This week's articles
IAM whatever you say IAM
Cartography introduced "Resource Permission Relationships": using the graph to evaluate a principal's resulting accesses to critical assets within your environments.
When LIST is a Lie in Kubernetes
For the Secrets resource, the "LIST" verb is a lie. When you "list" a secret, it goes out to the Kubernetes API, pulls down all the secrets including individual secret values themselves. This is a known and documented issue but many environments continue to rely on "LIST" to prevent access to secrets, compared to the "GET" verb.
Consuming Public Content
#docker, #build, #ci/cd
The Docker TOS updates give us an opportunity to focus on the larger challenges with consuming public content. If you depend on public content, it is recommended to configure a workflow that imports the content, security scans the content based on your organization's scanning policies, runs functional and integration tests to assure this most recent version of the content meets all expectations, then promote the validated content to a location your team(s) can utilize.
ACM for Nitro Enclaves - How Secure Are They?
Good overview on the "shape" of AWS Nitro Enclaves and how private material is protected. They even tried to access an ACM private key, but show how attestation prevents that.
Widespread injection vulnerabilities in Actions
Project Zero identified an interesting design flaw in Github Actions. Actions that print untrusted data to STDOUT are vulnerable to an injection attack that can be turned into code exec.
Detections as code: reliably scaling your detections library
A few ideas for all those who are building a detection team, showing how to get more than code review out of the "detections-as-code" model, and really make use of the power of committed, automatically parseable detection rules.