#attack, #ci/cd, #supply-chain

On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.

#attack, #aws

PaloAlto identified severe security issues within AWS Log4Shell hot patch solutions. This article provides a root cause analysis and overview of fixes and mitigations.

#aws, #containers, #defend

Amazon's own security overview of Fargate, which is helpful for new adopters and deepens understanding of Fargate for current users.

#defend, #gcp

What the CIS Google Cloud Platform Foundation Benchmark offers against 10 of the most common GCP misconfigurations that NCC Group comes across during client assessments.

#explain, #gcp

In 2018 GCP released a feature called Cloud Asset Inventory. It allows one to search for all your resources globally: "$ gcloud asset search-all-resources".

#aws, #defend

Cloud Custodian enables us to define rules and remediation as one policy to facilitate a well-managed cloud infrastructure.

#aws, #opa

Learn more about AWS CloudFormation Hook and how Open Policy Agent may be used for CloudFormation policy enforcement.

#explain, #iam, #kubernetes

Kubernetes RBAC tutorial with two examples, using ServiceAccounts and openssl to create separate contexts for users.

#build, #kubernetes

How to incorporate the Kong Ingress Controller, KeyCloak and Kubernetes to have an initial OIDC flow to front external services (API or web endpoints).

#kubernetes, #monitor

Service mesh platforms can be used to provide insight into the container processes and their network operations within K8s clusters.

#attack, #azure

How one Azure service supporting DevOps can start in a very solid "secure by default" state, but then quickly descend into a very dangerous configured state.

#announcement, #supply-chain

OpenSSF announced the creation of the Securing Software Repositories Working Group, a community collaboration with a focus on the maintainers of software repositories, software registries, and tools (like package managers) that rely on them, at various levels including system, language, plugin, extensions and container systems.

Compares and analyzes GCP IAM roles.

A command line utility to help you investigate the sensitive data associated with Macie findings.

Smart SSH bastion that works with any SSH client.

Curiefense is a new application security platform, which protects sites, services, and APIs. It extends Envoy proxy to defend against a variety of threats, including SQL and command injection, cross site scripting (XSS), account takeovers (ATOs), application-layer DDoS, remote file inclusion (RFI), API abuse, and more.

A container runtime tool aimed at providing unprivileged sandboxes.

Post explaining the basics of the HMAC algorithm as a cryptographic building block, including how HMACs are used.

How to run OPA as a service within a container in Lambda using just the standard precompiled OPA binary. This will allow you take advantage of OPA's built-in REST API while still getting the performance and cost savings of Lambda with no code to customize or manage besides your actual Rego policy code.

Service Directory and Traffic Director integration for service based traffic management.

This functionality lets you SSH into your Arc machines without a public IP address or additional inbound ports.

Auditing has now been made an opt-in feature on Azure DevOps.