2024

October 07, 2024 Answering "Dumb Security Questionnaires"

Doing security well? Then here are some tricks for pushing through the security questionnaire quagmire.

September 19, 2024 πŸ”— [fwd:cloudsec] How to 10X Your Cloud Security (Without the Series D)
September 16, 2024 FinOps 🀝 Security

Cloud Security's overlap with FinOps benefits.

September 12, 2024 Scorecarding Security

A survey of approaches to scorecarding in security programs.

September 10, 2024 πŸ”— [Tracebit] The Security Canary Maturity Model
August 27, 2024 Industrial IAM Service Role Creation

A guide to tools for creating AWS IAM service roles.

August 16, 2024 An AWS IAM Security Tooling Reference [2024]

A guide to tools for auditing AWS IAM.

August 13, 2024 πŸ”— [Tracebit] Canary Infrastructure vs. Real World TTPs
July 31, 2024 Poisoning the SSM Command Document Well

Responsibly disclosing risks in using SSM Command Docs for software distribution.

July 30, 2024 Flying Prompt Airlines

A spoiler-heavy walkthrough of Wiz's promptairlines.com

July 23, 2024 πŸ”— [CrowdAlert] Tips for SOCLess Oncall
July 16, 2024 πŸ”— [Tracebit] A hard look at GuardDuty shortcomings
July 12, 2024 Thwacking DDOS with AWS WAF

AWS WAF is definitely not the best DDOS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.

July 09, 2024 πŸ”— [tweet] Minor security disclosure in RDS Snapshot Public Sharing
June 26, 2024 Publicly Exposed AWS SSM Command Documents

An analysis of the thousands of public SSM Command documents, including identification of secret leakage.

June 21, 2024 AWS OIDC Provider Enumeration

Expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.

June 18, 2024 πŸ”— [fwd:cloudsec] The Path to Zero Touch Production
June 12, 2024 πŸ”— [tl;dr sec] Sub-Venture Scale Security Problems
June 10, 2024 Building to Prevent Subdomain Takeovers

Four controls platforms can use when building a custom-domain feature to make it resilient to subdomain takeover down the road

June 05, 2024 πŸ”— [tl;dr sec] The Race to Make a Business of Secure Defaults
June 03, 2024 What happened to RASP?
May 29, 2024 πŸ”— [tl;dr sec] Don’t Security Engineer Asymmetric Workloads
May 28, 2024 πŸ”— [Venture in Security] Challenges in Security Engineering Programs
May 24, 2024 Publicly Exposed AWS Document DB Snapshots
May 15, 2024 πŸ”— [tl;dr sec] Wiring a Winning Security Organization
May 13, 2024 *AST and *SPM: Acquisition Magnets
May 01, 2024 πŸ”— [tl;dr sec] open source - prompt-injection-defenses
April 29, 2024 Semgrep for Terraform Security
April 25, 2024 Intentionally Leaking AWS Access Keys - GitLab
April 24, 2024 πŸ”— Security is a Team Sport
April 21, 2024 10 Things Your First Security Hire Shouldn’t Do
April 10, 2024 πŸ”— [tl;dr sec] open source - awesome-secure-defaults
April 10, 2024 πŸ”— [Venture in Security] Customer Love
April 01, 2024 Deciding on S3 Intelligent Tiering
February 25, 2024 The state of ABAC on AWS (in 2024)
February 14, 2024 Did your research: Prior Art for "15 ideas for cloud security research"

2023

December 09, 2023 Steampipe + Access Advisor
December 05, 2023 Quick Tip: Minimizing Terraformed SCPs
November 07, 2023 A History of Human Interaction Proofs
October 20, 2023 AWS SES Verification Phishing: A Fifth Way
August 03, 2023 Risk in AWS SSM Port Forwarding
July 25, 2023 Shipping RDS IAM Authentication (with a bastion host & SSM)
July 10, 2023 πŸ”— [tl;dr sec] How to securely build product features using AI APIs
June 12, 2023 πŸ”— [fwd:cloudsec] Beyond the AWS Security Maturity Roadmap
April 29, 2023 πŸ”— BSidesSF 2023 Panel (video)
April 20, 2023 πŸ”— [Return on Security] Signal v. Noise in the RSA Innovation Sandbox
March 29, 2023 A Guide to S3 Logging
March 07, 2023 Reducing Attack Surface with AWS Allowlisting
January 18, 2023 πŸ”— Startup Security Starter Pack
January 18, 2023 πŸ”— AWS Lambda Risks and Threats
January 17, 2023 AWS Could Do More About SSO Device Auth Phishing

2022

December 24, 2022 AWS Phishing: Four Ways
December 22, 2022 πŸ”— [Datadog Security Labs] A retrospective on public cloud breaches of 2022, with Rami McCarthy and Houston Hopkins
December 06, 2022 πŸ”— [tl;dr sec] StaffEng Security Stories
December 06, 2022 πŸ”— [tl;dr sec] Buying Security
November 23, 2022 πŸ”— Breach List Database
July 31, 2022 Removing sensitive data from a Github repository
June 04, 2022 Buying Security: Bibliography
May 15, 2022 OWASP DevSlop: AWS (Customer) Security Incidents [2022]
February 03, 2022 [Cedar] Defining Cedar's Security Values

2021

August 24, 2021 [tl;dr sec] Cloud Security Orienteering
August 08, 2021 [DEFCON Cloud Village] Cloud Security Orienteering

2020

November 14, 2020 [BSidesCT] Learning from AWS (Customer) Security Incidents
September 26, 2020 [BSides Boston] AWS Security - Easy Wins and Enterprise Scale
August 18, 2020 An AWS IAM Security Tooling Reference
July 11, 2020 πŸ”— [NCC Group] An offensive guide to the Authorization Code grant
July 03, 2020 Path to CCSK: Security Guidance v4 (Domains 1-7)
July 02, 2020 Path to CCSK: ENISA
April 28, 2020 Brandeis MS in Information Security Leadership
April 28, 2020 πŸ”— [NCC Group] The Extended AWS Security Ramp-Up Guide
April 18, 2020 $ git blame 4: Quitten/Autorize

2019

November 09, 2019 [BSidesCT] Building Castles in the Cloud: AWS Security and Self-Assessment
October 28, 2019 sadcloud: Templating cloud misconfigurations
October 20, 2019 [BASC] AWS Cloud Security Fundamentals
July 31, 2019 πŸ”— [NCC Group] Hardening Enterprise Chromebooks Part 3: Chrome Browser Configuration
July 31, 2019 πŸ”— [NCC Group] Hardening Enterprise Chromebooks Part 2: ChromeOS Hardening
July 29, 2019 πŸ”— [NCC Group] Hardening Enterprise Chromebooks Part 1: Baseline Security Posture
July 19, 2019 πŸ”— [NCC Group] One Thousand Misspelled Security Headers

2017

December 07, 2017 Methodology: Learn Android Application Security Testing
December 06, 2017 $ git blame 3: MobSF/Mobile-Security-Framework-MobSF
December 06, 2017 $ git blame 1: michenriksen/bucketlist
December 06, 2017 $ git blame 2: michenriksen/aquatone