This week's articles
69 Ways to F*** Up Your Deploy
#attack, #ci/cd, #defend
This post is a cursed compendium of 69 ways to f*** up your deploy. It is the irreverent Brothers Grimm version of deployment scenarios.
Exploring Amazon VPC Lattice
#aws, #explain
AWS has recently released VPC Lattice to General Availability. This post walks through creating a simple VPC Lattice service using CloudFormation, and takes a look at the service overall.
Docker Scout
#announcement, #containers, #defend
Docker Desktop introduced Docker Scout, a tool that provides visibility into image vulnerabilities and recommendations for quick remediation.
Two Minor Cross-Tenant Vulnerabilities in AWS App Runner
#attack, #aws
These vulnerabilities leaked configuration information across tenant boundaries. While they are both minor issues, they further demonstrate that undocumented AWS APIs have lacked the scrutiny of AWS as well as the cloud security community.
Helm completes fuzzing security audit
#defend, #kubernetes
The fuzzing involved enrolling Helm in the OSS-Fuzz project and writing a set of fuzzers that further enriches the test coverage of Helm. In total, 38 fuzzers were written, and nine bugs were found (with eight fixed so far).
Announcing SLSA v1.0 Release Candidate 2
#announcement, #supply-chain
SLSA v1.0 Release Candidate 2 has been announced. This is intended to be the final release candidate before marking v1.0 as an Approved Specification.
Tools
auth
GitHub Action for authenticating to Google Cloud with GitHub Actions OIDC tokens and Workload Identity Federation.
trurl
Trurl is a command line tool for URL parsing and manipulation.
Sponsor
The 2023 Cloud Threat Report
The Wiz cybersecurity research team uncovered dozens of new cloud risks across multiple AWS, Azure, and Google Cloud services. We've compiled their findings in this 12-page report, including:
- The latest cloud security threats
- Emerging cloud-native threat actors
- API-based vulnerabilities: includes the full list of breaches in 2022 and best practices to safeguard your cloud
- Bonus: a free checklist to implement strategies adopted by leading cloud security organizations in the world
Get the complete report to adapt your security strategy in 2023 and beyond.
From the cloud providers
Public preview: Private Application Gateway v2
Application Gateway v2 is introducing support for private IP only frontend configurations, enhanced control over NSG rules, and support for forced tunneling/route table rules to virtual appliances.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco