This week's articles
Attacking and Securing CI/CD Pipelines
#ci/cd, #attack, #defend
In 2021, Mercari was affected by a supply chain attack via Codecov, which allowed an intrusion into its CI/CD environment. This presentation gives a comprehensive summary of the attack methods commonly used against CI/CD environments and of Mercari's experience securing its CI/CD, learned the hard way. You can also check the companion repo.
GitHub Actions Security Best Practices
#ci/cd, #defend
Some of the key security concerns you should be aware of when using GitHub Actions, alongside the best practices that Salesforce Heroku follows to use them securely.
Abusing Registries For Exfil And Droppers
#attack, #containers
This post goes into some of the details of the standard container registry API, its abuse points, and some of the attack surface that pentesters or future malware writers could exploit.
Container security best practices: Comprehensive guide
#containers, #defend
Container security best practices don't just cover the delivered applications and the container image itself, but also the full component stack used for building, distributing, and especially executing the container. This includes the host or VM, the container runtime, the cluster technology, the cloud provider configuration, and more.
Securing Kubernetes Secrets with Conjur
#build, #kubernetes
Conjur helps you secure and manage your secrets centrally. This post explains how to set up, run, and integrate Conjur with Kubernetes to secure its secrets.
Introducing the Consul API Gateway
#announcement, #hashicorp, #kubernetes
The new Consul API Gateway is a dedicated ingress solution for intelligently routing traffic to applications running on the HashiCorp Consul service mesh.
Tools
grype
A vulnerability scanner for container images and filesystems.
aws-key-disabler
A small Lambda script that disables access keys older than a given number of days.
kubexplorer
Detects orphan configmaps and secrets in a Kubernetes cluster.
cronjobber
Cronjobber is a cronjob controller for Kubernetes with support for time zones.
From the cloud providers
Cloud Data Loss Prevention is now automatic
Google announced that it is making Cloud DLP automatic: automatic discovery, automatic inspection, automatic classification, and automatic data profiling. Now available in preview for BigQuery, you can enable Cloud DLP across your entire organization to gain visibility into your data risk.
Using signed provenance and Binary Authorization
As part of the image's provenance, Cloud Build automatically records details such as the images generated, the input sources, the build arguments, and the build time, and a new attestor lets you deploy only trusted images using Binary Authorization.
Azure Sentinel Threat Intelligence Workbook
Azure Sentinel Threat Intelligence is based on the ingestion of threat indicators such as IP addresses, domains, URLs, email senders, and file hashes. This provides a starting point for building threat intelligence programs, which require the ability to both ingest and correlate threat data across cloud workloads.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco