Release Date: 06/10/2019 | Issue: 6
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles

Introducing LambdaGuard — a security scanner for AWS Lambda
Skyscanner built a tool which allows to visualise and audit the security of serverless assets. I'd recommend you to read the companion blog post as well, as it nicely describes different concepts related to AWS Lambda, as well as common pitfalls and vulnerabilities.

Continuous Auditing With CloudMapper
You might have already heard of it, but this time CloudMapper has been updated/redesigned to become a monitoring solution, so that it can run continuously to provide ongoing alerting and situational awareness in AWS without incurring significant cost or overhead.

How to evaluate community Ansible roles for your playbooks
This is the transcript of a presentation which covers the process of evaluating community content before incorporating it into automation playbooks, as well as the risks involved in including external dependencies and how to mitigate those risks. I particularly like this sentence: ''Another important component of relying on upstream packages is trust. If you're building infrastructure or setting up networking for an application important to your company's financial success, you better be sure you can trust the upstream maintainers''.

DevSecCon Seattle 2019 Round Up
This post from @clintgibler is a goldmine of useful information. It covers the talks delivered at DevSecCon Seattle, from continuous compliance to secure wrapper libraries and others.

Quantum Security and Cryptography in HashiCorp Vault
HashiCorp exploring quantum cryptography, its implications, and how to integrate these concepts within Vault.

A Compendium of Container Escapes
Slides from the Capsule8 talk at Black Hat USA 2019. Definitely not for beginners, as it goes in technical depth over concepts like Container Engine Vulnerabilities, Escapes via Insecure Configurations, and Kernel Exploitation.

Least Privilege in Kubernetes Using Impersonation
How to enable a least-privilege type of access to a cluster using the concept of 'impersonation', with the goal of reducing the likelihood of accidentally performing unwanted actions.

kubectl sudo
Related to the previous post, kubectl-sudo is a kubectl plugin which allows users to run Kubernetes commands with the security privileges of another user. This way it should be possible to reduce the surface of unwanted or unexpected actions, by reducing the default privileges a cluster administrator to the level of an unprivileged account, and then give them the ability to impersonate users and groups when needed.

CCAT now supports GCP
If you haven't seen CCAT before, it is a tool for testing the security of container environments. Up to now it was AWS-specific, but this past week support for GCP (to each of the existing modules) has been added.

View this email in your browser © 2019-present
The Cloud Security Reading List by SecurityBite LTD.