerability was uncovered in the OCI image importer. | https://www.cncf.io/blog/2023/03/02/containerd-completes-fuzzing-audit/ | 2023/03/05 |
| Down the Cloudflare / Stripe / OWASP Rabbit Hole: A Tale of 6 Rabbits Deep | A tale from Troy Hunt of firewalls, APIs and sifting through layers and layers of different services to sniff out the root cause of something that seemed very benign, but actually turned out to be highly impactful. | https://www.troyhunt.com/down-the-cloudflare-stripe-owasp-rabbit-hole-a-tale-of-6-rabbits-deep/ | 2023/02/26 |
| My CI/CD pipeline is my release captain | How Amazon continuously release changes to production by practicing trunk-based development, by using CI/CD pipelines to manage deployment artifacts and coordinate releases across multiple production environments, and by practicing proactive and automatic rollbacks. | https://aws.amazon.com/builders-library/cicd-pipeline/ | 2023/02/26 |
| Lateral movement risks in the cloud: from compromised cloud resource to Kubernetes cluster takeover | Post discussing lateral movement risks from the cloud to Kubernetes: it explains attacker TTPs, and outlines best practices for cloud builders and defenders to help secure their cloud environments and mitigate risk. | https://www.wiz.io/blog/lateral-movement-risks-in-the-cloud-and-how-to-prevent-them-part-3-from-compromis | 2023/02/26 |
| How to Achieve Application & Cloud Security Resilience | A guide to defining and maturing a truly resilient Application and Cloud Security program through automation and data. | https://betterappsec.com/how-to-scale-application-cloud-security-f31503182517 | 2023/02/26 |
| To DIY or Not to DIY; Key Kubernetes Security Considerations | Understand the security ramifications of doing Kubernetes with a managed service provider or DIY. | https://blog.ksoc.com/diy-kubernetes-security/ | 2023/02/26 |
| Container security fundamentals: Exploring containers as processes | A look at how containers work as Linux processes and what that means for security. | https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-1/ | 2023/02/26 |
| A role for all your EC2 instances | You can now pass an IAM role to every EC2 instance in your account + region. | https://awsteele.com/blog/2023/02/20/a-role-for-all-your-ec2-instances.html | 2023/02/26 |
| Securing Kubernetes Secrets with HashiCorp Vault | Secrets in Kubernetes are used to store sensitive information. This blog post will show how to secure Kubernetes secrets using Hashicorp vault. | https://www.infracloud.io/blogs/kubernetes-secrets-hashicorp-vault/ | 2023/02/26 |
| A retrospective on public cloud breaches of 2022 | Looking back on publicly disclosed cloud breaches of 2022, and what we can learn from them. | https://securitylabs.datadoghq.com/articles/public-cloud-breaches-2022-mccarthy-hopkins/ | 2023/02/26 |
| Under-documented Kubernetes Security Tips | There are some security practices which kinda don't fit into traditional hardening guides, don't get reported as CVEs, and just exist in the minds of expensive consultants. | https://www.macchaffee.com/blog/2022/k8s-under-documented-security-tips/ | 2023/02/19 |
| How Using Deprecated Policies Creates Overprivileged Permissions | AmazonEC2RoleforSSM, a deprecated version of the now recommended AmazonSSMManagedInstaceCore. This post breaks down why AWS likely deprecated the original policy and how organizations leave themselves vulnerable by continuing to use these deprecated policies. | https://permiso.io/blog/s/deprecated-aws-policy-amazonec2roleforSSM/ | 2023/02/19 |
| 6 Keys to Securing User Uploads to Amazon S3 | How to architect AWS applications to securely enable user uploaded content, using pre-signed post URLs. | https://scalesec.com/blog/6-keys-to-securing-user-uploads-to-amazon-s3/ | 2023/02/19 |
| A Look at AWS API Protocols | An introduction to AWS API protocols and how they impact the structure of an AWS API request. | https://frichetten.com/blog/aws-api-protocols/ | 2023/02/19 |
| Kubernetes Security Checklist | A baseline checklist for ensuring security in Kubernetes clusters. | https://kubernetes.io/docs/concepts/security/security-checklist/ | 2023/02/19 |
| Azure B2C: Crypto Misuse and Account Compromise | Microsoft's Azure Active Directory B2C service contained a cryptographic flaw which allowed an attacker to craft an OAuth refresh token with the contents for any user account. An attacker could redeem this refresh token for a session token, thereby gaining access to a victim account as if the attacker had logged in through a legitimate login flow. | https://www.praetorian.com/blog/azure-b2c-crypto-misuse-and-account-compromise/ | 2023/02/19 |
| Azure AD Kerberos Tickets: Pivoting to the Cloud | If you've ever been doing an Internal Penetration test where you've reached Domain Admin status and you have a cloud presence, your entire Azure cloud can still be compromised. | https://www.trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud/ | 2023/02/19 |
| Canarytokens welcomes Azure Login Certificate Token | Canarytokens.org introduced the Azure Login Certificate Token (aka the Azure Token). You can sprinkle Azure tokens throughout your environment and receive high fidelity notifications whenever they're used. | https://blog.thinkst.com/2023/02/canarytokens-org-welcomes-azure-login-certificate-token.html | 2023/02/19 |
| Cloud drift detection: How to resolve out-of-state changes | The keys to a successful IaC to IaaS drift detection strategy are: understanding when drift becomes a risk, implementing drift detection automation relevant to your stack, and classifying and route their response to the right individual or team. | https://bridgecrew.io/blog/cloud-drift-detection/ | 2023/02/19 |
| Integrating threat modeling with DevOps | Reflections on how it is possible to adopt threat modeling more effectively and efficiently, integrating it with modern DevOps methodologies and tools, and focusing on the value provided to all the various actors involved with the Software Development Lifecycle. | https://learn.microsoft.com/en-us/security/engineering/threat-modeling-with-dev-ops | 2023/02/12 |
| threatmodel-for-azure-storage | A library of all the attack scenarios on Azure Storage, and how to mitigate them following a risk-based approach. | https://github.com/trustoncloud/threatmodel-for-azure-storage | 2023/02/12 |
| Privilege Escalation via storage accounts | Post explaining the risk of storage accounts and how to abuse them for lateral movement. | https://rogierdijkman.medium.com/privilege-escalation-via-storage-accounts-bca24373cc2e | 2023/02/12 |
| Restricting cluster-admin Permissions | The cluster-admin ClusterRole gives the user access and permission to do all operations on all resources in the cluster. What if we need to block an action performed by cluster admins? We can't do it with RBAC, it only allows for adding of permissions, not taking them away. | https://marcusnoble.co.uk/2022-01-20-restricting-cluster-admin-permissions/ | 2023/02/12 |
| Fine-Grained RBAC For GitHub Action Workflows With GitHub OIDC and HashiCorp Vault | DigitalOcean's approach to securing CI/CD through GitHub Actions, OIDC, and HashiCorp Vault. | https://www.digitalocean.com/blog/fine-grained-rbac-for-github-action-workflows-hashicorp-vault | 2023/02/12 |
| Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console | Post discussing a weakness in the AWS Console authentication flow that allowed an attacker to partially bypass the login rate limit. | https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass/ | 2023/02/12 |
| Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation | Post discussing the details of six privilege escalation vulnerabilities found in Docker Desktop for Windows, and releasing a new tool namedPipeViewerthat scans for Windows named pipes with weak permissions. | https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-1 | 2023/02/12 |
| Know Your App Services Before Your Enemy Does | A look at Azure App Services, security advice, and how to use Azure Resource Graph Explorer and other tools to implement these recommendations. | https://miraisecurity.com/blog/know-your-app-services-before-your-enemy-does | 2023/02/12 |
| GitHub Actions - Updating the default GITHUB_TOKEN permissions to read-only | Previously, GitHub Actions gets a GITHUB_TOKEN with both read/write permissions by default whenever Actions is enabled on a repository. As a default, this is too permissive, so to improve security GitHub chnaged the default going forward to a read-only token. | https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/ | 2023/02/12 |
| Incident Response in Google Cloud: Forensic Artifacts | This article examines forensic artifacts available in GCP and provides recommendations for triage and prioritization. | https://blog.sygnia.co/incident-response-in-google-cloud-forensic-artifacts | 2023/02/05 |
| Threat Modelling Cloud Platform Services by Example: Google Cloud Storage | A threat modelling exercise from NCC which demonstrated that user/tenant configuration choices matter when evaluating the overall security posture of an instance of Google Cloud Storage, and that a number of relative weaknesses can be improved through deliberate choices on behalf of the user. | https://research.nccgroup.com/2023/01/31/threat-modelling-cloud-platform-services-by-example-google-cloud-storage/ | 2023/02/05 |
| 2023 identity security trends and solutions from Microsoft | Microsoft has published a very good summary about AzureAD security trends in 2023 which considered post authentication attacks. | https://www.microsoft.com/en-us/security/blog/2023/01/26/2023-identity-security-trends-and-solutions-from-microsoft/ | 2023/02/05 |
| Data exfiltration with native AWS S3 features | A deep dive on different options for abuse of legitimate S3 features with the end goal of data exfiltration, so to better understand the shortcomings of native AWS logging and monitoring tooling, and to offer some suggestions for how to go about detecting their use and abuse. | https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 | 2023/02/05 |
| How Adversaries Can Persist with AWS User Federation | CrowdStrike has identified a novel technique that can use the sts:GetFederationToken API to escape typical containment practices and persist in AWS environments. | https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/ | 2023/02/05 |
| Sigstore's cosign and policy-controller with GKE, Artifact Registry and KMS | Use Sigstore to sign container images and then enforce that only signed containers can run in GKE. | https://medium.com/google-cloud/sigstores-cosign-and-policy-controller-with-gke-and-kms-7bd5b12672ea | 2023/02/05 |
| General availability of SLSA 3 Container Generator for GitHub Actions | The SLSA project announced the general availability of the SLSA 3 Container Generator for GitHub Actions, which allows any GitHub project to produce SLSA level 3 compliant provenance statements so users can verify the origin of container images they use. | https://slsa.dev/blog/2023/02/slsa-github-workflows-container-ga | 2023/02/05 |
| Kubernetes and Cloud Security Associate (KCSA) certification coming in Q3 2023 | CNCF and The Linux Foundation announced the upcomingKubernetes and Cloud Security Associate (KCSA)certification. | https://www.cncf.io/blog/2023/02/01/kubernetes-and-cloud-security-associate-kcsa-certification-coming-in-q3-2023/ | 2023/02/05 |
| Native OPA Support in Terraform Cloud Is Now Generally Available | Native Open Policy Agent (OPA) support allows customers who have standardized on OPA to bring their policies into Terraform Cloud. | https://www.hashicorp.com/blog/native-opa-support-in-terraform-cloud-is-now-generally-available | 2023/02/05 |
| Terraform Cloud Adds Dynamic Provider Credentials for Vault and Official Cloud Providers | Dynamic provider credentials for Terraform Cloud provide a simple and safe authentication workflow for Vault and official cloud providers. | https://www.hashicorp.com/blog/terraform-cloud-adds-dynamic-provider-credentials-vault-official-cloud-providers | 2023/02/05 |
| Security Drone: Scaling Continuous Security at Revolut | How Revolut uses a custom system to scale and improve their continuous security scanning. | https://medium.com/revolut/security-drone-scaling-continuous-security-at-revolut-862bcd55956e | 2023/01/29 |
| Elevating Security Alert Management Using Automation | A post that describes the Brex Detection and Response Team's approach to managing and automating security alerts at scale. | https://medium.com/brexeng/elevating-security-alert-management-using-automation-828004ad596c | 2023/01/29 |
| Enforcing Device AuthN & Compliance at Pinterest | How Pinterest enforced the use of managed and compliant devices in their Okta authentication flow, using a passwordless implementation, so that access to their tools always requires a healthy Pinterest device. | https://medium.com/pinterest-engineering/enforcing-device-authn-compliance-at-pinterest-a74938cb089b | 2023/01/29 |
| Tampering User Attributes In AWS Cognito User Pools | Post explaining AWS Cognito User Attributes tampering and introducing afree labto experiment with. | https://blog.doyensec.com/2023/01/24/tampering-unrestricted-user-attributes-aws-cognito.html | 2023/01/29 |
| GitHub Container Registry private repos sometimes weren't | GitHub Container Registry (GHCR) had an information leak bug, where names of private repos were exposed. Here's the background on how it was reported and fixed. | https://www.chainguard.dev/unchained/ghcr-private-repos-sometimes-werent | 2023/01/29 |
| Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms | A recap on privilege escalation and powerful permissions in Kubernetes and an analysis of the ways various platforms have addressed it. | https://unit42.paloaltonetworks.com/kubernetes-privilege-escalation/ | 2023/01/29 |
| Enhancing Kubernetes security with user namespaces | Learn how to improve cluster security with user namespaces, a new feature introduced in Kubernetes v1.25. | https://www.wiz.io/blog/enhancing-kubernetes-security-with-user-namespaces | 2023/01/29 |
| A Guide to Running Sigstore Locally | How to stand up a Sigstore deployment on your own infrastructure on Kubernetes so that you will be able to take advantage of the benefits and the assurance of not exposing sensitive resources. | https://blog.sigstore.dev/a-guide-to-running-sigstore-locally-f312dfac0682 | 2023/01/29 |
| Provisioning Kubernetes clusters on AWS/GCP with Terraform | Learn how you can leverage Terraform and GKE orEKSto provision identical clusters for development, staging and production environments with a single click. | https://learnk8s.io/terraform-gke | 2023/01/29 |
| HCP Packer Adds Ancestry to Track Image Relationships | Ancestry tracking for HCP Packer provides visibility into image dependencies across your cloud environment for image lifecycle management. | https://www.hashicorp.com/blog/hcp-packer-adds-ancestry-to-track-image-relationships | 2023/01/29 |
| New Hires, Lost Keys & Lessons Learned (Passwordless Authentication Series) | The third in a series by Palantir InfoSec on their journey enforcing FIDO2 authentication via hardware authenticators (YubiKeys) across all of Palantir. | https://blog.palantir.com/new-hires-lost-keys-lessons-learned-passwordless-authentication-series-3-dfdd79e89fb6 | 2023/01/22 |
| CircleCI incident report for January 4, 2023 security incident | Read the complete incident report from CircleCI's January 4, 2023. | https://circleci.com/blog/jan-4-2023-incident-report/ | 2023/01/22 |
| Consider All Microservices Vulnerable - And Monitor Their Behavior | Although all deployed microservices are vulnerable, there is much that can be done to ensure microservices are not exploited. | https://kubernetes.io/blog/2023/01/20/security-behavior-analysis/ | 2023/01/22 |
| Leaking Secrets From GitHub Actions | Different areas that could help leaking secrets from GitHub Actions workflows vulnerable to command injection: reading files and environment variables, intercepting network/process communication, and dumping memory. | https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/ | 2023/01/22 |
| Crane: Uber's Next-Gen Infrastructure Stack | Post examining the original motivation and some key features behind Uber's been multi-year journey to reimagine their infrastructure stack for a hybrid, multi-cloud world. | https://www.uber.com/en-IN/blog/crane-ubers-next-gen-infrastructure-stack/ | 2023/01/22 |
| AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass | The Datadog Security Research Team identified a method to bypass CloudTrail logging for specific IAM API requests via undocumented APIs. This technique would allow an adversary to perform reconnaissance activities in the IAM service after gaining a foothold in an AWS account, without leaving any trace of their actions in CloudTrail. | https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/ | 2023/01/22 |
| SSH key injection in Google Cloud Compute Engine | A bug which had the impact of a single-click RCE in a victim user's Compute Engine instance. | https://blog.stazot.com/ssh-key-injection-google-cloud/ | 2023/01/22 |
| Unauthenticated SSRF Vulnerability on Azure Functions | How the Orca Security team uncovered an SSRF Vulnerability in the Azure Functions app, allowing any unauthenticated user to request any URL by abusing the server. | https://orca.security/resources/blog/ssrf-vulnerabilities-azure-functions-app/ | 2023/01/22 |
| Azure Active Directory Flaw Allowed SAML Persistence | A vulnerability in Azure Active Directory (Azure AD) allowed a user to retain access to a targeted Security Assertion Markup Language (SAML) application. | https://www.secureworks.com/research/azure-active-directory-flaw-allowed-saml-persistence | 2023/01/22 |
| EmojiDeploy: Smile! Your Azure web service just got RCE'd | A remote code execution vulnerability affecting Azure cloud services and other cloud sovereigns including Function Apps, App Service and Logic Apps. | https://ermetic.com/blog/azure/emojideploy-smile-your-azure-web-service-just-got-rced/ | 2023/01/22 |
| AWS Phishing: Four Ways | Post looking at some common phishing tactics in AWS: Credential Phishing, Device Authentication Phishing, CloudFormation Stack Phishing, and ACM Email Validation Phishing. | https://ramimac.me/aws-phishing | 2023/01/15 |
| SES-pionage | What do attackers do with exposed AWS access keys? This blog looks inside AWS SES to give deeper insights into the service, why & how its targeted and how to detect it. | https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/ | 2023/01/15 |
| Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident | Learn how to detect malicious persistence techniques in AWS, GCP, and Azure after potential initial compromise, like with the CircleCI incident. | https://www.wiz.io/blog/hunting-for-signs-of-persistence-in-the-cloud-an-ir-guide | 2023/01/15 |
| Detecting Anomalous AWS Sessions From Temporary Credentials | Learn about short-term access keys (unofficially also known as temporary tokens or temporary credentials) in AWS, and how they can be compromised. | https://www.uptycs.com/blog/detecting-anomalous-aws-sessions-temporary-credentials | 2023/01/15 |
| Cedar: A new policy language | Cedar is a new language created by AWS to define access permissions using policies, similar to the way IAM policies work today. This post explains both why this language was created and how to author policies with it. | https://onecloudplease.com/blog/cedar-a-new-policy-language | 2023/01/15 |
| Improve GitHub Actions OIDC security posture with custom issuer | You can grant developers permission to invoke iam:CreateRole without worrying that an errant role trust policy has opened up access to the entirety of Github.com. | https://awsteele.com/blog/2023/01/11/improve-github-actions-oidc-security-posture-with-custom-issuer.html | 2023/01/15 |
| Responding to an attack in AWS | Post walking through the initial steps of an investigation following an incident in AWS. | https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac | 2023/01/15 |
| Cloud Native and Kubernetes Security Predictions 2023 | A speculative look into the perils and opportunities that 2023 holds for cloud native security. | https://control-plane.io/posts/kubernetes-predictions-for-2023/ | 2023/01/15 |
| How to Connect to Kubernetes Clusters Using Boundary | How to use HashiCorp Boundary to provide identity-based remote access and credential management for Kubernetes clusters. | https://www.hashicorp.com/blog/how-to-connect-to-kubernetes-clusters-using-boundary | 2023/01/15 |
| Supply-Chain Security: Evaluation of Threats and Mitigations | This blog details research into threat modeling for supply-chain, the evaluation of the effectiveness of each countermeasure such as SBOM, and the design of a centralized CI pipeline. | https://engineering.mercari.com/en/blog/entry/20221215-supplychain-security-reevaluation/ | 2023/01/08 |
| Incident Response Methodologies 2022 | CERT Societe Generale provides easy to use operational incident best practices. | https://github.com/certsocietegenerale/IRM | 2023/01/08 |
| Cloud penetration testing: Not your typical internal penetration test | A funny post where the author shares the stages of ignorance and awareness they encountered, so to help others progress through the early stages more quickly than they did. | https://sethsec.blogspot.com/2022/12/cloud-penetration-testing-not-your.html | 2023/01/08 |
| State of Azure IAM 2022 | Azure IAM has seen major growth with 2710 new permissions and 60 new built-in roles added in 2022. | https://davidokeyode.medium.com/state-of-azure-iam-2022-512e66881128 | 2023/01/08 |
| Cross-tenant network bypass in Azure Cognitive Search | How enabling a single vulnerable feature removed the entire network and identity perimeter around internet-isolated Azure Cognitive Search instances. | https://www.mnemonic.io/resources/blog/acsessed-cross-tenant-network-bypass-in-azure-cognitive-search | 2023/01/08 |
| Cloud Cred Harvesting Campaign | A credential harvesting campaign targeting cloud infrastructure. The majority of the victim system were running public facing Juptyer Notebooks. | https://permiso.io/blog/s/christmas-cloud-cred-harvesting-campaign/ | 2023/01/08 |
| Kubernetes 1.26: Introducing Validating Admission Policies | In Kubernetes 1.26, the 1st alpha release of validating admission policies is available. Validating admission policies use the Common Expression Language (CEL) to offer a declarative, in-process alternative to validating admission webhooks. | https://kubernetes.io/blog/2022/12/20/validating-admission-policies-alpha/ | 2023/01/08 |
| Kubernetes v1.26: GA Support for Kubelet Credential Providers | Kubernetes v1.26 introduced generally available (GA) support forkubelet credential provider plugins, offering an extensible plugin framework to dynamically fetch credentials for any container image registry. | https://kubernetes.io/blog/2022/12/22/kubelet-credential-providers/ | 2023/01/08 |
| A Roadmap to Zero Trust Architecture | This roadmap was built by security experts to provide a vendor agnostic Zero Trust architecture and example implementation timeline. | https://zerotrustroadmap.org/ | 2022/12/18 |
| Introducing PEACH, a tenant isolation framework for cloud applications | A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation by reducing your cloud applications' attack surface. | https://www.wiz.io/blog/introducing-peach-a-tenant-isolation-framework-for-cloud-applications | 2022/12/18 |
| AWS ECR Public Vulnerability | A vulnerability that allowed external actors to delete, update, and create ECR Public images, layers, and tags in registries and repositories that belong to other AWS Accounts, by abusing undocumented internal ECR Public API actions. | https://blog.lightspin.io/aws-ecr-public-vulnerability | 2022/12/18 |
| Announcing OSV-Scanner: Vulnerability Scanner for Open Source | Google releasedOSV-Scanner, a free tool that gives open source developers easy access to vulnerability information relevant to their project. | https://security.googleblog.com/2022/12/announcing-osv-scanner-vulnerability.html | 2022/12/18 |
