Release Date: 13/10/2019 | Issue: 7
CloudSecList is a weekly newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand curated by Marco Lancini.

This week's articles


Cloud Deployments at Netflix
Not a blog post as such, but an insightful thread about real-world continuous cloud deployments.


How Cloudflare Thinks About Security
The talk per se is really good, but I think the added value here is the insights on their company-wide security culture.


Firekube - Fast and Secure Kubernetes Clusters Using Weave Ignite
Firekube is a new open-source Kubernetes distribution that uses Weave Ignite to run Kubernetes on Firecracker microVMs. Interesting to see how Firekube may also be seen as an alternative to KIND, combining Ignite with GitOps.


CVE-2019-11253: Kubectl/API Server YAML parsing vulnerable to 'Billion Laughs' Attack
CVE-2019-11253 is a YAML parsing vulnerability in the kube-apiserver: a user who can submit YAML to the API server can send a small payload whose nested anchors and aliases expand exponentially when parsed, causing the kube-apiserver to consume excessive amounts of CPU and memory and potentially crash and become unavailable. Probably worth upgrading your clusters...
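To make the "Billion Laughs" mechanism concrete, here is an added example (written for this issue, not code from the Kubernetes project, go-yaml, or the CVE advisory) that builds the classic nested-alias payload and shows the defensive counterpart: a linear-time scan that bounds how many scalars a document would expand to before any real YAML loader touches it. It deliberately handles only a restricted YAML subset (a top-level mapping of flow sequences with `&anchor`/`*alias`), and the function names and limits are hypothetical.

```python
"""Billion-laughs YAML: build the payload and bound its expansion before parsing.

Added example for this newsletter issue; not code from the Kubernetes
project, go-yaml, or the CVE advisory. It handles a deliberately restricted
YAML subset, one top-level mapping whose values are flow sequences with
optional anchors (&name) and aliases (*name), e.g.

    a: &a [lol, lol]
    b: &b [*a, *a]

which is enough to show the mechanism. Block sequences, nested maps and
merge keys are out of scope. Function names and limits are hypothetical.
"""
import re

# key: &anchor [item, item, ...]   (the anchor is optional)
LINE_RE = re.compile(r"^(?P<key>[^:\s]+):\s*(?:&(?P<anchor>\S+)\s*)?\[(?P<body>.*)\]\s*$")


class YamlBombError(ValueError):
    """Raised when a document would expand far beyond its wire size."""


def build_payload(depth: int, width: int) -> str:
    """Return a document whose text grows as O(depth * width) bytes while the
    deepest level expands to width**depth scalars: every level is a sequence
    of `width` aliases to the level before it."""
    lines = [f"lvl0: &lvl0 [{', '.join(['lol'] * width)}]"]
    for i in range(1, depth):
        refs = ", ".join([f"*lvl{i - 1}"] * width)
        lines.append(f"lvl{i}: &lvl{i} [{refs}]")
    return "\n".join(lines) + "\n"


def estimate_expansion(doc: str) -> int:
    """Count the scalars a parser would materialise after expanding every
    alias, without expanding anything. Each anchored value is priced once and
    reused by reference, so the scan is linear in the document size even when
    the expansion is exponential."""
    cost_of = {}  # anchor name -> number of scalars in its expansion
    total = 0
    for raw in doc.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported line for this sketch: {raw!r}")
        body = m.group("body").strip()
        items = [s.strip() for s in body.split(",")] if body else []
        n = 0
        for item in items:
            if item.startswith("*"):
                name = item[1:]
                if name not in cost_of:  # YAML aliases may only point backwards
                    raise ValueError(f"alias to undefined anchor: {name}")
                n += cost_of[name]
            else:
                n += 1
        if m.group("anchor"):
            cost_of[m.group("anchor")] = n
        total += n
    return total


def check_before_parse(doc: str, max_bytes: int = 1_000_000,
                       max_scalars: int = 100_000) -> int:
    """Pre-parse guard: reject a document whose wire size or estimated
    expansion is over budget, otherwise return the estimate for logging.
    Call this before handing the text to a real YAML loader."""
    if len(doc.encode()) > max_bytes:
        raise YamlBombError("document too large")
    n = estimate_expansion(doc)
    if n > max_scalars:
        raise YamlBombError(
            f"alias expansion would produce {n} scalars (limit {max_scalars})")
    return n


if __name__ == "__main__":
    bomb = build_payload(depth=9, width=9)
    print(f"{len(bomb)} bytes on the wire -> {estimate_expansion(bomb)} scalars")
    try:
        check_before_parse(bomb)
    except YamlBombError as e:
        print("rejected:", e)
```

With depth and width both 9 the document is well under a kilobyte yet expands to hundreds of millions of scalars, which is the asymmetry the CVE exploits; a parser with no alias budget happily allocates all of it. Real loaders fix this inside the parser (by limiting alias expansion), but a cheap estimate like the one above is a reasonable belt-and-braces check in front of any endpoint that accepts user-supplied YAML.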


How we built a queryable Application Inventory
We all know that a good inventory is the foundation of every security program, so Sqreen decided to share the journey that led to the creation of their App Inventory, and how they are surfacing more security insights about microservices, APIs and web apps in production.


policy_sentry
Writing security-conscious IAM policies by hand can be very tedious and inefficient. That's why Salesforce released policy_sentry, an IAM least-privilege policy generator, auditor, and analysis database that aims to make it easier to write IAM policies securely and to abstract away the complexity of writing least-privilege policies.


Chamber
Chamber is a tool for managing secrets in AWS, which uses SSM Parameter Store as a backend.


AWS Firewall Manager Update – Support for VPC Security Groups
AWS updated their managed firewall service, which now finally allows you to define, manage, and audit organization-wide policies for the use of VPC Security Groups.


AWS ALB affected by HTTP Desync and Request Smuggling Attacks
Turns out that AWS CloudFront protects against HTTP Desync/Request Smuggling attacks, but ALB does not. If the backend server sitting behind your AWS ALB has no defenses of its own (for example, it accepts requests carrying both Content-Length and Transfer-Encoding), you're likely vulnerable.
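To show what "desync" means in practice, here is an added example (not code from the linked article or from AWS) that frames one constructed request the way a Content-Length-only front end and a chunked-aware back end each would, shows the leftover byte that poisons the next request on the shared back-end connection, and includes the backend-side check the paragraph alludes to. The request bytes, hostname and paths are made up for the example, and the two framing functions are minimal parsers for this one point, not a real HTTP implementation.

```python
"""HTTP request smuggling (CL.TE desync) shown on one constructed request.

Added example, not code from the linked article or from AWS. A front end
that frames requests by Content-Length and a back end that frames them by
Transfer-Encoding: chunked disagree on where one request ends; the bytes
left over on the shared back-end connection become the prefix of the next
client's request. The framing functions below are minimal parsers written
only to show that disagreement (no trailers, no pipelining edge cases), and
the request itself is constructed for this example.
"""

CRLF = b"\r\n"


def parse_headers(raw: bytes):
    """Return (request line, {lowercased name: value}, offset where the body starts)."""
    head, sep, _ = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + len(CRLF + CRLF)


def frame_by_content_length(raw: bytes):
    """Front-end view: the body is exactly Content-Length bytes.
    Returns (first request, bytes left on the connection)."""
    _, headers, body_start = parse_headers(raw)
    end = body_start + int(headers.get(b"content-length", b"0"))
    return raw[:end], raw[end:]


def frame_by_chunked(raw: bytes):
    """Back-end view: with Transfer-Encoding: chunked the body ends at the
    zero-size chunk and Content-Length is ignored (RFC 7230 section 3.3.3)."""
    _, headers, body_start = parse_headers(raw)
    if headers.get(b"transfer-encoding", b"").lower() != b"chunked":
        return frame_by_content_length(raw)
    pos = body_start
    while True:
        size_end = raw.index(CRLF, pos)
        size = int(raw[pos:size_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = size_end + len(CRLF) + size + len(CRLF)      # size line, data, trailing CRLF
        if size == 0:
            return raw[:pos], raw[pos:]


def is_unambiguous(raw: bytes) -> bool:
    """Back-end hardening: a request carrying both framing headers is
    refused outright instead of guessed at, which removes the desync."""
    _, headers, _ = parse_headers(raw)
    return not (b"content-length" in headers and b"transfer-encoding" in headers)


# Constructed CL.TE payload: Content-Length covers "0\r\n\r\nG" (6 bytes),
# but a chunked parser stops after the zero chunk and leaves "G" behind.
SMUGGLED = (
    b"POST / HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"
)

# A second, innocent request that the back end reads next on the same connection.
NEXT_CLIENT = b"GET /home HTTP/1.1\r\nHost: app.example\r\n\r\n"


def poisoned_request_line() -> bytes:
    """What the back end sees as the next request line once the leftover
    byte is prepended to another user's request."""
    _, leftover = frame_by_chunked(SMUGGLED)
    return (leftover + NEXT_CLIENT).split(CRLF)[0]


if __name__ == "__main__":
    print("front end leftover:", frame_by_content_length(SMUGGLED)[1])
    print("back end leftover: ", frame_by_chunked(SMUGGLED)[1])
    print("next request line: ", poisoned_request_line())
    print("reject ambiguous:  ", not is_unambiguous(SMUGGLED))
```

The front end forwards the whole payload as one request, the back end stops at the zero chunk, and the stray `G` turns the next user's `GET /home` into `GGET /home`; with a longer smuggled prefix an attacker controls the method, path and headers of someone else's request. A proxy that normalises framing (as the blurb says CloudFront does) removes the ambiguity before it reaches the back end; if the load balancer does not, the back end should reject requests that carry both headers, as `is_unambiguous` does.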

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate it if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present, CloudSecList by SecurityBite LTD.
Created by Marco Lancini.