Release Date: 06/10/2019 | Issue: 6
"The Cloud Security Reading List" is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

Knowing how difficult it is to stay up to date with all the different news and releases occurring in this industry, I hope this will be helpful for other people who are particularly interested in this corner of the security scenario.

This week's articles

  • Introducing LambdaGuard — a security scanner for AWS Lambda Skyscanner built a tool that visualises and audits the security of serverless assets. I'd recommend reading the companion blog post as well, as it nicely describes different concepts related to AWS Lambda, as well as common pitfalls and vulnerabilities.
  • Continuous Auditing With CloudMapper You might have already heard of it, but CloudMapper has now been redesigned as a monitoring solution: it can run continuously to provide ongoing alerting and situational awareness in AWS without incurring significant cost or overhead.
  • How to evaluate community Ansible roles for your playbooks This is the transcript of a presentation which covers the process of evaluating community content before incorporating it into automation playbooks, as well as the risks involved in including external dependencies and how to mitigate those risks. I particularly like this sentence: "Another important component of relying on upstream packages is trust. If you're building infrastructure or setting up networking for an application important to your company's financial success, you better be sure you can trust the upstream maintainers".
  • DevSecCon Seattle 2019 Round Up This post from @clintgibler is a goldmine of useful information. It covers the talks delivered at DevSecCon Seattle, from continuous compliance to secure wrapper libraries and others.
  • Quantum Security and Cryptography in HashiCorp Vault HashiCorp explores quantum cryptography, its implications, and how to integrate these concepts within Vault.
  • A Compendium of Container Escapes Slides from the Capsule8 talk at Black Hat USA 2019. Definitely not for beginners, as it goes into technical depth on concepts like container engine vulnerabilities, escapes via insecure configurations, and kernel exploitation.
  • Least Privilege in Kubernetes Using Impersonation How to enable a least-privilege type of access to a cluster using the concept of "impersonation", with the goal of reducing the likelihood of accidentally performing unwanted actions.
  • kubectl sudo Related to the previous post, kubectl-sudo is a kubectl plugin which allows users to run Kubernetes commands with the security privileges of another user. This way it should be possible to reduce the surface of unwanted or unexpected actions, by reducing the default privileges of a cluster administrator to the level of an unprivileged account, and then giving them the ability to impersonate users and groups only when needed.
  • CCAT now supports GCP If you haven't seen CCAT before, it is a tool for testing the security of container environments. Up to now it was AWS-specific, but this past week support for GCP has been added to each of the existing modules.
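To make the impersonation pattern from the two Kubernetes items above concrete, here is an added RBAC example (mine, not taken from the linked post or from the kubectl-sudo plugin). The user name "alice" and the group name "cluster-admins" are assumptions: alice's everyday identity is bound only to the read-only built-in "view" ClusterRole, the privileged "cluster-admins" group exists only as an RBAC subject that nobody authenticates as, and a separate rule lets alice impersonate exactly that group (and only herself as the user), so nothing else can be impersonated.

```yaml
# Added example, not from the original post: "admin by impersonation" RBAC.
# Assumed names: user "alice", group "cluster-admins".
#
# 1. Day-to-day identity: alice is bound only to the built-in, read-only "view" role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
---
# 2. The privileged group is only an RBAC subject; no credential carries it directly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  name: cluster-admins
  apiGroup: rbac.authorization.k8s.io
---
# 3. alice may impersonate herself plus the cluster-admins group. resourceNames pins
#    the allowed identities: a bare "impersonate" verb on users/groups without it
#    would let her become any user or group, including system:masters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonate-cluster-admins
rules:
- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
  resourceNames: ["alice"]
- apiGroups: [""]
  resources: ["groups"]
  verbs: ["impersonate"]
  resourceNames: ["cluster-admins"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-impersonate-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonate-cluster-admins
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
```

With this applied, a plain `kubectl delete deployment foo` run as alice is rejected with Forbidden, while `kubectl --as=alice --as-group=cluster-admins delete deployment foo` succeeds; kubectl sends the Impersonate-User and Impersonate-Group headers, and the API server's audit log records both the real user and the impersonated identity (the `impersonatedUser` field), so the elevation is explicit and attributable. Before relying on it, verify the boundary with `kubectl auth can-i delete deployments --as=alice --as-group=cluster-admins` (expect "yes") and `kubectl auth can-i delete deployments --as=alice --as-group=system:masters` (expect a Forbidden error, because that group is not in resourceNames).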
Copyright © 2019 The Cloud Security Reading List, All rights reserved.