A blog post describing some of the nuances of auditing Falco during security assessments, and demonstrating how to think through some bypasses. The post goes through common approaches taken while auditing runtime security tools, and, as bonus points, even provide a couple of bypasses (for terminal alert, sensitive volume alert, and privileged container alert).

Slides from the talk @iancoldwater and @mauilion presented at Black Hat USA 2019. Takeaway: 'check your assumptions, neither kubernetes nor the apps deployed on it are secure by default'.

Azure Sentinel, a cloud-native SIEM that provides intelligent security analytics at cloud scale for enterprises of all sizes and workloads, is now generally available. It is also interesting to read design considerations related to Sentinel.

Another interesting piece of research by @raesene, this time on attackers squatting on common Docker Hub accounts to try and trick users into pulling malicious images. A process made somewhat easier by the fact that you can register organization names on Quay.io. Some mitigations are provided if you’re planning to adopt podman.

PoC script by @rhinosecurity that uses AWS VPC Traffic Mirroring to mirror and exfiltrate network traffic in AWS VPCs. Malicious VPC traffic mirroring can be extremely impactful because network traffic moving around within VPCs often contains sensitive information. The likelihood of malicious VPC traffic mirroring is also very high because there are often large amounts of cleartext traffic flowing through a VPC. One reason for the common use of cleartext traffic is that before traffic mirroring, it was very unlikely that the traffic would be sniffed, so it wasn’t very risky (think ok TLS termination for NLBs). Related script: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror/.

As pointed out by Dino Dai Zovi: 'If you're running JIRA on AWS, consider this SSRF to be RCE'.

A repository that contains sample code vulnerable to Server-Side Request Forgery attacks. But, why in PHP?!

Nice and compact.

If you really really really want to store your secrets within your source code, this post describes techniques useful to use Git to keep your Kubernetes secrets secure.