| Redshift Security: Attack Surface Explained | Understand how an attacker can leverage Redshift default permissions to perform lateral movement and privilege escalation. | https://www.dig.security/post/redshift-security-attack-surface-explained | 2022/12/18 |
| Unusual Cache Poisoning between Akamai and S3 buckets | A post presenting an unusual way of Cache Poisoning which happens between Akamai and Amazon S3 Buckets. | https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/ | 2022/12/18 |
| How DoorDash Secures Data Transfer Between Cloud and On-Premise Data Centers | How DoorDash built a secure data transfer to a new payment processing vendor by establishing a private network link using AWS Direct Connect. | https://doordash.engineering/2022/11/29/how-doordash-secures-data-transfer-between-cloud-and-on-premise-data-centers/ | 2022/12/18 |
| Detecting Cloud Account Takeover Attacks | The Splunk Threat Research Team shares a closer look at the telemetry available in Azure, AWS and GCP and the options teams have to ingest this data into Splunk. | https://www.splunk.com/en_us/blog/security/detecting-cloud-account-takeover-attacks-threat-research-release-october-2022.html | 2022/12/18 |
| Signatus, ergo securus? Who can sign what with TUF and Sigstore | A signature is only useful if consumers verify it correctly. One common failure mode is to verify that some software was signed, but not check who signed it. | https://blog.sigstore.dev/signatus-ergo-securus-who-can-sign-what-with-tuf-and-sigstore-ea4d3d84b8b6 | 2022/12/18 |
| Kubernetes v1.26: Electrifying | Kubernetes v1.26 will see some security-related improvements, like signing release artifacts with cosign, and the introduction of CEL (Common Expression Language) to make admission controllers easier to develop. | https://kubernetes.io/blog/2022/12/09/kubernetes-v1-26-release/ | 2022/12/18 |
| Compromised Cloud Compute Credentials: Case Studies From the Wild | A walk-through of attacks in the wild that abuse stolen cloud compute credentials in cloud environments. | https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ | 2022/12/11 |
| Vulnerability Inbox Zero | Love them or hate them, vulnerability scanners aren't going anywhere. You should tame the avalanche of findings with a noise-suppressing processing pipeline. Think in shovels, not in teaspoons. | https://alsmola.medium.com/vulnerability-inbox-zero-f9a73463e397 | 2022/12/11 |
| Building the Threat Detection Ecosystem at Brex | Brex's approach to building threat detection systems is to abstract the capabilities that allow for high-quality detections and then adapt to the best platforms that are available and appropriate for the team. | https://medium.com/brexeng/building-the-threat-detection-ecosystem-at-brex-215e98b2f1bc | 2022/12/11 |
| Palantir's FIDO2 secure implementation rollout | The second in a series by Palantir InfoSec on their journey enforcing FIDO2 authentication via hardware authenticators (YubiKeys) across all of Palantir. | https://blog.palantir.com/technical-controls-rollout-and-edge-cases-passwordless-authentication-series-2-c9b6dcd349e | 2022/12/11 |
| Visualizing Multi Cloud IAM Concepts | Some diagrams to understand key AWS, Azure and GCP IAM concepts and terminology. | https://julian-wieg.medium.com/visualizing-multi-cloud-iam-concepts-63525967c0a7 | 2022/12/11 |
| Forensic container checkpointing in Kubernetes | Forensic container checkpointing is based on Checkpoint/Restore In Userspace (CRIU) and allows the creation of stateful copies of a running container without the container knowing that it is being checkpointed. | https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/ | 2022/12/11 |
| Prioritization of the Detection Engineering Backlog | The detection engineering backlog is a vital starting point for every detection engineering function. By providing an area of input into the detection engineering backlog, cross-functional efficiency can enhance the capability of the detection engineering function. | https://posts.specterops.io/prioritization-of-the-detection-engineering-backlog-dcb18a896981 | 2022/12/11 |
| Dynamic Secrets for Waypoint with Vault | Learn how to source dynamic secrets from HashiCorp Vault in your Waypoint deployments using dynamic configuration. | https://www.hashicorp.com/blog/dynamic-secrets-for-waypoint-with-vault | 2022/12/11 |
| Recap of AWS re:Invent 2022: An Honest Review | Properly assess whether all those announcements should mean anything to you; here's the ultimate AWS re:Invent 2022 recap you were looking for. | https://www.resmo.com/blog/aws-reinvent-2022-recap | 2022/12/11 |
| Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention | The TokenRequest API in Kubernetes can be misused to create backdoors in clusters. This blog looks the how to secure and audit its use. | https://securitylabs.datadoghq.com/articles/kubernetes-tokenrequest-api/ | 2022/12/04 |
| Yet Another Azure VM Persistence Using Bastion Shareable Links | These links have no additional authentication and are publicly accessible. | https://blog.karims.cloud/2022/11/26/yet-another-azure-vm-persistence.html | 2022/12/04 |
| registry.k8s.io: faster, cheaper and Generally Available (GA) | Starting with 1.25, Kubernetes' container image registry has changed from k8s.gcr.io to registry.k8s.io. This new registry spreads the load across multiple Cloud Providers & Regions, functioning as a sort of CDN for Kubernetes container images. | https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/ | 2022/12/04 |
| Using Sigstore to meet FedRAMP Compliance at Autodesk | One of the more difficult challenges faced by platform developers: striking the right balance between freedom and security. How do you give product developers the tools to build apps while securing those projects at scale? | https://blog.sigstore.dev/using-sigstore-to-meet-fedramp-compliance-at-autodesk-6f645a920abc | 2022/11/27 |
| The Palantir's journey to passwordless FIDO2 auth | The first in a series by Palantir InfoSec on our journey enforcing FIDO2 authentication via hardware authenticators (YubiKeys) across all of Palantir. | https://blog.palantir.com/hardware-selection-and-logistics-passwordless-authentication-series-1-cef0a4550fab | 2022/11/27 |
| AWS pre:Invent 2022 | Chris Farrishighlights AWS's interesting and impactful security announcements in the lead-up to AWS re:Invent. | https://steampipe.io/blog/pre-invent-2022 | 2022/11/27 |
| Email Graffiti: hacking old email | Hacking images in old Emails, by registering the buckets or domains they point to, allows to vandalize old emails. | https://trufflesecurity.com/blog/email-graffiti/ | 2022/11/27 |
| How to Bypass Cloudflare: A Comprehensive Guide | A guide which covers what is Cloudflare Bot Management, how Cloudflare detects bots, and how to reverse engineer and bypass Cloudflare. | https://www.zenrows.com/blog/bypass-cloudflare | 2022/11/27 |
| A Confused Deputy Vulnerability in AWS AppSync | A cross-tenant vulnerability in AWS AppSync, which allowed an attacker to access data in victims' accounts. | https://securitylabs.datadoghq.com/articles/appsync-vulnerability-disclosure/ | 2022/11/27 |
| A dive into Microsoft Defender for Identity | Synacktiv recently analyzed the detection capabilities of Microsoft Defender for Identity, a cloud-based security solution which is the successor of Microsoft Advanced Threat Analytics and part of Microsoft Defender 365. | https://www.synacktiv.com/publications/a-dive-into-microsoft-defender-for-identity.html | 2022/11/27 |
| Kubernetes 1.25: KMS V2 Improvements | With Kubernetes v1.25, SIG Auth is introducing a new v2alpha1 version of the Key Management Service (KMS) API. KMS provides an interface for a provider to utilize a key stored in an external key service to perform encryption operations. | https://kubernetes.io/blog/2022/09/09/kms-v2-improvements/ | 2022/11/27 |
| Cloud Security Table Top Exercises | Really interesting table top exercises designed to start a conversation. Although they are focused towards AWS and not all of them will be applicable to every environment, I highly recommend to try them with your monitoring team. | https://levelup.gitconnected.com/cloud-security-table-top-exercises-629d353c268e | 2022/11/20 |
| Vulnerability Management at Lyft: Enforcing the Cascade | Blog detailing the systems Lyft built to address OS and OS-package level vulnerabilities in a timely manner across hundreds of services run on Kubernetes. | https://eng.lyft.com/vulnerability-management-at-lyft-enforcing-the-cascade-part-1-234d1561b994 | 2022/11/20 |
| SLSA: The Source of the problem | A well-written article on software supply chain security, covering: SLSA, different strategies for attacking Source Code Management (SCM), and attack trees. | https://medium.com/boostsecurity/slsa-dip-source-of-the-problem-a1dac46a976 | 2022/11/20 |
| The Many Ways to Access RDS | An overview of RDS access management capabilities along with examples using Terraform. | https://blog.symops.com/2022/11/17/rds-access/ | 2022/11/20 |
| A Deep Dive on AWS KMS Key Access and AWS Key Grants | A deep dive on KMS Key Access via KMS Key Grants and best practices with KMS Key Grants. Access via KMS Key Grants can be a forgotten means of allowing unauthorized applications, users, and other undesired access to use and manage KMS Keys. | https://www.cloudquery.io/blog/aws-kms-key-grants-deep-dive | 2022/11/20 |
| Token tactics: How to prevent, detect, and respond to cloud token theft | As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. | https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/ | 2022/11/20 |
| Layers Of Cloud Azure And The Mis-Storage Of Secrets | Ever wondered how storing secrets in the cloud can go wrong? This talk by@_sigilat BSides Toronto 2022 looks at common ways passwords should be stored. | https://www.youtube.com/watch?v=SmxEvVg6Fe8 | 2022/11/20 |
| Abusing tcp tunneling in Azure Bastion | How Azure Bastion Native Client support works, and how an adversary could abuse this feature to perform attacks against Azure VMs over private IP addresses, without having direct network connectivity to the VM. | https://codyburkard.com/blog/bastionabuse/ | 2022/11/20 |
| Getting Started With Ephemeral Containers | If you're following the latest news on Kubernetes, you probably would have heard about Ephemeral Containers. Not sure? This blog post sheds some light on this new feature soon to be stable in Kubernetes v1.25. | https://metalbear.co/blog/getting-started-with-ephemeral-containers/ | 2022/11/20 |
| Infosys leaked FullAdminAccess AWS keys on PyPi for over a year | They appear to issue AWS keys to developers that are not rotated for several years and store these keys in git. They also don't have a clear place to report security issues like this. | https://tomforb.es/infosys-leaked-fulladminaccess-aws-keys-on-pypi-for-over-a-year/ | 2022/11/20 |
| Robbery on DevOps: Understanding and Mitigating Illicit Cryptomining on Continuous Integration Service Platforms | A paper which provides a systematic study on real-world illicit cryptomining on public CI platforms, and proposes a novel approach which suppresses the miner's revenues, rendering them unprofitable, but only has negligible impacts on the performance of CI jobs and developer productivity. | https://www.xiaojingliao.com/uploads/9/7/0/2/97024238/sp22-devops.pdf | 2022/11/13 |
| An AWS account just for getting into other AWS accounts | This is the AWS account that makes having lots of AWS accounts efficient and safe. It's the most important account in your organization. | https://src-bin.com/an-aws-account-just-for-getting-into-other-aws-accounts/ | 2022/11/13 |
| From zero to production in sixty minutes: Building a cloud platform for product development | How GSK set out to build a cloud platform to enable their product team to work in short cycles. | https://medium.com/gsktech/from-zero-to-production-in-sixty-minutes-building-a-cloud-platform-for-product-development-1d7e9bcd995d | 2022/11/13 |
