Great write up of Istio's security misconfigurations and bypasses of policies. In particular, it focuses on Istio's security features that are used to control service network interactions. The post also walks through lab-based examples in order to concretely illustrate the limits of each of these features, possible misconfigurations, and what can be done to ensure operators’ intended security goals are met.

CashApp's first blog post in a series on how they are making App-Layer Encryption easy for engineers building services in the cloud.

AppSec Cali 2020 talk which provides a summary of Continuous Cloud Security Monitoring (CCSM) strategies, techniques, and best practices so you don't have to spend the next 12 months reading AWS white papers. Takeaways from this presentation will be methods to immediately apply logging, monitoring, alerting, and Honey[Things] to detect and respond to threats in AWS environments.

By default, Kubernetes is fairly secure: every namespace gets a default service account, which has no assigned permissions. But many apps and manifests people blindly deploy into their clusters affect the RBAC controls in ways the users may not even understand. k8s-pod-rbac-breakout is a project meant to demonstrate how one particular Kubernetes visualization tool gives every pod running in the default namespace full cluster-admin privileges, so any pod would then be able to do almost anything to almost any resource in the cluster!

As Kubernetes grows in popularity, the sophistication of attackers will improve, and security by obscurity will no longer be sufficient. What could an attacker who understands Kubernetes at a deep level be capable of? This talk explores the dark corners of clusters and shine a light on several new advanced attacks on Kubernetes.

The k8s-security-configwatch GitHub Action aims to help secure your GitOps workloads by detecting changes on your Kubernetes security configuration.

Slides covering some of the Attack Surface of Kubernetes as well as some hardening.

This repository gives an overview of some (GCP specific) metadata API attack and defence patterns.

scan.vulnerablecontainers.org is an open python API built using Trivy, Flask, Gunicorn, and Nginx that for now has two public endpoints (more endpoints and tools coming): the first provides a trivy report of all opened vulnerabilities for the container specified, whereas the second provides a list of open CVEs on the container.

The Istio project just consolidated its control plane services (Pilot, Citadel, Galley, and the sidecar injector) into a single binary, Istiod.

Self-paced, free, online course to learn fundamental AWS security concepts, including access control, data encryption methods, and how network access to your AWS infrastructure can be secured.

When the service first launched, many customers ran CloudHSM workloads on EC2. Today, people who are interested in leveraging CloudHSM for serverless workloads using AWS Lambda, but when using Lambda there is no instance to install the CloudHSM client on. This blog post shows a workaround that can be used to satisfy the CloudHSM client installation requirement on Lambda functions to be able to run CloudHSM workloads within these Lambda functions.

Want to learn how to implement consistent logging across your containerized applications? This blog post explains how to do it with AWS App Mesh, Envoy and Fluent Bit.

An anomaly detection solution using Dataflow, BigQuery, Pub/Sub and Cloud DLP has been open sourced, implementing a Telco network traffic use case.

Microsoft announced the general availability of vulnerability scanning for Containers in Azure Security Center.

Microsoft announced the preview of Azure Files Active Directory (AD) authentication. You can now mount your Azure Files using AD credentials with the exact same access control experience as on-premises. You may leverage an Active Directory domain service (AD DS) either hosted on-premises or on Azure for authenticating user access to Azure Files.