#security (2020-01)

Archive: https://archive.sweetops.com/security/

2020-01-30

Erik Osterman (Cloud Posse)
Severe ‘Perfect 10.0’ Microsoft Flaw Confirmed: ‘This Is A Cloud Security Nightmare’

This patched critical flaw is the first remote code execution threat to a major cloud platform, undermining the security layers that isolate shared resources.

Erik Osterman (Cloud Posse)

Scary a.f.

Erik Osterman (Cloud Posse)

his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs.

kskewes

Makes you wonder what the isolation mechanism is at Azure for FaaS. Shows how important Firecracker, gVisor, and others are… And that cold start isn’t going away, because we need these things and these things take time to start.

2020-01-29

Joe Presley

Not sure if I should ask this here or in #terraform. Does anyone have experience with https://github.com/eerkunt/terraform-compliance? I’m curious if Sentinel is the only available way to check Terraform code for compliance with security rules.

eerkunt/terraform-compliance

a lightweight, security focused, BDD test framework against terraform. - eerkunt/terraform-compliance

Erik Osterman (Cloud Posse)

@Joe Presley similar discussion came up recently

Erik Osterman (Cloud Posse)

let me find it.

Joe Presley

Thank you

Erik Osterman (Cloud Posse)
Terraform

Policy-based control for cloud native environments

Erik Osterman (Cloud Posse)

see the conversation surrounding this post

Joe Presley

Thanks for the heads up. That was one of the solutions the client pointed me to.

Erik Osterman (Cloud Posse)

Also, if you check out last week’s “office hours”, we talk a little bit about using the Open Policy Agent with Terraform.

Erik Osterman (Cloud Posse)

also @marcinw has a SaaS product that implements OPA

marcinw

That’s right @Joe Presley - https://spacelift.io - let me know if you’d like to give it a golang

marcinw
12:23:24 AM

@marcinw has joined the channel

Joe Presley

Awesome. Thanks a lot. That’s a huge help.

2020-01-27

Alex Siegman

Is there an equivalent to something like Teleport for ssh / kubectl access, but for access to SQL servers like Postgres and MySQL?

Erik Osterman (Cloud Posse)

That would be cool, but not really

Erik Osterman (Cloud Posse)

phpMyAdmin doesn’t count :-)

Erik Osterman (Cloud Posse)

(Ironically phone autocorrects that to “phony admin”)

Alex Siegman

If a web UI was what the interested parties needed, you could secure that up internally, put it behind SSO, etc. I was more hoping for a dynamic/audited tunnel for psql or other tools.

Erik Osterman (Cloud Posse)
shellhub-io/shellhub

ShellHub enables teams to easily access any Linux device behind firewall and NAT. - shellhub-io/shellhub

Erik Osterman (Cloud Posse)

(via DigitalOcean)

2020-01-24

Erik Osterman (Cloud Posse)
Store and manage sensitive data with Secret Manager | Google Cloud Blog

Secret Manager is a new GCP product that securely and conveniently stores API keys, passwords, certificates, and other sensitive data.

2020-01-15

Erik Osterman (Cloud Posse)
Security architecture anti-patterns

Six design patterns to avoid when designing computer systems.

2020-01-14

loren

Yeah that’s really bad