Release Date: 13/08/2023 | Issue: 200
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sponsor

JupiterOne: Know What You’re Defending
Perhaps the biggest problem in cybersecurity today is that companies don’t have a good understanding of what they’re defending. JupiterOne solves this foundational issue by collecting everything you own into a single system of record that includes cloud infrastructure, endpoints, DNS, SaaS apps, and more.
It connects the dots using graph-based technologies, allowing you to ask complex Attack Surface Questions, like “Show me all VMware-based systems associated with our crown jewels and that have something facing the internet.”

This week's articles


AWS Security Monitoring in 2023: Untangle the chaos   #aws, #monitor
This post provides recommendations for implementing an effective security monitoring strategy in AWS.


Application Architecture as Code   #iac, #strategy
Cloud automation isn't just about infrastructure anymore. This also affects automation language design.


SSRF Tricks - Thread   #attack, #aws
Some tricks @rhynorater picked up over the past 5 years of web app testing.


Hacking Github AWS integrations again   #attack, #aws, #ci/cd
Another post looking at the perils of improperly scoping access provided by OIDC.


VS Code Token Security: Keeping Your Secrets... Not So Secretly   #attack
Apparently VSCode's secret manager allows any extension to extract all the secrets, including built-in authentication tokens for Microsoft and GitHub.


Kubernetes Exposed: One Yaml away from Disaster   #attack, #kubernetes
The AquaSec team found Kubernetes clusters belonging to more than 350 organizations openly accessible and largely unprotected, as a result of two misconfigurations.


Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform   #attack, #azure
A researcher at Tenable has discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets).


Knocking on the Front Door (client side desync attack on Azure CDN)   #attack, #azure
A write-up on a Browser-Powered Desync bug discovered in the Azure CDN service known as Front Door.


HashiCorp Vault observability: Monitoring Vault at scale   #monitor, #vault
How to implement a mature Vault monitoring and observability strategy to simplify finding answers to important Vault questions.


HashiCorp adopts Business Source License   #announcement, #hashicorp
HashiCorp is changing its source code license from Mozilla Public License v2.0 (MPL 2.0) to the Business Source License (BSL, also known as BUSL) v1.1 on all future releases of HashiCorp products. HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0.

Tools


noir
Noir is an attack surface detector that works from source code.


wstunnel
Tunneling over websocket protocol.


AWSGoat
A Damn Vulnerable AWS Infrastructure.


conftest-policy-packs
Rego policies for enterprise-scale Compliance-as-Code with OPA Conftest.


kubefuzz
Generative and mutative fuzzer for Kubernetes admission controller chains by automatically parsing the cluster api specification.

Sponsor

AWS Security Foundations for Dummies
Keep up with the speed of the cloud and unlock everything you need to know to protect your AWS environment. Learn the most important principles for effective AWS security in this user-friendly book.

From the cloud providers


[AWS] AWS Cloud service considerations for designing multi-tenant SaaS solutions
How to optimize your cloud-based SaaS design to reduce operating expenses, increase resiliency, and offer a high-performing experience for your customers.


[AWS] Mountpoint for Amazon S3 - Generally Available and Ready for Production Workloads
Mountpoint for Amazon S3 is an open source file client that makes it easy for your file-aware Linux applications to connect directly to S3 buckets.


[AWS] Introducing AWS Backup logically air-gapped vault
Amazon announced the public preview of AWS Backup logically air-gapped vault, a new type of vault that can be shared for recovery with other accounts using AWS Resource Access Manager (RAM).


[AWS] Network Load Balancer now supports security groups
Network Load Balancers (NLBs) now support security groups, enabling you to filter the traffic that your NLB accepts and forwards to your application.


[GCP] CyberShield: helping governments stand united against cyber attackers
The article discusses Cybershield, a new initiative by Google Cloud that aims to help governments collaborate and defend against cyber attacks.


[GCP] Introducing new capabilities in Workforce Identity Federation to help you effectively manage identity and access to Google Cloud
New capabilities and services in Workforce Identity Federation can make it easier to manage your identity and access across multiple Google Cloud services.


[Azure] Automate tasks management to protect your organization against threats
New playbooks with tasks for BEC, Ransomware, and Phishing investigation.

Jobs

Hiring? Feature your listings below - reach out now at [email protected]

Security Engineering Manager, Cloud Security - Dropbox
Dropbox is looking for an experienced Security Engineering Manager to lead their Cloud Security team.


Senior Software Engineer, Cloud Security - Block
Block is looking for a senior engineer with an understanding of securing infrastructure and services in a cloud-native world.


Sr. Staff Cloud Security Engineer - Verkada
Verkada is looking for a Sr. Staff Cloud Security Engineer in California.


Cloud Security Assurance - Coalfire
Coalfire is looking for an Associate to support their Cloud Assurance team, assessing the security and compliance of client firms against regulatory and industry requirements and standards.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco

© 2019-present, CloudSecList by Marco Lancini.