Release Date: 13/10/2019 | Issue: 7
"The Cloud Security Reading List" is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

Knowing how difficult it is to stay up to date with all the different news and releases occurring in this industry, I hope this will be helpful for other people who are particularly interested in this corner of the security scenario.

This week's articles

  • Cloud Deployments at Netflix: Not strictly a blog post, but an insightful thread about real-world continuous cloud deployments.
  • How Cloudflare Thinks About Security: The talk itself is really good, but I think the added value here is the insight into their company-wide security culture.
  • Firekube - Fast and Secure Kubernetes Clusters Using Weave Ignite: Firekube is a new open source Kubernetes distribution that uses Weave Ignite to run Kubernetes on Firecracker. It is interesting to see how Firekube may also be seen as an alternative to KIND, using Ignite and GitOps.
  • CVE-2019-11253: Kubectl/API Server YAML parsing vulnerable to "Billion Laughs" Attack: CVE-2019-11253 is a YAML parsing vulnerability in the kube-apiserver that allows users to send malicious YAML payloads which cause the kube-apiserver to consume excessive amounts of CPU and memory, potentially crashing it and making it unavailable. Probably worth upgrading your clusters...
  • How we built a queryable Application Inventory: We all know a good inventory is at the base of every security program, so Sqreen decided to share the journey that led to the creation of their App Inventory and how they are bringing more security insights about micro-services/APIs/web apps in production.
  • policy_sentry: Writing security-conscious IAM Policies by hand can be very tedious and inefficient. That's why Salesforce released policy_sentry, an IAM Least Privilege Policy Generator, auditor, and analysis database, which aims to make it easier to write IAM Policies securely and to abstract away the complexity of writing least-privilege IAM policies.
  • Chamber: Chamber is a tool for managing secrets in AWS, which uses SSM Parameter Store as a backend.
  • AWS Firewall Manager Update – Support for VPC Security Groups: AWS updated their managed firewall service, which now finally allows you to define, manage, and audit organization-wide policies for the use of VPC Security Groups.
  • AWS ALB affected by HTTP Desync and Request Smuggling Attacks: Turns out that AWS CloudFront protects against HTTP Desync/Request Smuggling attacks, but ALB is still vulnerable. If the backend server sitting behind your AWS ALB does not have any defenses implemented, you are likely vulnerable.
Copyright © 2019 The Cloud Security Reading List, All rights reserved.