| FivexL's Reaction to the AWS Security Baseline for Startups | FivexL shares its outlook on AWS Security Guidelines for startups. Find out how to improve your AWS security efficiently. | https://fivexl.io/blog/fivexl-reaction/ | 2022/11/13 |
| GitOps Certification | Some courses (and certifications) that teach the theory of GitOps and how to apply all of these practices in your application using the Argo project family. | https://learning.codefresh.io/home | 2022/11/13 |
| AWS Network Firewall Workshop | A workshop teaching how to deploy Network Firewall using infrastructure as code. | https://catalog.us-east-1.prod.workshops.aws/workshops/58df66b5-ffd5-42dc-9e2c-d5a8ebe360d8/en-US | 2022/11/13 |
| Bypassing Azure AD home tenant MFA and CA | Because of the Azure AD authentication platform architecture, users can bypass home tenant MFA and CA policies when logging in directly to resource tenants. | https://aadinternals.com/post/ests/ | 2022/11/13 |
| OCI as attestations storage for your packages | A post showing an approach to store SBOMs and Provenance in an OCI registry for software release assets. | https://marcofranssen.nl/oci-as-attestations-storage-for-your-packages | 2022/11/13 |
| Tracee Newly Released Rules Detect Attackers Out-of-the-Box | Tracee now detects suspicious behavior at runtime with an extensive data collection and rules engine with a revised signature library for an array of scenarios. | https://blog.aquasec.com/tracee-rules-detect-attackers-out-of-the-box | 2022/11/13 |
| Internet Egress Filtering of Services at Lyft | How the Security team of Lyft achieved egress network traffic filtering for all their services. | https://eng.lyft.com/internet-egress-filtering-of-services-at-lyft-72e99e29a4d9 | 2022/11/06 |
| Exploiting Static Site Generators: When Static Is Not Actually Static | The Assetnote security research team found vulnerabilities in static site generators (such as GatsbyJS and NextJS) and associated platforms (Netlify and GatsbyJS Cloud), which enabled SSRF. | https://blog.assetnote.io/2022/10/28/exploiting-static-site-generators/ | 2022/11/06 |
| How We Use Terraform At Slack | Post looking at how the Slack team uses Terraform to build their infrastructure. | https://slack.engineering/how-we-use-terraform-at-slack/ | 2022/11/06 |
| CosMiss: Azure Cosmos DB Vulnerability | The Orca Research team has discovered CosMiss, a vulnerability in Microsoft Azure Cosmos DB where authentication checks were missing from Cosmos DB Notebooks. | https://orca.security/resources/blog/cosmiss-vulnerability-azure-cosmos-db/ | 2022/11/06 |
| Kubernetes: Securing a Cluster | This document covers topics related to protecting a cluster from accidental or malicious access and provides recommendations on overall security. | https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/ | 2022/11/06 |
| Vault DR with AWS Lambda for Sub-Minute Recovery | How YNAP used AWS Lambda functions to reduce the disaster recovery time for HashiCorp Vault to mere seconds. | https://www.hashicorp.com/resources/vault-dr-with-aws-lambda-for-sub-minute-recovery | 2022/11/06 |
| Learning by auditing Kubernetes manifests | An example of how you could learn about Kubernetes security and architecture by reviewing reports from Chekov. | https://blog.frankel.ch/learning-auditing-kubernetes-manifests/ | 2022/11/06 |
| Announcing GUAC, a great pairing with SLSA (and SBOM) | Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database, normalizing entity identities and mapping standard relationships between them. | https://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html | 2022/11/06 |
| From Self-Hosted GitHub Runner to Self-Hosted Backdoor | As CI/CD pipelines become more prevalent, their attack surface and abuse are being leveraged more and more by advanced red teams and real-world APTs. | https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/ | 2022/10/30 |
| Solving common problems with Kubernetes | This article is aimed at engineers who need to deploy their code using Kubernetes, but have no idea what Kubernetes is or how it works. | https://blog.adamchalmers.com/kubernetes-problems/ | 2022/10/30 |
| Three Kubernetes events worth investigating | Whether you run Kubernetes yourself or use a managed provider like GKE, EKS, or AKS, certain events are worth investigating: successful authorisation of an anonymous request, default service account bound to privileged cluster role, and Pod created with an unusual image. | https://expel.com/blog/three-kubernetes-events-worth-investigating/ | 2022/10/30 |
| Best Practices for Network Perimeter Security in Cloud-Native Environments | The evolution of network perimeters in modern cloud environments as well as some best practices for securing them. | https://www.datadoghq.com/blog/securing-cloud-native-infrastructure-network-perimeter/ | 2022/10/30 |
| AWS Security Groups Guide | Knowing how security groups & NACLs work together is extremely important for controlling network traffic to your instances & subnets. | https://sysdig.com/blog/aws-security-groups-guide/ | 2022/10/30 |
| AWS security assessment: what scanners are missing and how threat modeling may help you? | Without a doubt security tools are very helpful in automating security checks, but they should be treated as a complement only, and never as a replacement for the assessor. | https://towardsaws.com/aws-security-assessment-what-scanners-are-missing-and-how-threat-modeling-may-help-you-6a76c1c843f3 | 2022/10/30 |
| Sigstore project announces general availability and v1.0 releases | The Sigstore community announced the general availability of their free, community-operated certificate authority and transparency log services. In addition, two of Sigstore's foundational projects, Fulcio and Rekor, published v1.0 releases denoting a commitment to API stability. | https://opensource.googleblog.com/2022/10/sigstore-project-announces-general-availability-and-v1-releases.html | 2022/10/30 |
| The State of Vault and Kubernetes, and Future Plans | An overview of the most common ways to use HashiCorp Vault and Kubernetes together, and a preview of a new method HashiCorp is considering. | https://www.hashicorp.com/blog/the-state-of-vault-and-kubernetes-and-future-plans | 2022/10/30 |
| Trivy Now Supports NSA Kubernetes Compliance | Trivy, now supporting NSA compliance guideline, lets you outline reports to curate hundreds of checks for different components and configurations. | https://blog.aquasec.com/trivy-now-supports-nsa-kubernetes-compliance | 2022/10/30 |
| The Danger of Falling to System Role in AWS SDK Client | Writeup of a vulnerability identified in a web application that was using the AWS SDK for Go (v1) to implement an "Import Data From S3" functionality. | https://blog.doyensec.com/2022/10/18/cloudsectidbit-dataimport.html | 2022/10/23 |
| How to list all resources in your AWS account | You may have been there before: you got access to an AWS account and just want to list which resources are configured in it. The seemingly simple task of listing all resources quickly turns out to be complicated. | https://awstip.com/how-to-list-all-resources-in-your-aws-account-c3f18061f71b | 2022/10/23 |
| Untangling Azure Active Directory Principals & Access Permissions | Post untangling the question of 'who has access to what' in an Azure Active Directory environment. APowerShell toolwas also released to automatically enumerate this. | https://csandker.io/2022/10/19/Untangling-Azure-Permissions.html | 2022/10/23 |
| Azure Active Directory - Security Overview | A nice diagram providing an overview of the endpoints/integrations/connections/features in the Azure AD ecosystem. | https://msandbu.org/azure-active-directory-security-overview/ | 2022/10/23 |
| PCI Compliance for Kubernetes in detail - Part 3 - Workload Security | This is the 3rd part of an in-depth look at how companies running Kubernetes can approach implementing the recommendation of PCI’s guidance for container orchestration. | https://raesene.github.io/blog/2022/10/15/PCI-Kubernetes-Section3-workload-security/ | 2022/10/23 |
| Guide to AWS Lambda Function URLs | Post explaining AWS Lambda Function URLs - a new feature in AWS Lambda that allows you to call a Lambda function without an API Gateway. | https://cloudash.dev/blog/guide-to-lambda-function-urls | 2022/10/23 |
| FabriXss: How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer | The Orca Research Pod has discovered FabriXss a vulnerability in Azure Service Fabric Explorer that allows attackers to gain full Administrator permissions. | https://orca.security/resources/blog/fabrixss-vulnerability-azure-fabric-explorer/ | 2022/10/23 |
| Enrich AWS account data in Microsoft Sentinel | As organisations are integrating Amazon Web Services data sources with Microsoft Sentinel, many are facing a common problem: how to identify AWS resources and handle contextual data such as AWS account information for alerts and incidents? | https://secopslab.fi/2022-10-microsoftsentinel-awswatchlist/ | 2022/10/23 |
| Pod Security Policies are dead, long live Pod Security Admission! | How can we enforce security best-practices at cluster or namespace level? | https://faun.pub/pod-security-policies-are-dead-long-live-pod-security-admission-a7431a764ba3 | 2022/10/23 |
| Lateral movement risks in the cloud and how to prevent them - Part 1: the network layer (VPC) | Post introducing lateral movement as it pertains to VPCs. It discusses attacker TTPs, and outlines best practices for security practitioners and cloud builders to help secure their cloud environment and reduce risk. | https://www.wiz.io/blog/lateral-movement-risks-in-the-cloud-and-how-to-prevent-them-part-1-the-network-layer | 2022/10/16 |
| Security Logging in Cloud Environments - GCP | Another update to my "Security Logging in Cloud Environments - GCP" post, this time adding the new Sensitive Actions Service to the SCC section. | https://blog.marcolancini.it/2021/blog-security-logging-cloud-environments-gcp/ | 2022/10/16 |
| On Bypassing eBPF Security Monitoring | How Doyensec managed to bypass eBPF-based controls, along with some ideas on how red teams or malicious actors could evade these new intrusion detection mechanisms. | https://blog.doyensec.com//2022/10/11/ebpf-bypass-security-monitoring.html | 2022/10/16 |
| You should have lots of AWS accounts | Lots of AWS accounts working together in harmony will net you a more secure, more reliable, and more compliant cloud infrastructure. | https://src-bin.com/you-should-have-lots-of-aws-accounts/ | 2022/10/16 |
| Associating security metadata with multi-architecture container images | This post explores a common mistake made when assessing the security of multi-arch container images. | https://www.jetstack.io/blog/supply-chain-security-multi-arch/ | 2022/10/16 |
| PCI Compliance for Kubernetes in detail - Part 2 - Authorization | The 2nd part of an in-depth look at how companies running Kubernetes can approach implementing the recommendation of PCI's guidance for container orchestration. | https://raesene.github.io/blog/2022/10/08/PCI-Kubernetes-Section2-Authorization/ | 2022/10/16 |
| Public Network Access to Azure Resources Is Too Easy to Configure | For some types of Azure resources and subnets, it's extremely easy to configure what is essentially public network access. This post describes some examples and how to reduce such risks. | https://ermetic.com/blog/azure/public-network-access-to-azure-resources-is-too-easy-to-configure/ | 2022/10/16 |
| Restructuring the Kubernetes Threat Matrix and Evaluating Attack Detection by Falco | Post talking about some attack methods missing from the Threat matrix for Kubernetes published by Microsoft. | https://engineering.mercari.com/en/blog/entry/20220928-kubernetes-threat-matrix-and-attack-detection-by-falco/ | 2022/10/16 |
| HashiCorp Vault 1.12 Adds New Secrets Engines, ADP Updates, and More | Vault 1.12 focuses on improving Vault's core workflows as well as adding new features such as Redis and Amazon ElastiCache secrets engines, a new PKCS#11 provider, improved Transform secrets engine usability, updated resource quotas, expanded PKI revocation and telemetry capabilities. | https://www.hashicorp.com/blog/vault-1-12 | 2022/10/16 |
| Unofficial list of free resources to learn AWS for absolute beginners | An unofficial list offreeresources to learn AWS forabsolute beginners. This will be a living document. | https://docs.google.com/document/d/1fDTumqm5oc_nLAQBUnW8c6hAGmGx95a8-BZ92GqlbUs/edit | 2022/10/09 |
| Diving Deeply into IAM Policy Evaluation | A post going through confounding conditions, double and triple negatives, and principals matched and unmatched to explain a more accurate model of how IAM evaluates permissions internally. | https://ermetic.com/blog/aws/diving-deeply-into-iam-policy-evaluation-highlights-from-aws-reinforce-session-iam433/ | 2022/10/09 |
| State of AWS Security in 2022: A Look Into Real-World AWS Environments | Datadog analyzed trends in the implementation of security best practices and took a closer look at various types of misconfigurations that contribute to the most common causes of security breaches. | https://www.datadoghq.com/state-of-aws-security/ | 2022/10/09 |
| AWS Permission Boundaries for Dummies | Tl;dr: if you want someone to admin some IAM in an account but not all the IAM, then you might need one. | https://www.firemon.com/aws-permission-boundaries-for-dummies/ | 2022/10/09 |
| What your scanner doesn't know **can** hurt you | This post explains how most vulnerability scanners for containers work, and highlights a few challenges this approach has that can lead to blind spots in your infrastructure. | https://www.chainguard.dev/unchained/what-your-scanner-doesnt-know-cant-hurt-you | 2022/10/09 |
| Kubernetes 1.25: alpha support for running Pods with user namespaces | This is a major improvement for running secure workloads in Kubernetes. Each pod will have access only to a limited subset of the available UIDs and GIDs on the system, thus adding a new security layer to protect from other pods running on the same system. | https://kubernetes.io/blog/2022/10/03/userns-alpha/ | 2022/10/09 |
| Terraform Gains Visibility, Self-Service, and Compliance Upgrades | Continuous validation, no-code provisioning, native OPA support for Terraform Cloud, and other new features are key upgrades to HashiCorp Terraform introduced at HashiConf Global 2022. | https://www.hashicorp.com/blog/terraform-gains-visibility-self-service-and-compliance-upgrades | 2022/10/09 |
| Cyber Security Career Pathways | A first attempt at grouping security-related roles into macro-functions commonly found in tech companies. | https://blog.marcolancini.it/2022/blog-cyber-security-career-pathways/ | 2022/10/09 |
| A Guide To Identify Authorization Vulnerabilities At Scale Using Semgrep | Some ideas on how to effectively identify, remediate and eliminate authorization vulnerabilities at scale in your org, via an example scenario and some SAST rules. | https://www.anshumanbhartiya.com/posts/detect-authz-at-scale-nestjs | 2022/10/09 |
| Ramblings from Jessie: Hard Multi-Tenancy in Kubernetes | A design proposal for how to do hard multi-tenancy in Kubernetes. | https://blog.jessfraz.com/post/hard-multi-tenancy-in-kubernetes/ | 2022/10/09 |
| Best practices on rolling out code scanning at enterprise scale | Some best practices on how to roll out centrally managed, developer-centric application security with a third party CI/CD system like Jenkins or ADO. | https://github.blog/2022-09-28-best-practices-on-rolling-out-code-scanning-at-enterprise-scale/ | 2022/10/02 |
| 26 AWS Security Best Practices to Adopt in Production | There are many things you must set up if you want your solution to be operative, secure, reliable, performant, and cost effective. And, first things first, the best time to do that is now - right from the beginning, before you start to design and engineer. | https://sysdig.com/blog/26-aws-security-best-practices/ | 2022/10/02 |
| Vulnerability Scanning at Palantir | Effective vulnerability management is a cornerstone of any security program. This post explains how Palantir streamlines and automates vulnerability remediation efforts. | https://blog.palantir.com/how-palantir-manages-continuous-vulnerability-scanning-at-scale-9fbe25039ff5 | 2022/10/02 |
| Our Application Security Journey | A 2 part series on the state of Application Security at Wise, describing their integration of security in the Software Development Lifecycle (part 1,part 2). | https://medium.com/wise-engineering/our-application-security-journey-part-1-fb7d449a7126 | 2022/10/02 |
| Executive Order on Secure Supply Chain - in Plain English | You may have heard about EO 14028, the "Executive Order on Improving the Nation's Cybersecurity", which mandates the establishment of minimum supply chain security standards for all software consumed by the US government. This post tries to lay it out in plain English and share steps to help you get ready to meet the timelines. | https://slsa.dev/blog/2022/09/eo-in-plain-english | 2022/10/02 |
| Introducing workerd: the Open Source Workers runtime | workerd is the JavaScript/Wasm runtime code that powers Cloudflare Workers, now open source under the Apache 2.0 license. | https://blog.cloudflare.com/workerd-open-source-workers-runtime/ | 2022/10/02 |
| Kubernetes Multi-tenancy | An overview of available configuration options and best practices for cluster multi-tenancy. | https://kubernetes.io/docs/concepts/security/multi-tenancy/ | 2022/10/02 |
| Vulnerable GitHub Actions Workflows: Privilege Escalation Inside Your CI/CD Pipeline | Post walking through the risks of using the workflow_run GitHub trigger, with concrete examples. | https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability | 2022/10/02 |
| Using Kyverno To Enforce AWS Load Balancer Annotations For Centralized Logging To S3 | Post covering the steps to take in order to use Kyverno to automatically configure the annotations that enable access logs for an AWS Network Load Balancer (NLB) to be forwarded to an S3 bucket. | https://silvr.medium.com/using-kyverno-to-enforce-aws-load-balancer-annotations-for-centralized-logging-to-s3-af5dc1f1f3e0 | 2022/10/02 |
| Run a Tailscale VPN relay on ECS/Fargate | A step by step tutorial on how to run Tailscale in ECS. | https://platformers.dev/log/2022/tailscale-ecs/ | 2022/10/02 |
| How we Abused Repository Webhooks to Access Internal CI Systems at Scale | Any internet originating attacker can leverage an SCM webhook infrastructure to send traffic towards internal CI systems and conduct malicious activities which range from obtaining valid CI credentials to running exploits and fully compromising the CI. | https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhooks-to-access-internal-ci-systems-at-scale/ | 2022/09/25 |
| How DoorDash Ensures Velocity and Reliability through Policy Automation | How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for cloud infrastructure automated deployments. | https://doordash.engineering/2022/09/20/how-doordash-ensures-velocity-and-reliability-through-policy-automation/ | 2022/09/25 |
| AWS IAM Identity Center Access Tokens are Stored in Clear Text and No, That's Not a Critical Vulnerability | Assuming constant full compromise of all machines is probably going to lead to controls where users can't reasonably do work. | https://itnext.io/aws-iam-identity-center-access-tokens-are-stored-in-clear-text-and-no-thats-not-a-critical-68a48c1e398 | 2022/09/25 |
| AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes | Before it was patched, AttachMe could have allowed attackers to access and modify any other users' OCI storage volumes without authorization, thereby violating cloud isolation. Upon disclosure, the vulnerability was fixed within hours by Oracle. No customer action was required. | https://www.wiz.io/blog/attachme-oracle-cloud-vulnerability-allows-unauthorized-cross-tenant-volume-access | 2022/09/25 |
| Azure Cloud Shell Command Injection: Stealing User's Access Tokens | This post describes how a researcher took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users' terminals. | https://blog.lightspin.io/azure-cloud-shell-command-injection-stealing-users-access-tokens | 2022/09/25 |
| The Challenges of Assessing Kubernetes clusters for PCI Compliance | There's some complexities that auditors and assessors should be aware of if they're new to Kubernetes, and this blog takes a quick look at them. | https://raesene.github.io/blog/2022/09/20/Assessing-Kubernetes-Clusters-for-PCI-Compliance/ | 2022/09/25 |
| Azure Attack Paths | Post shedding some light on known attack paths in an Azure environment. | https://cloudbrothers.info/azure-attack-paths/ | 2022/09/25 |
| A Guide to Improving Security Through Infrastructure-as-Code | This article aims to make an attempt to collect the main starting points, creating a guide on how to integrate security into infrastructure as a code and show how these security checks and gates, tools and procedures secures the infrastructure. | https://research.nccgroup.com/2022/09/19/a-guide-to-improving-security-through-infrastructure-as-code/ | 2022/09/25 |
| Serverless Ad Blocking with Cloudflare Gateway | How I blocked advertisements in my home office, mimicking the Pi-hole's behaviour, using only serverless technologies (Cloudflare Gateway, to be precise). | https://blog.marcolancini.it/2022/blog-serverless-ad-blocking-with-cloudflare-gateway/ | 2022/09/25 |
| Terraform 1.3 Improves Extensibility and Maintainability of Terraform Modules | Now generally available, HashiCorp Terraform 1.3 introduces optional object type attributes with defaults, and enhancements to moved blocks, improving extensibility and maintainability of Terraform modules. | https://www.hashicorp.com/blog/terraform-1-3-improves-extensibility-and-maintainability-of-terraform-modules | 2022/09/25 |
| AWS Ramp-Up Guide: Security | A guide that can help you prepare for the "AWS Certified Security - Specialty" certification exam. | https://d1.awsstatic.com/training-and-certification/ramp-up_guides/Ramp-Up_Guide_Security.pdf | 2022/09/18 |
| What's Inside Of a Distroless Container Image: Taking a Deeper Look | What are these distroless images, really? Why are they needed? What's the difference between a container started from a distroless base and a container started from scratch? Let's take a deeper look. | https://iximiuz.com/en/posts/containers-distroless-images/ | 2022/09/18 |
| Kubernetes Security For CISOs | The top five security measures that CISOs should be thinking about for any Kubernetes implementation. | https://blog.ksoc.com/kubernetes-security-for-cisos/ | 2022/09/18 |
| SBOMs are just a means to an end | The industry movement towards SBOMs needs material interventions to be usable at scale for exceedingly basic use cases. This post hopes to begins a discussion at the industry level that brings us closer to our desired state and to challenge the notion of what that desired state even is. | https://www.endorlabs.com/blog/sbom-is-just-a-means-to-an-end | 2022/09/18 |
| Announcing the Auto-refreshing Official Kubernetes CVE Feed | A long-standing request from the Kubernetes community has been to have a programmatic way for end users to keep track of Kubernetes security issues (CVEs). Accompanying the release of Kubernetes v1.25, suchfeedis now an alpha feature. | https://kubernetes.io/blog/2022/09/12/k8s-cve-feed-alpha/ | 2022/09/18 |
| Open Source Software (OSS) Secure Supply Chain (SSC) Framework | This guide outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agonistic set of practices and a maturity model-based implementation guide. | https://github.com/microsoft/oss-ssc-framework | 2022/09/18 |
| Falco Threat Detection Extends to gVisor to Monitor Highly Sensitive Workloads | The Falco-gVisor integration means that gVisor users now only need to instrument each host for monitoring, rather than every application, enabling Falco to monitor both containers and nodes. | https://sysdig.com/press-releases/falco-extends-to-gvisor/ | 2022/09/18 |
