This week's articles
Thinking Outside the Box: Or, how I learned to stop worrying and love the cloud
These are the slides from Dino's keynote at H2HC. It starts with the mentality shift from thinking about the security of a single machine (the 'box') to the security of many machines at once: security at fleet-wide scale is incredibly powerful and makes some hard problems simple. Another main take-away is that in the cloud there are many somewhat overlapping, but mutually inconsistent, security models. Among them, the cloud provider's IAM (such as AWS IAM) is the only security model that really matters; everything else is 'defence in depth' at best.
App Identity and Access Adapter with Istio
A blog post describing how to use Istio to secure multi-cloud Kubernetes applications, with zero code changes or redeployments, by leveraging the App Identity and Access Adapter.
Sadcloud
NCC released a tool for standing up (and tearing down!) purposefully insecure cloud infrastructure with Terraform. Sadcloud was created to let security researchers easily misconfigure AWS for training purposes, or to assess AWS-related security tools.
Native Container Image Scanning in Amazon ECR
AWS playing catch-up with GCP, this time deciding to use CoreOS Clair in ECR to carry out static vulnerability analysis of container images. The ECR API, the AWS CLI and the SDKs have been extended with image scanning functionality, and a managed service has been implemented for use in a CI pipeline. AWS also put together a sample, available on GitHub, that shows how you can use the new image scanning-related ECR APIs to perform scheduled re-scans of container images.