Release Date: 20/06/2021 | Issue: 92
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

🟠 Getting ISO 27001 certification as a SaaS Scale-up 🟠
A SaaS start-up can only go so far before it's time to consider certifications and compliance standards for advancement. We know compliance != security, and if you're stuck in between the two right now, here is a guide based on Detectify's use case for certification.
Detectify completed the journey in 2020 and shares its use case for getting ISO 27001 certification as a SaaS company.
โžก๏ธ Go to the on-demand webinar and downloadable guide

This week's articles


Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
#supply-chain
Supply chain Levels for Software Artifacts (SLSA) is an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. It is inspired by Google's internal "Binary Authorization for Borg" which has been in use for the past 8+ years.


Battle of Policy as Code Tools: OPA vs. Semgrep
#iac, #opa
Evaluating major Policy as Code tools for usability and performance.


Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs
#azure, #attack
Using a bug in Microsoft Power Apps and Microsoft Teams tabs to steal authentication tokens, emails, Teams messages, OneDrive and SharePoint files and more.


Key Kubernetes audit logs for monitoring cluster security
#kubernetes, #monitor
Post looking at audit log policies and how Kubernetes uses them to generate audit logs.


How to protect your ~/.kube/ configuration
#kubernetes, #defend
A hacky way to protect Kubernetes config files against accidental or malicious modification or reading.


K8s Network Policies
#kubernetes, #explain
Post explaining what Kubernetes network policies are, their fundamentals, and how to use NetworkPolicy agents.


How does 'kubectl exec' work?
#kubernetes, #explain
Technical deep dive on what happens when you type "kubectl exec".


Azure DevOps Terraform Pipeline with Checkov & Approvals
#azure, #ci/cd, #build
A concrete example of a full Azure DevOps pipeline (along with Terraform code) leveraging Checkov and manual approval processes.


How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit
#gcp, #attack
An exploit that allowed breaking out of the App Engine sandbox and gaining arbitrary code execution on a Google server.


Toward Vagrant 3.0
#hashicorp, #announcement
HashiCorp is making changes to Vagrant that will maintain its Ruby-based features while being ported to Go.

Tools


codeowners-validator
The Codeowners Validator project validates the GitHub CODEOWNERS file based on specified checks.


aws-ssm-tree
SSM Tree is a tool that provides a tree visualization of the parameter hierarchy from AWS Systems Manager Parameter Store.


act
Run your GitHub Actions locally.


cloud-run-iap-terraform-demo
Deploy an IAP-secured application to Cloud Run using Terraform.

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers


Amazon EC2 adds new AMI property to flag outdated AMIs
You can now specify a new property called DeprecationTime on your Amazon Machine Images (AMIs) to indicate when the AMI will become outdated.


Approaches to meeting Australian Government gateway requirements on AWS
This post examines the types of controls you need to provide a gateway that can meet Australian Government requirements defined in the Protective Security Policy Framework (PSPF) and the challenges of using traditional deployment models to support cloud-based solutions.


Encrypt global data client-side with AWS KMS multi-Region keys
AWS Key Management Service (AWS KMS) is introducing multi-Region keys, a new capability that lets you replicate keys from one Amazon Web Services (AWS) Region into another.


Cloud CISO Perspectives: June 2021
Google Cloud CISO Phil Venables shares his thoughts on ransomware, software supply chains, and RSA retrospectives.


Introducing Azure AD access reviews for service principals
You can now govern Service Principals with Azure AD Access Reviews.


Microsoft Defender Security Insights in Azure Sentinel
How you can leverage Azure Sentinel to gain visibility into Microsoft Secure Score alongside other security data.


Enhanced Azure Sentinel Alert remediation in the SOC Process Framework
Microsoft's Azure Sentinel now provides a Timeline view within the Incident, where alerts display remediation steps.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.