This is an absolute must-read from Clint Gibler (@clintgibler), in which he tries to distill the best insights from a vast number of talks, blog posts, and conversations he had with security teams at a variety of companies. Things companies have found that systematically, scalably, raise their security bar. Not one-off wins.

This post describes how Skyscanner decided to adopt Falco to detect malicious activity in their Kubernetes clusters. Main factors while evaluating different solutions were the ability to scale as much as their most demanding services, and the option of having an automated way of mapping and contacting the owners of the affected services if anything were to happen.

Netflix open sourced riskquant, a library for quantifying risk and helping teams dig deeper into areas like loss scenarios and risk tolerance. Riskquant takes a list of loss scenarios, each with estimates of frequency, low loss magnitude, and high loss magnitude, and calculates and ranks the annualized loss for all scenarios.

Did you know that Elastic Block Store (Amazon EBS) has a "public" mode that makes your virtual hard disk available to anyone on the internet? Apparently, hundreds of thousands of others didn't either, because they're out there exposing secrets for everyone to see. To help identify these exposed EBS volumes and allow individuals and businesses to secure their secrets, the Bishop Fox team developed Dufflebag, an open source tool which searches exposed EBS volumes for secrets.

As perfectly summarized by Scott Piper, if an attacker compromises your AWS account, they can backdoor the DNS responses you'll get without you being able to detect it. It can be spotted in CloudTrail logs, but there is no API to review these, only manual web console browsing.

Both Transparent Logs and The Update Framework were designed to protect end-users from a compromise of package repositories, but ultimately reflect different assumptions about how security should be managed. Transparent Logs are better at providing an immutable history of packages, which lends itself to third-party auditing. The Update Framework is better at providing a higher degree of compromise resilience, as well as built-in procedures for recovering from a compromise. One can obtain the best of both worlds by combining both systems.

This article gives an overview of the native Activity Log service functionality within Azure and provides insights into how to detect many TTPs, as well as suggestions on how to acquire more details out of the Activity Log service.

This here's a story about how Alex Smolen tried (and failed) to get GSuite SAML plugged into ALB authentication with Cognito.

Kubeform provides auto-generated Kubernetes CRDs for Terraform resources and modules so that you can manage any cloud infrastructure in a Kubernetes native way. You write a CRD for a cloud infrastructure, apply it and Kubeform will create it for you.

Another explicative post from the Sysdig team, in which they explain how to properly set Kubernetes limits and requests.

AWS has published a whitepaper, "Architecting for PCI DSS Scoping and Segmentation on AWS", to provide guidance on how to properly define the scope of your PCI DSS workloads running on the AWS Cloud. The whitepaper looks at how to define segmentation boundaries between your in-scope and out-of-scope resources using cloud native AWS services.

AWS Security Hub is a service that gives you aggregated visibility into your security and compliance status across multiple AWS accounts. In addition to consuming findings from Amazon services and integrated partners, Security Hub gives you the option to create custom actions, which allow a customer to manually invoke a specific response or remediation action on a specific finding. You can send custom actions to Amazon CloudWatch Events as a specific event pattern, allowing you to create a CloudWatch Events rule that listens for these actions and sends them to a target service, such as a Lambda function or Amazon SQS queue.

AWS Secrets Manager introduced a client-side caching library for Java and a set of JDBC drivers that make it easier to distribute credentials to your applications.

Google announced the general availability of Config Connector, which lets you manage GCP resources as Kubernetes resources, giving you a single place to configure your entire application.

Google also introduced "Config Sync", which allows to sync Kubernetes objects and namespaces across multiple clusters in your fleet from a single source-of-truth (a Git repo).