Release Date: 13/10/2019 | Issue: 7
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

This week's articles

Cloud Deployments at Netflix
Not properly a blog post, but an insightful thread about real-world continuous cloud deployments.

How Cloudflare Thinks About Security
The talk per se is really good, but I think the added value here is the insights on their company-wide security culture.

Firekube - Fast and Secure Kubernetes Clusters Using Weave Ignite
Firekube is a new open source Kubernetes distribution that uses Weave Ignite to run Kubernetes on Firecracker. Interesting to see how Firekube may also be seen as an alternative to KIND using Ignite and GitOps.

CVE-2019-11253: Kubectl/API Server YAML parsing vulnerable to 'Billion Laughs' Attack
CVE-2019-11253 is a YAML parsing vulnerability in the kube-apiserver, allowing users sending malicious YAML payloads to cause the kube-apiserver to consume excessive amounts of CPU and memory, potentially crashing and becoming unavailable. Probably worth upgrading your clusters...

How we built a queryable Application Inventory
We all know a good inventory is the foundation of every security program, so Sqreen decided to share the journey that led them to the creation of their App Inventory and how they are bringing more security insights about microservices/APIs/web apps in production.

Writing security-conscious IAM Policies by hand can be very tedious and inefficient. That's why Salesforce released policy_sentry, an IAM Least Privilege Policy Generator, auditor, and analysis database which aims to make it easier to write IAM Policies securely and abstract the complexity of writing least-privilege IAM policies.

Chamber is a tool for managing secrets in AWS, which uses SSM Parameter Store as a backend.

AWS Firewall Manager Update – Support for VPC Security Groups
AWS updated their managed firewall service, which now finally allows you to define, manage, and audit organization-wide policies for the use of VPC Security Groups.

AWS ALB affected by HTTP Desync and Request Smuggling Attacks
Turns out that AWS CloudFront protects against HTTP Desync/Request Smuggling attacks, but ALB is still vulnerable. If the backend server sitting behind your AWS ALB does not have any defenses implemented, you're likely vulnerable.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.