This week's articles
Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography
How to leverage Cartography to detect, identify, categorize, and visualize all the assets being deployed in your estate. (Disclaimer: I wrote this post!)
Attacking and Defending Kubernetes Clusters
A guided walkthrough to help you create your own Kubernetes environment so you can take on the role of two attacking personas looking to make some money, and one defending persona working hard to keep the cluster safe and healthy.
Enumerating Docker Registries with go-pillage-registries
In order to take full advantage of compromised Docker registries, NCC Group has developed go-pillage-registries. This repository contains a tool called pilreg, which provides a pentester-focused interface for these registries. pilreg allows attackers to easily enumerate images stored in a registry in order to obtain their metadata and filesystems.
Use GitHub actions at your own risk
Classic supply chain attack: malicious code can be inserted into any GitHub action, even those which are tagged. Instead of checking out a branch or a tag (both are not safe), you could use a commit hash instead.
preflight - Automatically perform Kubernetes configuration checks using OPA
Preflight Packages are a very thin wrapper around OPA's policies. A package is made of Rego files (OPA's high-level declarative language) and a Policy Manifest. The Policy Manifest is a YAML file intended to add metadata to the rules, so the tool can display useful information when a rule doesn't pass.
Terraform Your Deployment of Vault on Kubernetes
Learn how to get multiple Vault clusters up and running on Kubernetes in a few clicks with Terraform.
VirusTotal released a set of changes and improvements to VirusTotal Graph, which aims to provide a tool that understands the relationships between files, URLs, domains and IP addresses, and an easy interface to pivot and navigate over them. Plus, it also has an API.
From the cloud providers
Create a centralized and automated workflow that creates and validates AWS IAM policies for application teams working in various environments.
Analyze AWS WAF logs and build multiple dashboards without booting up servers.
Introducing Google Cloud's Secret Manager
Secret Manager is a new Google Cloud service that provides a secure and convenient method for storing API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.
Exploring container security: Navigate the security seas with ease in GKE v1.15
As GKE moved from v1.12 to v1.15 over the past year, here's an overview of the security changes Google made to the platform (to improve security behind the scenes), as well as the advice added to the GKE hardening guide.