This week's articles
Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure
#azure, #attack
Two vulnerabilities were discovered in Azure App Services. The first enabled an attacker with access to the server to take over the App Service's git repository and implant phishing pages accessible through the Azure Portal. The second vulnerability allowed an attacker with an existing low-severity vulnerability on the application (SSRF) to upgrade to full code execution on the App Service and trigger the first vulnerability.
Announcing HashiCorp Waypoint
#announcement, #hashicorp, #build
HashiCorp released Waypoint, a new open source project that provides developers a consistent workflow to build, deploy, and release applications across any platform. To really understand what Waypoint is (and isn't), I highly recommend this blog from @copyconstruct.
Announcing HashiCorp Boundary
#announcement, #hashicorp, #aws, #build
HashiCorp released Boundary, a new open source project that enables users to securely access dynamic hosts and services with fine-grained authorization, without requiring direct network access. The Boundary AWS Reference Architecture repo contains Terraform configuration for deploying Boundary in HA mode in AWS.
Introducing Cloudflare One
#announcement, #cloudflare
As stated by Cloudflare: "It provides secure, fast, reliable, cost-effective network services, integrated with leading identity management and endpoint security providers".
Fine-tune access to external (GitHub) Actions
#github, #ci/cd
Now enterprise, organization, and repository administrators can define an allow list and fine-tune access to external GitHub Actions, making it easier to achieve security and compliance goals.
Tools
sshizzle
Serverless, Zero-Trust SSH for Microsoft Azure.
wernicke
A redaction tool for structured data (like logs). Run wernicke with JSON on stdin, get redacted values out. Preserves structure and (to some extent) semantics.
gitlab-watchman
GitLab Watchman is an application that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally.
From the cloud providers
How to automatically archive expected IAM Access Analyzer findings
This post shows how to automatically archive Access Analyzer findings for expected events, such as authorized resource access. Automatically archiving expected findings reduces distraction from findings that don't require action, so you can concentrate on remediating any unexpected access to your shared resources.
Now, setting up continuous deployment for Cloud Run is a snap
Cloud Run now allows you to set up continuous deployment in just a few clicks: from the Cloud Run user interface, you can connect to your Git repository and set up continuous deployment to automatically build and deploy your code to your Cloud Run or Cloud Run for Anthos services.
Static outbound IP address
Cloud Run now supports setting a static IP address for outbound (egress) connections from serverless containers. You can now connect to external databases and APIs from a known IP address that you can add to their allow lists.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter ( @lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco