#security (2020-01)
Archive: https://archive.sweetops.com/security/
2020-01-13
Cable Haunt lets attackers take complete control when targets visit booby-trapped sites.
This is pretty scary. With the ability to overwrite DNS settings remotely, an attacker can easily set up phishing sites on any domain they choose.
2020-01-14
Yeah that’s really bad
2020-01-15
Six design patterns to avoid when designing computer systems.
2020-01-24
Secret Manager is a new GCP product that securely and conveniently stores API keys, passwords, certificates, and other sensitive data.
2020-01-27
Is there an equivalent to something like Teleport for ssh / kubectl access, but for access to SQL servers like Postgres and MySQL?
That would be cool, but not really
phpMyAdmin doesn’t count :-)
If a web ui was what the interested parties needed, you could secure that up internally, put it behind SSO, etc. Was more hoping for a dynamic/audited tunnel for PSQL or other tools
ShellHub enables teams to easily access any Linux device behind firewall and NAT. - shellhub-io/shellhub
(via digital ocean)
2020-01-29
Not sure if I should ask this here or in #terraform. Does anyone have experience with https://github.com/eerkunt/terraform-compliance? I’m curious if Sentinel is the only available way to check Terraform code for compliance with security rules.
a lightweight, security focused, BDD test framework against terraform. - eerkunt/terraform-compliance
let me find it.
Thank you
Policy-based control for cloud native environments
see the conversation surrounding this post
Thanks for the heads up. That was one of the solutions the client pointed me to.
Also, if you check out last week’s “office hours” we talk a little bit about using the Open Policy Agent with terraform
also @marcinw has a SaaS product that implements OPA
@marcinw has joined the channel
Awesome. Thanks a lot. That’s a huge help.
2020-01-30
This patched critical flaw is the first remote code execution threat to a major cloud platform, undermining the security layers that isolate shared resources.
Scary a.f.
his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs.
Makes you wonder what the isolation mechanism is at Azure for FaaS. Shows how important Firecracker, gVisor, and others are… And that cold start isn’t going away because we need these things and these things take time to start.