Release Date: 28/07/2024 | Issue: 248
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

The cloud security tax is real. Panoptica's got your back (and your wallet)
Cloud security should not be exorbitantly expensive. Our research shows that most organizations won't spend much more than 10% of their cloud spend on a cloud security tool. So if you're running $100K USD per month, you will be shelling out about $10K/mo ($120K/yr) on a SaaS CSPM / CNAPP tool.
Panoptica starts at $99/mo. Or you can start for free. Check us out.
Say NO to the cloud security tax

This week's articles


Mapping the Attack Surface from the Inside
Mercari sharing their experiences with creating a system to map the company's attack surface, discussing the difference between internal and external perspectives, as well as the pitfalls of relying on IaC.   #defend   #strategy


A gentle introduction to SAML
The SAML spec is an absolute beast. We've each read it multiple times. Here's a simpler explanation.   #explain   #iam


Anyone can Access Deleted and Private Repository Data on GitHub
You can access data from deleted forks, deleted repositories and even private repositories on GitHub, and it is available forever. GitHub is aware of this and designed it that way intentionally.   #attack   #ci/cd


Repo Jacking: The Great Source-code Swindle
Snyk's research into Repo Jacking shows that the measures currently provided by SCM providers are not always sufficient, and that abusing the way certain providers handle renaming organizations can cause significant problems for third-party ecosystems that rely on SCM-hosted artifacts.   #attack   #ci/cd


ConfusedFunction: A Privilege Escalation Vulnerability Impacting GCP Cloud Functions
Organizations that have used GCP's Cloud Functions could be impacted by a privilege escalation vulnerability discovered by Tenable and dubbed ConfusedFunction.   #attack   #gcp


Recursive Amplification Attacks: Botnet-as-a-Service
How a self-sign-up user could use an ETL platform to spawn a botnet and launch a DDoS attack against anyone.   #attack   #saas


Azure Run Command Forensics
A forensic analysis of Azure Run Command activities, focusing on how to detect and investigate potential misuse.   #azure   #monitor
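As an added illustration of the detection side of that article (this is not code from the post), the following Python snippet pulls Run Command invocations out of an Azure Activity Log export and flags the ones that happened outside business hours. The sample records are constructed for the example and trimmed to the fields the check reads; the two operation names are the ones the Activity Log uses for the legacy "action" Run Command and for managed run commands.

```python
import json
from datetime import datetime

# Operation names that execute code inside a VM's guest OS: the legacy
# "action" form (Invoke-AzVMRunCommand / az vm run-command invoke) and the
# managed run command resource write. Compared case-insensitively because
# the Activity Log is not consistent about casing.
RUN_COMMAND_OPS = {
    "microsoft.compute/virtualmachines/runcommand/action",
    "microsoft.compute/virtualmachines/runcommands/write",
}

# Constructed sample Activity Log export (one JSON object per line, trimmed
# to the fields this check reads); not real tenant data.
SAMPLE_ACTIVITY_LOG = """
{"eventTimestamp": "2024-07-25T10:02:11Z", "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"}, "caller": "alice@example.com", "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2024-07-25T10:05:40Z", "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"}, "caller": "alice@example.com", "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web02", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2024-07-26T02:13:05Z", "operationName": {"value": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE"}, "caller": "svc-deploy@example.com", "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/db01", "status": {"value": "Succeeded"}}
"""


def parse_records(text):
    """Parse a newline-delimited JSON Activity Log export into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_run_commands(records, quiet_hours=range(0, 6)):
    """Return one finding per Run Command operation, oldest first.

    quiet_hours is the UTC hour range (hypothetical business-hours policy for
    this example) during which an invocation is flagged as off-hours.
    """
    findings = []
    for rec in records:
        op = rec["operationName"]["value"].lower()
        if op not in RUN_COMMAND_OPS:
            continue
        ts = datetime.strptime(rec["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
        findings.append({
            "time": rec["eventTimestamp"],
            "caller": rec["caller"],
            # The VM name is the last path segment of the resource id.
            "vm": rec["resourceId"].rsplit("/", 1)[-1],
            "operation": rec["operationName"]["value"],
            "status": rec["status"]["value"],
            "off_hours": ts.hour in quiet_hours,
        })
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    for f in find_run_commands(parse_records(SAMPLE_ACTIVITY_LOG)):
        flag = " (outside business hours)" if f["off_hours"] else ""
        print(f"{f['time']} {f['caller']} ran {f['operation']} on {f['vm']}{flag}")
```

The Activity Log tells you who invoked Run Command against which VM and when, but not what the script did; the script body and its output have to be recovered from inside the guest, which is the forensic part.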

📙 The CloudSec Engineer is out now!

The CloudSec Engineer is a practical guide on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor.

You can head over to engineer.cloudsecbooks.com to find more information about the book, its contents, and where to buy it.

Tools


automated-security-helper
A tool to conduct preliminary security checks as early as possible within your development process.


gatekeeper-library
A community-owned library of policies for the OPA Gatekeeper project.


terraform-pr-commenter
A GitHub Action that adds opinionated comments to a PR from Terraform fmt/init/plan output.

From the cloud providers


#AWS   How to use the AWS Secrets Manager Agent
The Secrets Manager Agent is a client-side agent that allows you to standardize consumption of secrets from Secrets Manager across your AWS compute environments.
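As an added example (not code from the AWS post), here is a minimal stdlib-only Python client for the agent's local HTTP endpoint. The port, path, header name and token file path are the documented defaults as I understand them; treat them as assumptions and check them against your agent's config file. The sample response is constructed and mirrors the shape of a GetSecretValue response, which is what the agent returns.

```python
import json
import urllib.parse
import urllib.request

# Assumed defaults from the Secrets Manager Agent documentation; all of them
# can be changed in the agent's config file.
AGENT_BASE_URL = "http://localhost:2773"
TOKEN_FILE = "/var/run/awssmatoken"
TOKEN_HEADER = "X-Aws-Parameters-Secrets-Token"

# Constructed sample of what the agent hands back (GetSecretValue shape).
SAMPLE_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-AbCdEf",
    "Name": "prod/db/password",
    "VersionId": "5c3a2f0e-0000-4000-8000-000000000001",
    "SecretString": '{"username":"app","password":"s3cr3t"}',
    "VersionStages": ["AWSCURRENT"],
})


def build_request(secret_id, token, version_stage=None, base_url=AGENT_BASE_URL):
    """Return (url, headers) for fetching one secret through the agent.

    The token header is the agent's SSRF protection: a caller that can reach
    localhost but cannot read the token file gets nothing.
    """
    params = {"secretId": secret_id}
    if version_stage:
        params["versionStage"] = version_stage
    url = f"{base_url}/secretsmanager/get?{urllib.parse.urlencode(params)}"
    return url, {TOKEN_HEADER: token}


def parse_secret_response(body):
    """Extract the string payload from the agent's JSON response."""
    data = json.loads(body)
    if "SecretString" not in data:
        # Binary secrets come back as SecretBinary; errors carry no payload.
        raise ValueError(f"no SecretString in response: {data}")
    return data["SecretString"]


def read_token(path=TOKEN_FILE):
    """Read the per-boot token the agent writes for its consumers."""
    with open(path) as f:
        return f.read().strip()


def get_secret(secret_id, version_stage=None):
    """Fetch a secret via the locally running agent (needs the agent up)."""
    url, headers = build_request(secret_id, read_token(), version_stage)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_secret_response(resp.read())


if __name__ == "__main__":
    # Offline demonstration of the request shape and response parsing.
    print(build_request("prod/db/password", "<token>", "AWSCURRENT"))
    print(parse_secret_response(SAMPLE_RESPONSE))
```

Because the agent caches, a secret rotated in Secrets Manager can keep being served from the cache until the TTL expires; treat that as part of your rotation design rather than assuming every fetch is fresh.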


#GCP   Zero Trust and BeyondCorp Google Cloud
Some sketchnotes on Zero Trust and BeyondCorp Google Cloud.


#GCP   Announcing VPC Service Controls with private IPs to extend data exfiltration protection
VPC Service Controls (VPC-SC) creates isolation perimeters around cloud resources and networks in Google Cloud, helping you limit access to your sensitive data.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini