Release Date: 18/05/2025 | Issue: 288
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Your cloud data is only as secure as your code. Is your IaC leaving gaps?
Varonis breaks down how Infrastructure as Code (IaC) can quietly introduce misconfigurations that expose sensitive data. From Terraform to CloudFormation, IaC is powerful, but without the right guardrails, it can become a fast track to risk.
In their latest blog, you’ll learn:
  • How IaC templates expose data
  • Real-world misconfigurations
  • How to shift security left
Want to know if your cloud is at risk? Run a Free Cloud Data Risk Assessment

This week's articles


High Leverage Security Decisions
Essential security strategies for early-stage startups to minimize risks while facilitating smoother audits.   #strategy


SCIM Hunting - Beyond SSO
Post diving into the core aspects of SCIM (System for Cross-domain Identity Management), and the insecure design issues often found while testing its implementations.   #attack   #saas


The cryptography behind passkeys
Post examining the cryptography behind passkeys, the guarantees they do or do not give, and interesting cryptographic things you can do with them, such as generating cryptographic keys and storing certificates.   #explain


Demonstrably Secure Software Supply Chains with Nix
Post showing how Nix enables definitive proof that your system image is derived solely from a specific, trusted set of sources, including all dependencies and build tools.   #build   #ci/cd   #supply-chain


Tales from the cloud trenches: The Attacker doth persist too much
Write-up of a cloud attack that abused Amazon SES and established persistence through AWS Lambda, AWS IAM Identity Center and AWS IAM.   #attack   #aws   #defend


The 18-point secrets management checklist
This post provides a 9-step, 18-point checklist of secrets management best practices to use as a guide for your journey.   #build   #defend   #vault


Does AZNFS SUID your needs? A Path to Root Privilege Escalation on Azure AI and HPC
An Azure utility for mounting Azure Storage, preinstalled on Azure HPC/AI images, allowed an unprivileged user on a Linux machine where it was installed to escalate their privileges to root.   #attack   #azure


Why Prompts Are the New IOCs You Didn't See Coming
Post introducing the concept of LLM TTPs (Tactics, Techniques, and Procedures) to categorize how adversaries exploit LLMs, highlighting the importance of prompts in this context.   #ai   #defend


Kubernetes CRD Abstraction Risks in kro
Two bugs in kro (Kube Resource Orchestrator) that allowed an attacker to introduce a malicious CustomResourceDefinition (CRD).   #attack   #kubernetes

Sponsor

Datadog Detect: Scale your Security Operations with Detection Engineering
Register now for Datadog Detect - a virtual mini-conference focused on modernizing detection and response through engineering principles. You’ll hear from industry leaders, including detection engineers at Datadog, Firemon, Snowflake, and more!


Tools


customer-detections
A collection of detection rules for security monitoring and detailed descriptions of log fields used for threat analysis within Okta environments.


cariddi
Takes a list of domains, crawls their URLs and scans for endpoints, secrets, API keys, file extensions, tokens and more.


vapi
VAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.


http-mcp-bridge
An HTTP server that acts as a bridge between HTTP/1.1 requests and Server-Sent Events (SSE) using the mcp python library. You can also refer to the companion blog post.

From the cloud providers


#AWS   AI lifecycle risk management: ISO/IEC 42001:2023 for AI governance
Post explaining how ISO/IEC 42001 enables effective AI governance, reviewing its risk management requirements, and exploring how threat modeling can be used as a practical technique to meet those expectations.


#AWS   Implementing safety guardrails for applications using Amazon SageMaker
Post explaining guardrail implementation strategies.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini