Post which can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks. These recommendations follow the SLSA framework and OpenSSF Scorecards rubric, and many can be implemented automatically by using the Allstar project.

In 2021, Mercari have been affected by a supply chain attack caused by the use of CodeCov, which allowed an intrusion into the CI/CD environment. This presentation shares a comprehensive summary of both the attack methods often used against CI/CD environments and Mercari's experience in securing CI/CD, learned the hard way. You can also check the companion repo.

Multicloud failover is complex and costly to the point of nearly almost always being impractical, and it's not an especially effective way to address cloud resilience risks.

Some of the key security concerns you should be aware of when using Github Actions, alongside the best practices that Salesforce Heroku follows to securely use them.

This post goes into some of the details about the standard container registry API, some abuse points, and some areas of attack pentesters or future malware writers can expose.

A set of recommendations regarding Docker containers configuration at build and runtime to improve your containers' security.

Container security best practices don't just include the delivered applications and the container image itself, but also the full component stack used for building, distributing, and specially executing the container. This includes: the host or VM, the container runtime, cluster technology, cloud provider configuration, and more.

Conjur helps you secure & manage your secrets centrally. This post talks about how to set up, run & integrate Conjur with Kubernetes to secure its secrets.

The new Consul API Gateway is a dedicated ingress solution for intelligently routing traffic to applications running on the HashiCorp Consul service mesh.

A vulnerability scanner for container images and filesystems.

A small lambda script that will disable access keys older than a given amount of days.

Terraform Provider for cascading runs across multiple workspaces.

Detects orphan configmaps and secrets in a Kubernetes cluster.

Cronjobber is a cronjob controller for Kubernetes with support for time zones.

AWS Security Hub now allows you to designate an aggregation Region and link some or all Regions to that aggregation Region. This gives you a centralized view of all your findings across all of your accounts and all of your linked Regions.

An end-to-end Kubernetes-based DevSecOps software factory on AWS with continuous testing, continuous logging and monitoring, auditing and governance, and operations.

How to use AWS Database Migration Service (AWS DMS) to extract data from RDS, store it on S3, and then classify the data using Macie.

A best practice that implements a remote desktop gateway solution to access your domain controllers securely while using the minimum required ports.

Google announced they are making Cloud DLP automatic: automatic discovery, automatic inspection, automatic classification, automatic data profiling. Now available in preview for BigQuery, you can enable Cloud DLP across your entire organization to gain visibility into your data risk.

As part of the image's provenance, Cloud Build automatically records details like the images generated, the input sources, the build arguments, and the built time, and a new attestor allows you to deploy only trusted images using Binary Authorization.

Ubiquitous data encryption on Google Cloud provides unified control over data at-rest, in-use, and in-transit, with keys under customer control.

Azure Sentinel Threat Intelligence is based on the ingestion of threat indicators such as IP addresses, domains, URLs, email senders, and file hashes. This provides a starting point for building threat intelligence programs which require the ability to both ingest and correlate threat data across cloud workloads.