Release Date: 24/10/2021 | Issue: 110
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

πŸ¦™ Compliance That Doesn't SOC 2 Much πŸ¦™
Are you in the throws of a painstaking SOC 2 panic? We know the feeling -- and we're here to help. Vanta restores trust in internet businesses by giving startups an easy-to-use platform to prove security. Nearly 2,000 businesses rely on Vanta to automate their SOC 2, ISO 27001, HIPAA, or (very soon!) PCI compliance.
Let Vanta automate your compliance.

This week's articles


Protect your open source project from supply chain attacks
#ci/cd, #defend
Post which can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks. These recommendations follow the SLSA framework and OpenSSF Scorecards rubric, and many can be implemented automatically by using the Allstar project.


Attacking and Securing CI/CD Pipelines
#ci/cd, #attack, #defend
In 2021, Mercari have been affected by a supply chain attack caused by the use of CodeCov, which allowed an intrusion into the CI/CD environment. This presentation shares a comprehensive summary of both the attack methods often used against CI/CD environments and Mercari's experience in securing CI/CD, learned the hard way. You can also check the companion repo.


Multicloud failover is almost always a terrible idea
#aws, #azure, #gcp, #strategy
Multicloud failover is complex and costly to the point of nearly almost always being impractical, and it's not an especially effective way to address cloud resilience risks.


Github Actions Security Best Practices
#ci/cd, #defend
Some of the key security concerns you should be aware of when using Github Actions, alongside the best practices that Salesforce Heroku follows to securely use them.


Abusing Registries For Exfil And Droppers
#attack, #containers
This post goes into some of the details about the standard container registry API, some abuse points, and some areas of attack pentesters or future malware writers can expose.


How to improve your Docker containers security - [cheat sheet]
#containers, #defend
A set of recommendations regarding Docker containers configuration at build and runtime to improve your containers' security.


Container security best practices: Comprehensive guide
#containers, #defend
Container security best practices don't just include the delivered applications and the container image itself, but also the full component stack used for building, distributing, and specially executing the container. This includes: the host or VM, the container runtime, cluster technology, cloud provider configuration, and more.


Securing Kubernetes Secrets with Conjur
#build, #kubernetes
Conjur helps you secure & manage your secrets centrally. This post talks about how to set up, run & integrate Conjur with Kubernetes to secure its secrets.


Introducing the Consul API Gateway
#announcement, #hashicorp, #kubernetes
The new Consul API Gateway is a dedicated ingress solution for intelligently routing traffic to applications running on the HashiCorp Consul service mesh.

Tools


grype
A vulnerability scanner for container images and filesystems.


aws-key-disabler
A small lambda script that will disable access keys older than a given amount of days.


terraform-provider-multispace
Terraform Provider for cascading runs across multiple workspaces.


kubexplorer
Detects orphan configmaps and secrets in a Kubernetes cluster.


cronjobber
Cronjobber is a cronjob controller for Kubernetes with support for time zones.

From the cloud providers


AWS Icon  AWS Security Hub adds support for cross-Region aggregation of findings
AWS Security Hub now allows you to designate an aggregation Region and link some or all Regions to that aggregation Region. This gives you a centralized view of all your findings across all of your accounts and all of your linked Regions.


AWS Icon  Building an end-to-end Kubernetes-based DevSecOps software factory on AWS
An end-to-end Kubernetes-based DevSecOps software factory on AWS with continuous testing, continuous logging and monitoring, auditing and governance, and operations.


AWS Icon  Enabling data classification for Amazon RDS database with Macie
How to use AWS Database Migration Service (AWS DMS) to extract data from RDS, store it on S3, and then classify the data using Macie.


AWS Icon  Securely extend and access on-premises Active Directory domain controllers in AWS
A best practice that implements a remote desktop gateway solution to access your domain controllers securely while using the minimum required ports.


GCP Icon  Cloud Data Loss Prevention is now automatic
Google announced they are making Cloud DLP automatic: automatic discovery, automatic inspection, automatic classification, automatic data profiling. Now available in preview for BigQuery, you can enable Cloud DLP across your entire organization to gain visibility into your data risk.


GCP Icon  Using signed provenance and Binary Authorization
As part of the image's provenance, Cloud Build automatically records details like the images generated, the input sources, the build arguments, and the built time, and a new attestor allows you to deploy only trusted images using Binary Authorization.


GCP Icon  Trust Google Cloud more with ubiquitous data encryption
Ubiquitous data encryption on Google Cloud provides unified control over data at-rest, in-use, and in-transit, with keys under customer control.


Azure Icon  Azure Sentinel Threat Intelligence Workbook
Azure Sentinel Threat Intelligence is based on the ingestion of threat indicators such as IP addresses, domains, URLs, email senders, and file hashes. This provides a starting point for building threat intelligence programs which require the ability to both ingest and correlate threat data across cloud workloads.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them πŸ™

If you have questions, comments, or feedback, just reply to this email orΒ let me know on Twitter @lancinimarco!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share
Website
Twitter
View this email in your browser Β© 2019-present
The Cloud Security Reading List by SecurityBite LTD.