This week's articles
Introducing LambdaGuard — a security scanner for AWS Lambda
Skyscanner built a tool that visualises and audits the security posture of serverless assets. I'd recommend reading the companion blog post as well, as it nicely describes different concepts related to AWS Lambda, as well as common pitfalls and vulnerabilities.
Continuous Auditing With CloudMapper
You might have already heard of it, but this time CloudMapper has been updated and redesigned to become a monitoring solution, so that it can run continuously and provide ongoing alerting and situational awareness in AWS without incurring significant cost or overhead.
How to evaluate community Ansible roles for your playbooks
This is the transcript of a presentation which covers the process of evaluating community content before incorporating it into automation playbooks, as well as the risks involved in including external dependencies and how to mitigate those risks. I particularly like this sentence: "Another important component of relying on upstream packages is trust. If you're building infrastructure or setting up networking for an application important to your company's financial success, you better be sure you can trust the upstream maintainers".
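One concrete mitigation for the external-dependency risk the talk discusses is to pin every community role to an immutable revision, so that what gets installed is exactly what was reviewed. The `requirements.yml` below is an added example written for this newsletter, not material from the talk; the role names, repository URL and commit hash are hypothetical.

```yaml
# Added example: pin community roles to fixed revisions instead of "latest".
# Role names, the repository URL and the commit SHA are hypothetical.

# Galaxy role pinned to an exact release. A tag can still be moved by the
# maintainer, so this is a weaker pin than a commit hash.
- name: example.nginx
  version: 1.4.2

# Git-hosted role pinned to a full commit SHA. The content installed is the
# content that was reviewed, even if the upstream branch is later force-pushed
# or the maintainer's account is compromised.
- name: hardened_sshd
  src: https://github.com/example-org/ansible-role-sshd.git
  scm: git
  version: 0123456789abcdef0123456789abcdef01234567
```

Install with `ansible-galaxy install -r requirements.yml -p roles/`, review the role's contents at the pinned revision before the first use, and treat a version bump like any other code change: diff the role between the old and new pin rather than trusting the changelog.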
DevSecCon Seattle 2019 Round Up
This post from @clintgibler is a goldmine of useful information. It covers the talks delivered at DevSecCon Seattle, from continuous compliance to secure wrapper libraries and others.
A Compendium of Container Escapes
Slides from the Capsule8 talk at Black Hat USA 2019. Definitely not for beginners, as it goes in technical depth over concepts like Container Engine Vulnerabilities, Escapes via Insecure Configurations, and Kernel Exploitation.
kubectl sudo
Related to the previous post, kubectl-sudo is a kubectl plugin which allows users to run Kubernetes commands with the security privileges of another user. This way it should be possible to reduce the surface for unwanted or unexpected actions: a cluster administrator's default privileges are reduced to the level of an unprivileged account, and they are given the ability to impersonate users and groups only when needed.
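The mechanism behind "run as another user" is plain Kubernetes RBAC: the `impersonate` verb on the `users` and `groups` resources, restricted with `resourceNames` so that the everyday identity can only assume specific privileged identities. The manifests below are an added example for this newsletter, not code from the kubectl-sudo project; the user `alice`, the user `alice-admin` and the group `cluster-admins` are assumed names.

```yaml
# Added example (not from kubectl-sudo): RBAC that lets a low-privilege user
# "alice" impersonate one named admin user and one named admin group.
# All user and group names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonate-cluster-admins
rules:
  # resourceNames is the important part: without it alice could impersonate
  # any user or group, including system:masters, which is effectively
  # cluster-admin for any caller.
  - apiGroups: [""]
    resources: ["users"]
    verbs: ["impersonate"]
    resourceNames: ["alice-admin"]
  - apiGroups: [""]
    resources: ["groups"]
    verbs: ["impersonate"]
    resourceNames: ["cluster-admins"]
---
# alice's own account gets only the right to impersonate; no other rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-can-impersonate
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: impersonate-cluster-admins
  apiGroup: rbac.authorization.k8s.io
---
# The privileged group is the one bound to cluster-admin. alice is not a
# member, so "kubectl delete ns prod" as alice is denied, while
#   kubectl --as=alice-admin --as-group=cluster-admins delete ns prod
# is allowed and is audit-logged with both the real and impersonated identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admins-are-cluster-admin
subjects:
  - kind: Group
    name: cluster-admins
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

Two checks worth doing after applying something like this: `kubectl auth can-i delete namespaces --as=alice` should return `no`, and the API server audit log for the impersonated request should carry the original caller under `user` and the assumed identity under `impersonatedUser`, which is what makes the escalation traceable to a person.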
CCAT now supports GCP
If you haven't seen CCAT before, it is a tool for testing the security of container environments. Up to now it was AWS-specific, but this past week GCP support has been added to each of the existing modules.