This week's articles
Catalog of Supply Chain Compromises
CNCF SIG Security is creating a catalog of software supply chain compromises. The goal is not to catalog every known supply chain attack, but rather to capture many examples of different kinds of attack, so that we can better understand the patterns and develop best practices and tools.
Software Libraries Are Terrifying
Still on the topic of supply chain security, this is a nice post describing how easy it is to end up with malicious libraries in your codebase.
Demystifying AWS' AssumeRole and sts:ExternalId
AWS AssumeRole accepts an optional ExternalId parameter, which a role's trust policy can require via the sts:ExternalId condition key. Its purpose is to mitigate the confused deputy problem: a third party that assumes roles in many customers' accounts is tricked into assuming one customer's role on behalf of another. Both the attack it mitigates and how to use it correctly are widely misunderstood, leaving large numbers of AWS-based applications vulnerable. This post describes what sts:ExternalId does, when to use it, and how to use it.
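To make the confused deputy concrete, here is an added walk-through (not code from the post above, and not a real AWS API): a customer account trusts a third-party service's account, the attacker registers the victim's role ARN with that service under their own tenant, and the service dutifully assumes it. The weak trust policy lets this through; the trust policy with an sts:ExternalId condition does not, because the service presents the attacker tenant's ExternalId rather than the victim's. Account IDs, the role ARN and the tenant names are constructed sample values, and is_assume_role_allowed() is a deliberately simplified model of trust-policy evaluation (principal account match plus a StringEquals condition on sts:ExternalId), not the IAM engine.

```python
"""Confused-deputy walk-through for AssumeRole with sts:ExternalId.

Added example, not code from the post being summarised. Account IDs, the role
ARN and tenant names are constructed; is_assume_role_allowed() is a simplified
model of IAM trust-policy evaluation and ignores explicit denies, policy
variables, wildcards and everything else IAM does beyond this one check.
"""
import secrets
from typing import Dict, Optional

CUSTOMER_ACCOUNT = "111111111111"  # owns the role (constructed)
SAAS_ACCOUNT = "222222222222"      # third party that assumes it (constructed)
ROLE_ARN = f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/ThirdPartyAccess"


def trust_policy(external_id: Optional[str]) -> dict:
    """Trust policy letting any principal in SAAS_ACCOUNT assume the role.

    external_id=None is the weak form. With the condition present, the caller
    must also pass exactly that ExternalId to AssumeRole."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SAAS_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def is_assume_role_allowed(policy: dict, caller_arn: str,
                           external_id: Optional[str]) -> bool:
    """Simplified evaluation (assumption, not IAM): allow if an Allow statement's
    principal account matches the caller's account and its sts:ExternalId
    condition, if any, is satisfied. A StringEquals condition on a key the
    request does not carry evaluates to false, as it does in IAM."""
    caller_account = caller_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRole" not in actions:
            continue
        if stmt["Principal"]["AWS"].split(":")[4] != caller_account:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is None or wanted == external_id:
            return True
    return False


class ThirdPartyService:
    """The deputy: one registration per tenant. The ExternalId is generated by
    the service at registration time, never chosen by the tenant."""

    def __init__(self) -> None:
        self.registrations: Dict[str, Dict[str, str]] = {}
        self.caller_arn = f"arn:aws:iam::{SAAS_ACCOUNT}:role/CustomerScanner"

    def register(self, tenant: str, role_arn: str) -> str:
        ext = secrets.token_urlsafe(24)
        self.registrations[tenant] = {"role_arn": role_arn, "external_id": ext}
        return ext  # shown to the tenant to put in their trust policy

    def scan(self, tenant: str, trust_policies: Dict[str, dict]) -> bool:
        """Assume whatever role the tenant registered, presenting that tenant's
        ExternalId. trust_policies (role ARN -> policy) stands in for the
        customer's IAM."""
        reg = self.registrations[tenant]
        return is_assume_role_allowed(trust_policies[reg["role_arn"]],
                                      self.caller_arn, reg["external_id"])


def confused_deputy_demo() -> Dict[str, bool]:
    """Run the attack against the weak and the hardened trust policy."""
    results: Dict[str, bool] = {}
    for variant in ("weak", "hardened"):
        saas = ThirdPartyService()
        victim_ext = saas.register("victim", ROLE_ARN)
        saas.register("attacker", ROLE_ARN)  # attacker points their tenant at the victim's role
        policies = {ROLE_ARN: trust_policy(None if variant == "weak" else victim_ext)}
        results[f"{variant}_victim"] = saas.scan("victim", policies)
        results[f"{variant}_attacker"] = saas.scan("attacker", policies)
    return results


if __name__ == "__main__":
    for name, ok in confused_deputy_demo().items():
        print(f"{name}: {'AssumeRole succeeds' if ok else 'AccessDenied'}")
```

Two practical checks fall out of this model. First, the ExternalId only helps if the role's trust policy actually carries the sts:ExternalId condition; a value passed to AssumeRole against a policy without the condition is simply ignored. Second, the third party must generate a unique ExternalId per customer and refuse customer-chosen values, otherwise the attacker just registers with the victim's value and the condition is satisfied.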
kube-psp-advisor
kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs) from either a live K8s cluster or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc.).
kube-query
kube-query is an extension for osquery, letting you inspect your cluster using SQL queries.