| Azure Active Directory Pass-Through Authentication Flaws | Secureworks researchers analyzed how the protocols used by Pass-Through Authentication (PTA) could be exploited. The result? A compromised PTA agent certificate gives threat actors persistent and undetectable access to a target organization. | https://www.secureworks.com/research/azure-active-directory-pass-through-authentication-flaws | 2022/09/18 |
| What's New for Security in Kubernetes 1.25 | A recap of some of the interesting new security changes in Kubernetes 1.25. | https://securitylabs.datadoghq.com/articles/whats-new-for-security-in-kubernetes-125/ | 2022/09/18 |
| Shifting (even further) Left on Kubernetes Resource Compliance | An example on how to use OPA and Gatekeeper to automate security and compliance in Kubernetes. | https://medium.com/google-cloud/shifting-even-further-left-on-kubernetes-resource-compliance-8f96fb8c72eb | 2022/09/18 |
| PCI Guidance for Containers and Container Orchestration Tools | The PCI Council has published their best practice guidance for containers and container orchestration tools, super useful if you're using Kubernetes in PCI environments. On this topic,@raesenereleased ablog postwhich looks at some of the implications. | https://blog.pcisecuritystandards.org/new-information-supplement-guidance-for-containers-and-container-orchestration-tools | 2022/09/11 |
| Attacking Firecracker: AWS' microVM Monitor Written in Rust | Firecracker is a microVM manager in Rust that powers AWS services like Lambda and Fargate. Here's how a red team team attacked a vulnerability in Firecracker. | https://www.graplsecurity.com/post/attacking-firecracker | 2022/09/11 |
| Zuckerpunch - Abusing self hosted github runners at Facebook | How a security researcher abused Github Actions to get full root into the PyTorch CI runners. | https://marcyoung.us/post/zuckerpunch/ | 2022/09/11 |
| A Federated Approach To Providing User Privacy Rights | How Lyft approaches managing user privacy in order to seamlessly handle compliance, data export, and deletion. | https://eng.lyft.com/a-federated-approach-to-providing-user-privacy-rights-3d9ab73441d9 | 2022/09/11 |
| Istio - Introducing Ambient Mesh | The Istio team announced Istio ambient mesh, a new dataplane mode for Istio without sidecars. | https://istio.io/latest/blog/2022/introducing-ambient-mesh/ | 2022/09/11 |
| Kubernetes API Server Bypass Risks | This page describes the ways in which the security controls built into the Kubernetes API server can be bypassed, so that cluster operators and security architects can ensure that these bypasses are appropriately restricted. | https://kubernetes.io/docs/concepts/security/api-server-bypass-risks/ | 2022/09/11 |
| 5 tools for generating SBOM - Which is the best tool? | Post comparing CycloneDX, Syft (by Anchore), Microsoft.Sbom.Tool, Fossa, and Snyk (snyk2spdx). | https://mergebase.com/blog/best-tools-for-generating-sbom/ | 2022/09/11 |
| Fun with Windows Containers - Popping Calc | Popping calc.exe on a Kubernetes Windows cluster node with hostprocess containers. | https://raesene.github.io/blog/2022/09/03/Fun-With-Windows-Containers-Popping-Calc/ | 2022/09/11 |
| The Complete Guide to AWS KMS | An intro guide to AWS Key Management Service (AWS KMS), its different key types, and access (IAM) best practices. | https://blog.lightspin.io/the-complete-guide-to-aws-kms | 2022/09/11 |
| Falco Driverkit with Docker on Debian | First of a series of posts where explaining how Falco generates its much needed driver and how to make it available to deployments. | https://falco.org/blog/falco-driverkit-debian-docker/ | 2022/09/11 |
| Vault, Kubernetes, and the Graduation of vault-k8s to Version 1.0 | HashiCorp announced the graduation ofvault-k8sto version 1.0. | https://www.hashicorp.com/blog/vault-kubernetes-and-the-graduation-of-vault-k8s-to-version-1-0 | 2022/09/11 |
| Incident Response in AWS | Post intended to help those already familiar with the principles of Incident Response to understand what to do when the incident involves the AWS Control Plane. | https://www.chrisfarris.com/post/aws-ir/ | 2022/09/04 |
| Implementing Quarantine Pattern for Container Images | Post describing some ways to implement a quarantine pattern for container images or other artifacts stored in OCI registries. | https://toddysm.com/2022/08/30/implementing-quarantine-pattern-for-container-images/ | 2022/09/04 |
| AWS IAM Interview Questions | Some AWS IAM interview questions to help understand how much an engineer might know about AWS IAM, and how to apply it. | https://www.k9security.io/docs/aws-iam-interview-questions/ | 2022/09/04 |
| Refresh Secrets for Kubernetes Applications with Vault Agent | Post describing the system signal and live reload methods for updating Kubernetes applications when secrets change. | https://www.hashicorp.com/blog/refresh-secrets-for-kubernetes-applications-with-vault-agent | 2022/09/04 |
| General availability of SLSA3 Generic Generator for GitHub Actions | The SLSA community announced that they're adding a new tool to generate provenance documents for projects developed in any programming language, while keeping your existing building workflows. | https://slsa.dev/blog/2022/08/slsa-github-workflows-generic-ga | 2022/09/04 |
| Learn Istio - How to Manage, Monitor, and Secure Microservices | A thorough introduction to Istio, showing what it does under the hood. | https://www.freecodecamp.org/news/learn-istio-manage-microservices | 2022/09/04 |
| SMTP Matching Abuse in Azure AD | How SMTP matching can be abused to obtain privileged access via eligible role assignments, and how to prevent it. | https://www.semperis.com/blog/smtp-matching-abuse-in-azure-ad/ | 2022/09/04 |
| Automating Azure Abuse Research - Part 2 | Second part of a series, this time focusing on how to use the BloodHound Attack Research Kit (BARK) to perform so-called "continuous abuse primitive validation". | https://posts.specterops.io/automating-azure-abuse-research-part-2-3e5bbe7a20c0 | 2022/09/04 |
| OWASP Kubernetes Top 10 | The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system admistrators, and software developers prioroitze risks around the Kubernetes ecosystem. The Top Ten is a prioritized list of these risks backed by data collected from organizations varying in maturity and complexity. | https://github.com/OWASP/www-project-kubernetes-top-ten | 2022/08/28 |
| A Kubernetes User's Guide to HashiCorp Nomad Secret Management | A comparison of the native secrets management functionality of Kubernetes to HashiCorp Vault and how it is possible for HashiCorp Nomad to integrate with Vault vs Kubernetes+Vault integration. | https://www.hashicorp.com/blog/a-kubernetes-user-s-guide-to-hashicorp-nomad-secret-management | 2022/08/28 |
| Using nginx-ingress controller to restrict access by IP (ip whitelisting) for a service deployed to a Kubernetes (AKS) cluster | How to restrict access to certain client source IPs for a service deployed to an AKS cluster. | https://medium.com/@maninder.bindra/using-nginx-ingress-controller-to-restrict-access-by-ip-ip-whitelisting-for-a-service-deployed-to-bd5c86dc66d6 | 2022/08/28 |
| Crawl, walk, run: Operationalizing your IaC security program | Learn how to operationalize your infrastructure as code security program with our rollout timeline and guidance for your first ninety days. | https://bridgecrew.io/blog/how-to-implement-an-infrastructure-as-code-security-program/ | 2022/08/28 |
| GitHub - SSH commit verification now supported | GitHub now supports SSH commit verification, so you can sign commits and tags locally using a self-generated SSH public key, which will give others confidence about the origin of a change you have made. | https://github.blog/changelog/2022-08-23-ssh-commit-verification-now-supported/ | 2022/08/28 |
| Kubernetes v1.25: Pod Security Admission Controller in Stable | The release of Kubernetes v1.25 marks a major milestone for Kubernetes out-of-the-box pod security controls: Pod Security admission (PSA) graduated to stable, and Pod Security Policy (PSP) has been removed. | https://kubernetes.io/blog/2022/08/25/pod-security-admission-stable/ | 2022/08/28 |
| Characterizing the Security of Github CI Workflows | Paper comparing 6 popular CI/CD platforms and how they enforce security properties like: Admittance Control, Execution Control, Code Control, and Access to Secrets. |
https://www.usenix.org/system/files/sec22-koishybayev.pdf | 2022/08/21 |
| Auditing RBAC - Redux | Tools are a great way to get started with understanding cluster rights, but we always have to be aware that they can only tell you what they can see within the scope of their operation. | https://raesene.github.io/blog/2022/08/14/auditing-rbac-redux/ | 2022/08/21 |
| Three Guardrails for AWS Lambda | Three guardrails you can put in place around that Lambda code: code signing, function versions and aliases, and Amazon CodeGuru Reviewer. | https://blog.symops.com/2022/08/17/lambda-guardrails/ | 2022/08/21 |
| Automating Insecurity In Azure | Slides of the homonym talk at@cloudvillage_dc. | https://notpayloads.blob.core.windows.net/slides/DC-AzureAutomationAccounts.pdf | 2022/08/21 |
| GCP: Monitor IAM role assignments via Log Alerts in GCP | How to create Log alerts in GCP to track specific IAM role assignments. | https://medium.com/google-cloud/audit-iam-role-assignments-in-gcp-through-log-alerts-3bcdf3d7a504 | 2022/08/21 |
| GitOps: A Simple Approach to using AWS Secrets Manager with Kubernetes | A starting point for secrets management in Kubernetes by using simpler ideas and minimal tooling. | https://opssorry.substack.com/p/gitops-a-simple-approach-to-using | 2022/08/21 |
| How to setup geofencing and IP allow-list for Cognito user pool | AWS announced a new feature this week that lets you enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists. | https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/ | 2022/08/21 |
| Modern workload identity with SPIFFE & Trust Domains | How to configure SPIFFE workload identities using cert-manager. | https://www.jetstack.io/blog/workload-identity-with-spiffe-trust-domains/ | 2022/08/21 |
| Open Cybersecurity Schema Framework | A number of organizations (like AWS) announced the release of the Open Cybersecurity Schema Framework (OCSF) project, which includes an open specification for the normalization of security telemetry across a wide range of security products and services, as well as open-source tools that support and accelerate the use of the OCSF schema. | https://github.com/ocsf | 2022/08/14 |
| The cloud has an isolation problem: PostgreSQL vulnerabilities affect multiple cloud vendors | How Wiz Research uncovered multiple related vulnerabilities in PostgreSQL-as-a-Service offerings from GCP, Azure, and others. | https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities | 2022/08/14 |
| Controlling the Source: Abusing Source Code Management Systems | Post detailing a few ways to abuse some of the most popular source code management systems to perform various attack scenarios, like: reconnaissance, manipulation of user roles, repository takeover, pivoting to other DevOps systems, user impersonation, and maintaining persistent access. | https://securityintelligence.com/posts/abusing-source-code-management-systems/ | 2022/08/14 |
| How to manage Route53 hosted zones in a multi-account environment | How to manage Route53 hosted zones in a multi-account environment so each account has full authority over its subdomain. | https://theburningmonk.com/2021/05/how-to-manage-route53-hosted-zones-in-a-multi-account-environment/ | 2022/08/14 |
| AWS Account Setup and Root User | A guide through the introductory steps to configure contacts for an AWS account & secure the root user. | https://wellarchitectedlabs.com/security/100_labs/100_aws_account_and_root_user | 2022/08/14 |
| Scaling our security detection pipeline with Sigma | This post explains how Monzo scaled their detection rules using Sigma. | https://monzo.com/blog/2022/08/05/scaling-our-security-detection-pipeline-with-sigma | 2022/08/14 |
| Load external data into OPA: The Good, The Bad, and The Ugly | There are several ways to create a data fetching mechanism for OPA - each of them has its pros and cons. | https://dev.to/permit_io/load-external-data-into-opa-the-good-the-bad-and-the-ugly-26lc | 2022/08/14 |
| Security Considerations For Hosting Domain Controllers In Cloud | While Domain Controllers might not be something that new organizations, those born in the cloud, would rely on today, it seems common for most existing organizations that seek to migrate. | https://blog.karims.cloud/2022/08/09/security-considerations-for-hosting-domain-controllers-in-cloud.html | 2022/08/14 |
| Introducing Sentinel Policies to the Terraform Registry (Beta) | Terraform Sentinel policies are now available in the Terraform Registry so you can publish policies you want to share and search the Registry for policies you need. | https://www.hashicorp.com/blog/introducing-sentinel-policies-to-the-terraform-registry | 2022/08/14 |
| Cloud DNS Security - How to protect DNS in the Cloud | For cloud architects interested in learning about deployment, security best practices, and the advantages of a cloud approach for DNS including performance, security, and reliability. | https://sysdig.com/blog/dns-security-cloud-protection/ | 2022/08/07 |
| Uncomplicate Security for developers using Reference Architectures | Post walking through some of the salient features of a meaningful security reference architecture and the process required to develop one, as well as looking at the challenges that one might expect to face. | https://anunay-bhatt.medium.com/embedding-security-into-sdlc-using-reference-architectures-for-developers-29403c00fb3d | 2022/08/07 |
| Exploring the Kubernetes Operator Pattern | A nice intro to Kubernetes operators. | https://iximiuz.com/en/posts/kubernetes-operator-pattern/ | 2022/08/07 |
| Adopting Sigstore Incrementally | Post outlining strategies to ease adoption of Sigstore while still using existing signing approaches. | https://blog.sigstore.dev/adopting-sigstore-incrementally-1b56a69b8c15 | 2022/08/07 |
| Why you should avoid Sealed Secrets in your GitOps deployment | Eschew sealed secrets, start your GitOps practice right, and use a managed key service. | https://dnastacio.medium.com/why-you-should-avoid-sealed-secrets-in-your-gitops-deployment-e50131d360dd | 2022/08/07 |
| Dependency confusion in AWS CodeArtifact | At the time of the finding Code Artifact did not have any features to specify which packages were internal and therefore should not be pulled from public repositories. | https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d | 2022/08/07 |
| Setup GitHub Codespaces with AWS IAM Roles Anywhere | Demonstration of how you could leverage IAM Roles Anywhere to authenticate your GitHub Codespaces. | https://devopstar.com/2022/08/01/github-codespaces-and-iam-roles-anywhere | 2022/08/07 |
| How to secure Kubernetes deployment with signature verification | How to set up a solution ensuring nothing runs in your cluster without a signature verification by a known authority and verified by an admission controller. | https://sysdig.com/blog/secure-kubernetes-deployment-signature-verification/ | 2022/08/07 |
| Exploiting GitHub Actions on open source projects | GitHub Actions is phenomenal in many aspects. But its commonality can make it a target for bad actors. Here's how Tinder Security Labs detects security risks and what they recommend to identify potential vulnerabilities in workflows. | https://medium.com/tinder/exploiting-github-actions-on-open-source-projects-5d93936d189f | 2022/07/31 |
| Protecting GCP Services with VPC Service Controls and Terraform | Post exploring VPC Service Controls through an example of a common use case of VPC Service Control perimeters, deep dive on some key concepts, and learn how to automate administration with Terraform. | https://blog.scalesec.com/protecting-gcp-services-with-vpc-service-controls-and-terraform-858019d8b4ff | 2022/07/31 |
| Container Security Considerations: Security Best Practices and Common Threats | Understand container security challenges and learn about critical container security best practices, such as securing images, registries, etc. | https://www.returnonsecurity.com/container-security-considerations/ | 2022/07/31 |
| Identify Google Groups vulnerable to spam and spoofing | Google Groups deliver some unauthenticated emails to user inboxes which puts group members at a higher risk of receiving spoofing and malicious emails and presents additional risk to the organization. | https://material.security/blog/identify-google-groups-vulnerable-to-spam-and-spoofing | 2022/07/31 |
| Attesting Image Scans With Kyverno | Using Sigstore Cosign, Trivy, GitHub Actions, and Kyverno to attest and verify continual vulnerability scans in container images run under Kubernetes. | https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/ | 2022/07/31 |
| Hacking an AWS hosted Kubernetes backed product, and failing | Tales from a recent pentest of a product hosted on the AWS cloud backed by Kubernetes (EKS) and a whole lot of secure design goodness that withstood attack attempts. | https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d | 2022/07/31 |
| The Kubernetes Networking Guide | The purpose of this website is to provide an overview of various Kubernetes networking components with a specific focus on exactly how they implement the required functionality. | https://www.tkng.io/ | 2022/07/24 |
| Azure's Security Vulnerabilities Are Out of Control | Azure's multiple security vulnerabilities are highly concerning, for both customer data and the cloud's reputation. It's time we put public pressure on Azure. | https://www.lastweekinaws.com/blog/azures_vulnerabilities_are_quack/ | 2022/07/24 |
| Abusing the Replicator: Silently Exfiltrating Data | A comprehensive backup strategy is a cornerstone of any DR plan. But how would you distinguish between legitimate backup activity and malicious data exfiltration? | https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service | 2022/07/24 |
| User and workload identities in Kubernetes | Article explaining how users and workloads can authenticate with the Kubernetes API server. | https://learnk8s.io/authentication-kubernetes | 2022/07/24 |
| Minimal Container Images: Towards a More Secure Future | This post walks through the typical approaches in this space: minimal distributions, scratch and distroless. | https://blog.chainguard.dev/minimal-container-images-towards-a-more-secure-future | 2022/07/24 |
| 2022 Argo external security audit: Lessons learned | Twenty-six issues were identified: seven in Argo CD, six in Argo Workflows, and thirteen in Argo Events. If you are curious, you can read thefull report. | https://www.cncf.io/blog/2022/07/19/2022-argo-external-security-audit-lessons-learned/ | 2022/07/24 |
| MITRE ATT&CK Matrix for Kubernetes: Tactics & Techniques Part 1 | Learn about the first four threat vectors in Kubernetes: initial access, execution, persistence, and privilege escalation. | https://www.weave.works/blog/mitre-att-ck-matrix-for-kubernetes-tactics-techniques-explained-part-1 | 2022/07/17 |
| Awesome Cloud Native Trainings | All the free trainings (with and without certificates) released from different companies supporting CNCF Projects and Kubernetes. | https://github.com/joseadanof/awesome-cloudnative-trainings | 2022/07/17 |
| Cloud design patterns | Design patterns for building reliable, scalable, secure applications in the cloud by walking through examples based on Microsoft Azure. | https://docs.microsoft.com/en-us/azure/architecture/patterns/ | 2022/07/17 |
| Transparently Immutable Tags using Sigstore's Rekor | A nice approach to verifying container image (im)mutability using a transparency log, which allows to verify if a tag has changed since the last time it was seen. | https://blog.chainguard.dev/transparently-immutable-tags-using-rekor/ | 2022/07/17 |
| How attackers use exposed Prometheus server to exploit Kubernetes clusters | More ways to compromise Kubernetes via a publicly exposed service. This time it's Prometheus. | https://sysdig.com/blog/exposed-prometheus-exploit-kubernetes-kubeconeu/ | 2022/07/17 |
| How to think about threat detection in the cloud | Detecting cybersecurity threats in the cloud is different from on-premises. Here's why. | https://cloud.google.com/blog/products/identity-security/how-to-think-about-threat-detection-in-the-cloud | 2022/07/17 |
| Exploiting Authentication in AWS IAM Authenticator for Kubernetes | This blog post explains three vulnerabilities detected in the AWS IAM Authenticator where all of them were caused by the same code line. | https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator | 2022/07/17 |
| A Practical Guide to Capturing Production Traffic with eBPF | This blog explores the main concepts behind eBPF technology and provides step by step instructions on how to build your own eBPF-based traffic capturing tool. | https://www.seekret.io/blog/a-practical-guide-to-capturing-production-traffic-with-ebpf/ | 2022/07/17 |
| Datadog Security Labs | Datadog announced the "Datadog Security Labs", a new dedicated place for their security research content. It will host the release of new open source tools, research projects, emerging threat reports, deep dives, telemetry studies, and more. | https://securitylabs.datadoghq.com/articles/welcome-datadog-security-labs/ | 2022/07/17 |
| Optimizing CI/CD Credential Hygiene - A Comparison of CI/CD Solutions | Post discussing the strengths and weaknesses of four of the most popular CI vendors (Jenkins, GitHub Actions, CircleCI and GitLab CI/CD) around common credential hygiene issues. | https://www.cidersecurity.io/blog/research/optimizing-ci-cd-credential-hygiene-a-comparison-of-ci-cd-solutions/ | 2022/07/10 |
| Let's talk about Kubernetes on the Internet | Post providing information about Kubernetes network attack surface, some tricks for identifying Kubernetes clusters based on their responses to basic requests, and what information is visible on the Internet relating to exposed Kubernetes services. | https://raesene.github.io/blog/2022/07/03/lets-talk-about-kubernetes-on-the-internet/ | 2022/07/10 |
| Terraform Cloud Security Model | Document explaining the authorization model, potential security threats, and HashiCorp's recommendations for securely using Terraform Cloud. | https://www.terraform.io/cloud-docs/architectural-details/security-model | 2022/07/10 |
| Everything and Anything You Need To Know About SOC 2 | What is SOC 2? SOC 2 is a cybersecurity compliance reporting framework that companies from all industries can use to prove security to interested third parties such as potential customers or investors. If you've been looking for SOC 2 content, look no further. | https://www.linkedin.com/pulse/everything-anything-you-need-know-soc-2-aj-yawn/ | 2022/07/10 |
| Where Do I Sign? Step-by-step Sigstore Adoption | Using Sigstore, we can iteratively improve our supply chain security, starting with signed attestations and moving toward signed provenance to protect the build. | https://blog.chainguard.dev/where-do-i-sign-adopting-sigstore-in-pieces/ | 2022/07/10 |
| Suspecting the Unsuspected. Extracting and Analyzing Log Anomalies | Post exploring key points in log anomaly detection with some techniques used to identify log events of interest. | https://engineering.mercari.com/en/blog/entry/20220527-suspecting-the-unsuspected-extracting-and-analyzing-log-anomalies/ | 2022/07/10 |
| Kubernetes Workload Identity with AKS | Post explaining how workload identity federation on AKS works, and how to set it up. | https://blog.baeke.info/2022/01/31/kubernetes-workload-identity-with-aks/ | 2022/07/10 |
| The Open Cloud Vulnerability & Security Issue Database | An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues. | https://www.cloudvulndb.org/ | 2022/07/03 |
| MiTM at the Edge - Abusing Cloudflare Workers | An attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data. | https://blog.christophetd.fr/abusing-cloudflare-workers/ | 2022/07/03 |
| Learnings from 5 years of tech startup code audits | Some of the more surprising things learned while auditing Series A/B startups. | https://kenkantzer.com/learnings-from-5-years-of-tech-startup-code-audits/ | 2022/07/03 |
