Release Date: 13/08/2023 | Issue: 200
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

JupiterOne: Know What You’re Defending
Perhaps the biggest problem in cybersecurity today is that companies don’t have a good understanding of what they’re defending. JupiterOne solves this foundational issue by collecting everything you own into a single system of record that includes cloud infrastructure, endpoints, DNS, SaaS apps, and more.
It connects the dots using graph-based technologies, allowing you to ask complex Attack Surface Questions, like “Show me all VMware-based systems associated with our crown jewels and that have something facing the internet.”
Learn more

This week's articles


AWS Security Monitoring in 2023: Untangle the chaos
This post provides recommendations for implementing an effective security monitoring strategy in AWS.   #aws   #monitor


Application Architecture as Code
Cloud automation isn't just about infrastructure anymore. This also affects automation language design.   #iac   #strategy


SSRF Tricks - Thread
Some tricks @rhynorater picked up over the past 5 years of web app testing.   #attack   #aws


Hacking Github AWS integrations again
Another post looking at the perils of improperly scoping the access granted through OIDC.   #attack   #aws   #ci/cd


VS Code Token Security: Keeping Your Secrets... Not So Secretly
Apparently VSCode's secret manager allows any extension to extract all the secrets, including built-in authentication tokens for Microsoft and GitHub.   #attack


Kubernetes Exposed: One Yaml away from Disaster
The AquaSec team found two misconfigurations that left Kubernetes clusters belonging to more than 350 organizations openly accessible and largely unprotected.   #attack   #kubernetes


Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform
A researcher at Tenable has discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets).   #attack   #azure


Knocking on the Front Door (client side desync attack on Azure CDN)
A write-up on a Browser-Powered Desync bug discovered in the Azure CDN service known as Front Door.   #attack   #azure


HashiCorp Vault observability: Monitoring Vault at scale
How to implement a mature Vault monitoring and observability strategy to simplify finding answers to important Vault questions.   #monitor   #vault


HashiCorp adopts Business Source License
HashiCorp is changing its source code license from Mozilla Public License v2.0 (MPL 2.0) to the Business Source License (BSL, also known as BUSL) v1.1 on all future releases of HashiCorp products. HashiCorp APIs, SDKs, and almost all other libraries will remain MPL 2.0.   #announcement   #hashicorp

Sponsor

AWS Security Foundations for Dummies
Keep up with the speed of the cloud and unlock everything you need to know to protect your AWS environment. Learn the most important principles for effective AWS security in this user-friendly book.
Get the FREE eBook today!

Tools


noir
Noir is an attack surface detector that works from source code.


wstunnel
Tunneling over the WebSocket protocol.


AWSGoat
A Damn Vulnerable AWS Infrastructure.


conftest-policy-packs
Rego policies for enterprise-scale Compliance-as-Code with OPA Conftest.


kubefuzz
Generative and mutative fuzzer for Kubernetes admission controller chains that works by automatically parsing the cluster API specification.

From the cloud providers


#AWS   AWS Cloud service considerations for designing multi-tenant SaaS solutions
How to optimize your cloud-based SaaS design to reduce operating expenses, increase resiliency, and offer a high-performing experience for your customers.


#AWS   Mountpoint for Amazon S3 - Generally Available and Ready for Production Workloads
Mountpoint for Amazon S3 is an open source file client that makes it easy for your file-aware Linux applications to connect directly to S3 buckets.


#AWS   Introducing AWS Backup logically air-gapped vault
Amazon announced the public preview of AWS Backup logically air-gapped vault, a new type of vault that can be shared for recovery with other accounts using AWS Resource Access Manager (RAM).


#AWS   Network Load Balancer now supports security groups
Network Load Balancers (NLB) now support security groups, enabling you to filter the traffic that your NLB accepts and forwards to your application.


#GCP   CyberShield: helping governments stand united against cyber attackers
The article discusses Cybershield, a new initiative by Google Cloud that aims to help governments collaborate and defend against cyber attacks.


#GCP   Introducing new capabilities in Workforce Identity Federation to help you effectively manage identity and access to Google Cloud
New capabilities and services in Workforce Identity Federation can make it easier to manage your identity and access across multiple Google Cloud services.


#AZURE   Automate tasks management to protect your organization against threats
New playbooks with tasks for BEC, Ransomware, and Phishing investigation.

Jobs

Hiring? Feature your listings below - reach out now at [email protected]

Security Engineering Manager, Cloud Security - Dropbox
Dropbox is looking for an experienced Security Engineering Manager to lead their Cloud Security team.


Senior Software Engineer, Cloud Security - Block
Block is looking for a senior engineer with an understanding of securing infrastructure and services in a cloud-native world.


Sr. Staff Cloud Security Engineer - Verkada
Verkada is looking for a Sr. Staff Cloud Security Engineer in California.


Cloud Security Assurance - Coalfire
Coalfire is looking for an Associate to support their Cloud Assurance team, assessing the security and compliance of client firms against regulatory and industry requirements and standards.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco

© 2019-present CloudSecList · Marco Lancini