Any internet originating attacker can leverage an SCM webhook infrastructure to send traffic towards internal CI systems and conduct malicious activities which range from obtaining valid CI credentials to running exploits and fully compromising the CI.

How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for cloud infrastructure automated deployments.

Assuming constant full compromise of all machines is probably going to lead to controls where users can't reasonably do work.

Before it was patched, AttachMe could have allowed attackers to access and modify any other users' OCI storage volumes without authorization, thereby violating cloud isolation. Upon disclosure, the vulnerability was fixed within hours by Oracle. No customer action was required.

This post describes how a researcher took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users' terminals.

There's some complexities that auditors and assessors should be aware of if they're new to Kubernetes, and this blog takes a quick look at them.

Post shedding some light on known attack paths in an Azure environment.

This article aims to make an attempt to collect the main starting points, creating a guide on how to integrate security into infrastructure as a code and show how these security checks and gates, tools and procedures secures the infrastructure.

How I blocked advertisements in my home office, mimicking the Pi-hole's behaviour, using only serverless technologies (Cloudflare Gateway, to be precise).

Now generally available, HashiCorp Terraform 1.3 introduces optional object type attributes with defaults, and enhancements to moved blocks, improving extensibility and maintainability of Terraform modules.

You can now have Scout Suite scan not only your cloud environments, but your Kubernetes clusters. You can also refer to the companion blog post.

Wolfi is a lightweight GNU software distribution which is designed around minimalism, making it well-suited for containerized environments built with apko. You can also refer to the companion blog post.

dexter is an OIDC (OpenId Connect) helper to create a hassle-free Kubernetes login experience powered by Google or Azure as Identity Provider.

MerLoc is a live AWS Lambda function development and debugging tool. It allows to run AWS Lambda functions on your local while they are still part of a flow in the AWS cloud remote.

varc collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident.

AWS is changing role assumption behavior to always require self-referential role trust policy grants.

AWS introduced DNS resource record set permissions, enabling customers to define IAM create, edit, and delete policies for individual or groups of DNS record sets within a Route 53 public or private hosted zone.

Amazon announced a new import feature which will allow customers to copy existing trail events to a CloudTrail Lake event data store which were recorded prior to event data store creation.

Custom organization policy for GKE can improve security and efficiency using guardrails you define tailored to your organization's needs, and it's offered to Google Cloud customers at no additional cost.

The combination of the new policy structures and the IAM-governed Tags delivers a consistent firewall experience across the Google Cloud resource hierarchy, simplifying operations, while also achieving more granular control, enabling a more least-privilege environment, while allowing more self-service for devops for each group or app.

With the Container Scanning API enabled, any containers including Java (in Maven repositories) and Go language packages that are uploaded to an Artifact Registry repository will be scanned for vulnerabilities.

Updates from Cloud External Key Manager, automatic data risk management for BigQuery using DLP, error Remediation with Security Command Center, Cloud Armor.

Azure Payment HSM has achieved Payment Card Industry Personal Identification Number (PCI PIN), offering customers secure digital payments solutions in the cloud.

You can now use separate encryption keys for each customer in a single hierarchical namespace enabled storage account.