Release Date: 20/06/2021 | Issue: 92
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

🟠 Getting ISO 27001 certification as a SaaS Scale-up 🟠
A SaaS start-up can only go so far before it's time to consider certifications and compliance standards for advancement. We know compliance != security, and if you're stuck in between the two right now, here is a guide based on Detectify's use case for certification.
Detectify completed the journey in 2020 and share their use case for getting ISO 27001 certification as a SaaS company.
➑️ Go to the on-demand webinar and downloadable guide

This week's articles

Introducing SLSA, an End-to-End Framework for Supply Chain Integrity   #supply-chain
Supply chain Levels for Software Artifacts (SLSA) is an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. It is inspired by Google's internal "Binary Authorization for Borg" which has been in use for the past 8+ years.

Battle of Policy as Code Tools: OPA vs. Semgrep   #iac, #opa
Evaluating major Policy as Code tools for usability and performance.

Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs   #azure, #attack
Using a bug in Microsoft Power Apps and Microsoft Teams tabs to steal authentication tokens, emails, Teams messages, OneDrive and SharePoint files and more.

Key Kubernetes audit logs for monitoring cluster security   #kubernetes, #monitor
Post looking at audit log policies and how Kubernetes uses them to generate audit logs.

How to protect your ~/.kube/ configuration   #kubernetes, #defend
An hacky way to protect Kubernetes config files against accidental or malicious change or reading.

K8s Network Policies   #kubernetes, #explain
Post explaining what Kubernetes network policies are, their fundamentals, and how to use NetworkPolicy agents.

How does 'kubectl exec' work?   #kubernetes, #explain
Technical deep dive on what happens when you type "kubectl exec".

Azure DevOps Terraform Pipeline with Checkov & Approvals   #azure, #ci/cd, #build
A concrete example of a full Azure DevOps pipeline (along with Terraform code) leveraging Checkov and manual approval processes.

How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit   #gcp, #attack
An exploit which allowed to break out of the App Engine sandbox and get arbitrary code execution on a Google server.

Toward Vagrant 3.0   #hashicorp, #announcement
HaschiCorp is making changes to Vagrant that will maintain its Ruby-based features while being ported to Go.


The Codeowners Validator project validates the GitHub CODEOWNERS file based on specified checks.

SSM Tree is a tool that provides a tree visualization of the parameters hierarchy from AWS System Manager Parameter Store.

Run your GitHub Actions locally.

Deploy an IAP-secured application to Cloud Run using Terraform.

Sponsor CloudSecList

If you want to get yourΒ productΒ or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
πŸ“¨ [email protected] πŸ“¨

From the cloud providers

AWS Icon  Amazon EC2 adds new AMI property to flag outdated AMIs
You can now specify a new property called DeprecationTime on your Amazon Machine Images (AMIs) to indicate when the AMI will become outdated.

AWS Icon  Approaches to meeting Australian Government gateway requirements on AWS
This post examines the types of controls you need to provide a gateway that can meet Australian Government requirements defined in the Protective Security Policy Framework (PSPF) and the challenges of using traditional deployment models to support cloud-based solutions.

AWS Icon  Encrypt global data client-side with AWS KMS multi-Region keys
AWS Key Management Service (AWS KMS) is introducing multi-Region keys, a new capability that lets you replicate keys from one Amazon Web Services (AWS) Region into another.

GCP Icon  Cloud CISO Perspectives: June 2021
Google Cloud CISO Phil Venables shares his thoughts on ransomware, software supply chains, and RSA retrospectives.

Azure Icon  Introducing Azure AD access reviews for service principals
You can now govern Service Principals with Azure AD Access Reviews.

Azure Icon  Microsoft Defender Security Insights in Azure Sentinel
How you can leverage Azure Sentinel to gain visibility into Microsoft Secure Score alongside other security data.

Azure Icon  Enhanced Azure Sentinel Alert remediation in the SOC Process Framework
Microsoft's Azure Sentinel now provides a Timeline view within the Incident where alerts now display remediation steps.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! πŸ‘Œ

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
Β© 2019-present, CloudSecList by Marco Lancini.