| Vault Logging and Alerting on Day 1 | A step-by-step guide to building a free solution for Day 1 Vault logging and alerting on AWS. | https://www.hashicorp.com/blog/vault-logging-and-alerting-on-day-1 | 2022/07/03 |
| Sky's the Limit: Stratus Red Team for Azure | A write-up on using Stratus Red Team for testing threat detection rules. | https://blog.detect.dev/posts/azure_for_stratus.html | 2022/07/03 |
| FabricScape: Escaping Service Fabric and Taking Over the Cluster | FabricScape (CVE-2022-30137) is a privilege escalation vulnerability in Microsoft's Service Fabric, which allowed cross tenant root access built out of unprivileged processes. | https://unit42.paloaltonetworks.com/fabricscape-cve-2022-30137/ | 2022/07/03 |
| CloudGoat Scenario: Avoiding AWS Security Detection and Response | This will walk through the CloudGoat AWS detection_evasion scenario, detailing how to avoid AWS security detection and response services, such as in Lambda. | https://rhinosecuritylabs.com/cloud-security/cloudgoat-detection_evasion-walkthrough/ | 2022/07/03 |
| Get Started with Sigstore (Free Course!) | Learn how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source. | https://blog.chainguard.dev/get-started-with-sigstore-free-course/ | 2022/06/26 |
| Painting a Threat Detection Landscape | Post discussing challenges/nuances associated with measuring MITRE ATT&CK technique detection coverage. | https://www.netspi.com/blog/technical/adversary-simulation/painting-a-threat-detection-landscape/ | 2022/06/26 |
| Cloud Risk Encyclopedia | 1200+ cloud security risks, 3 cloud platforms, 47 compliance frameworks, 18 risk categories, 4 risk levels. | https://orca.security/resources/cloud-risk-encyclopedia/ | 2022/06/26 |
| Anatomy of an Attack: Exposed keys to Crypto Mining | Blog detailing the activity associated with a low sophistication crypto mining incident caused by exposed keys. | https://permiso.io/blog/s/anatomy-of-attack-exposed-keys-to-crypto-mining/ | 2022/06/26 |
| General Availability of SLSA 3 Go native builder for GitHub Actions | How to use the newly releasedtrusted buildersfor Go applications, and examples of how you can use the generated information. | https://slsa.dev/blog/2022/06/slsa-github-workflows | 2022/06/26 |
| Terraform Cloud Adds Drift Detection for Infrastructure Management | Drift Detection for Terraform Cloud continuously checks infrastructure state to detect and notify operators of any changes, minimizing risk, downtime, and costs. | https://www.hashicorp.com/blog/terraform-cloud-adds-drift-detection-for-infrastructure-management | 2022/06/26 |
| HashiCorp Vault 1.11 Adds Kubernetes Secrets Engine, PKI Updates, and More | In this release, Vault adds a new Kubernetes secrets engine to dynamically generate credentials, improves the KV (key-value) secrets engine's usability, adds support for the PKI engine for non-disruptive rotation, enables bring your own key (BYOK) for Transit, and brings many other improvements. | https://www.hashicorp.com/blog/vault-1-11 | 2022/06/26 |
| Office 365 Functionalities that can Ransom Files | Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive. | https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality | 2022/06/26 |
| Establish security boundaries in your on-prem AD and Azure environment | A high-level explanation of how to implement security boundaries in an on-prem AD and Azure environment to protect your critical assets based on the principle of tiered administration, including how BloodHound can help you in the process. | https://posts.specterops.io/establish-security-boundaries-in-your-on-prem-ad-and-azure-environment-dcb44498cfc2 | 2022/06/26 |
| Incident report: Spotting an attacker in GCP | A walk through of how an attacker gained access to a customer's GCP environment, Expel's investigative process, and some key takeaways for securing your organization. | https://expel.com/blog/incident-report-spotting-an-attacker-in-gcp/ | 2022/06/19 |
| Introducing Gitsign | The Sigstore project has created a new tool calledGitsign, which aims to bring the best of Sigstore to Git with "keyless" signing and transparency log support, making it easy to get started with signing without the need to generate and manage long-term keys. | https://blog.sigstore.dev/introducing-gitsign-9fd3f1b682aa | 2022/06/19 |
| Going secretless and keyless with Spiffe Vault | Post introducing a small command line utility (spiffe-vault) that enables a whole bunch of usecases like: Secretless deployments, Keyless codesigning, Keyless encryption. | https://marcofranssen.nl/going-secretless-and-keyless-with-spiffe-vault | 2022/06/19 |
| The cloud gray zone: secret agents installed by cloud service providers | Wiz Research details how cloud middleware use across cloud service providers can expose customers' virtual machines to new attack vectors. | https://www.wiz.io/blog/the-cloud-gray-zone-secret-agents-installed-by-cloud-service-providers/ | 2022/06/19 |
| SynLapse - Technical Details for Critical Azure Synapse Vulnerability | This blog describes the technical details of SynLapse, a critical Synapse Analytics vulnerability in Microsoft Azure which allowed attackers to bypass tenant separation. | https://orca.security/resources/blog/synlapse-critical-azure-synapse-analytics-service-vulnerability/ | 2022/06/19 |
| Public Travis CI Logs (Still) Expose Users to Cyber Attacks | The Aqua Security team found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub. | https://blog.aquasec.com/travis-ci-security | 2022/06/19 |
| Unwanted Permissions that may impact security when using the ReadOnlyAccess policy in AWS | With this analysis, Tempest researchers identified at least 41 actions that can lead to improper data access. | https://sidechannel.blog/en/unwanted-permissions-that-may-impact-security-when-using-the-readonlyaccess-policy-in-aws/ | 2022/06/19 |
| How to Write Your First Rules in Rego, the Policy Language for OPA | Rego is the purpose-built declarative policy language that supports Open Policy Agent (OPA). It's used to write policy that is easy to read and easy to write. | https://blog.styra.com/blog/how-to-write-your-first-rules-in-rego-the-policy-language-for-opa | 2022/06/19 |
| AWS IAM Security Best Practices | A post going through a few top rules and best practices in AWS IAM. | https://blog.gitguardian.com/aws-iam-security-best-practices/ | 2022/06/19 |
| Integrating Kubernetes into Traditional Infrastructure with HA Egress Gateway | Cilium HA Egress Gateway can integrate legacy applications with Kubernetes based workloads, by allowing you to specify which nodes should be used by a pod to reach the outside world. | https://isovalent.com/blog/post/2022-05-static-egress-gateway/ | 2022/06/19 |
| A Deep Dive into Temporal's Access Control Strategy in AWS | Some insights into Temporal's strategy for securing their cloud environment, as well as a call for attention to an unexpected facet of AWS access policies encountered along the way. | https://docs.temporal.io/blog/deep-dive-temporal-access-control-strategy-aws/ | 2022/06/12 |
| Guide to Digital Forensics Incident Response in the Cloud | Post covering the differences between cloud forensics and forensics in on-premises systems. | https://www.intezer.com/blog/cloud-security/guide-to-digital-forensics-incident-response-in-the-cloud/ | 2022/06/12 |
| The Philosophy of Prevention | An interesting post covering some limitations and use-cases for SCPs and auto-remediation tools. | https://www.chrisfarris.com/post/philosphy-of-prevention/ | 2022/06/12 |
| Introducing Entitlements: GitHub's open source Identity and Access Management solution | Github open sourced their Identity and Access Management solution (called "Entitlements"), which uses a Git repository for the source-of-truth, declarative authorizations, and seamless integration with GitHub.com for approvals and audits. | https://github.blog/2022-06-09-introducing-entitlements-githubs-open-source-identity-and-access-management-solution/ | 2022/06/12 |
| MongoDB Field Level Encryption with HashiCorp Vault KMIP Secrets Engine | With MongoDB releasing client-side field level encryption with KMIP support, Vault users can now use its KMIP secrets engine to supply the encryption keys. This allows to be in full control of the keys. | https://www.hashicorp.com/blog/mongodb-field-level-encryption-with-hashicorp-vault-kmip-secrets-engine | 2022/06/12 |
| cloud-middleware-dataset | This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP). | https://github.com/wiz-sec/cloud-middleware-dataset | 2022/06/12 |
| Awesome-Azure-Pentest | A collection of resources, tools and more for penetration testing and securing Microsoft's cloud platform. | https://github.com/Kyuu-Ji/Awesome-Azure-Pentest | 2022/06/12 |
| Managed Identity Attack Paths | A three part blog series exploring attack paths that emerge out of Managed Identity assignments in three Azure services. | https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a | 2022/06/12 |
| Bypassing eBPF-based Security Enforcement Tools | Post explaining the limitations of eBPF security enforcement tools and demonstrates bypass techniques with Tetragon. | https://www.form3.tech/engineering/content/bypassing-ebpf-tools | 2022/06/12 |
| Use CloudTrail to Pivot to AWS Accounts | How to utilize the AWS CloudTrail service to discover other AWS accounts that you could pivot to. | https://bishopfox.com/blog/cloudtrail-pivot-to-aws-accounts | 2022/06/12 |
| An Easy Misconfiguration to Make: Hidden Dangers in the Cloud Control Plane | The biggest risk in cloud development is not recognizing the differences between cloud and traditional definitions of common architecture terms. | https://www.mitiga.io/blog/misconfiguration-hidden-dangers-cloud-control-plane | 2022/06/12 |
| Enumeration and lateral movement in GCP environments | A pentest write up describing how it was possible to compromise a hybrid GCP hosted infrastructure using native GCP tools. | https://infosecwriteups.com/enumeration-and-lateral-movement-in-gcp-environments-c3b82d342794 | 2022/06/12 |
| Terraform as part of the software supply chain | Post examining the supply chain aspects of Terraform, starting with a closer look at malicious Terraform modules and providers and how you can better secure them. | https://about.gitlab.com/blog/2022/06/01/terraform-as-part-of-software-supply-chain-part1-modules-and-providers/ | 2022/06/05 |
| Democratizing Security Detection | Security detection programs face significant scaling challenges. This post shares Palantir's learnings and suggests actionable detection strategies. | https://blog.palantir.com/democratizing-security-detection-71c689b667a5 | 2022/06/05 |
| Purpose-based access controls at Palantir | Tracking who has access to what information and why, across thousands of datasets and users, is an intractable challenge. Here's how Palantir solved it. | https://blog.palantir.com/purpose-based-access-controls-at-palantir-f419faa400b3 | 2022/06/05 |
| The State of Secrets Sprawl 2022 | The 2022 State of Secrets Sprawl report measures the exposure of secrets within GitHub, Docker and internal repos and how it is evolving year to year. | https://www.gitguardian.com/state-of-secrets-sprawl-report-2022 | 2022/06/05 |
| How to use Atomic Red Team to test Falco rules in K8s | How to install and run the Atomic Red Team environment on a Kubernetes system for testing Falco rules. | https://sysdig.com/blog/atomic-red-team-falco/ | 2022/06/05 |
| The Hitchhiker's Guide to Pod Security | Presentation covering the key concepts of Pod Security along with how to use it walking through practical examples. | https://www.youtube.com/watch?v=gcz5VsvOYmI | 2022/06/05 |
| Dockerfile best practices | Dockerfile best-practices for writing production-worthy Docker images. | https://github.com/hexops/dockerfile | 2022/06/05 |
| Securing Cloud Services against Squatting Attacks | Post discussing the root causes of cloud squatting from an IT practitioner's perspective, and demonstrates the steps companies can take to harden their infrastructure. | https://pauley.me/post/2022/secure-cloud-decomissioning/ | 2022/06/05 |