Release Date: 13/10/2019 | Issue: 7
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles

Cloud Deployments at Netflix
Not strictly a blog post, but an insightful thread about real-world continuous cloud deployments.

How Cloudflare Thinks About Security
The talk per se is really good, but I think the added value here is the insight into their company-wide security culture.

Firekube - Fast and Secure Kubernetes Clusters Using Weave Ignite
Firekube is a new open source Kubernetes distribution that uses Weave Ignite to run Kubernetes on Firecracker. Interesting to see how Firekube may also be seen as an alternative to KIND using Ignite and GitOps.

CVE-2019-11253: Kubectl/API Server YAML parsing vulnerable to 'Billion Laughs' Attack
CVE-2019-11253 is a YAML parsing vulnerability in the kube-apiserver, allowing users sending malicious YAML payloads to cause the kube-apiserver to consume excessive amounts of CPU and memory, potentially crashing and becoming unavailable. Probably worth upgrading your clusters...

How we built a queryable Application Inventory
We all know a good inventory is at the base of every security program, so Sqreen decided to share the journey that led them to the creation of their App Inventory and how they are bringing more security insights about micro-services/APIs/web apps in production.

Writing security-conscious IAM Policies by hand can be very tedious and inefficient. That's why Salesforce released policy_sentry, an IAM Least Privilege Policy Generator, auditor, and analysis database which aims to make it easier to write IAM Policies securely and abstract the complexity of writing least-privilege IAM policies.

Chamber is a tool for managing secrets in AWS, which uses SSM Parameter Store as a backend.

AWS Firewall Manager Update – Support for VPC Security Groups
AWS updated their managed firewall service, which now finally allows you to define, manage, and audit organization-wide policies for the use of VPC Security Groups.

AWS ALB affected by HTTP Desync and Request Smuggling Attacks
Turns out that AWS Cloudfront protects against HTTP Desync/Request Smuggling attacks, but ALB is still vulnerable. If your backend server sitting behind an AWS ALB does not have any defenses implemented, you're likely vulnerable.

Copyright © 2019-present The Cloud Security Reading List.