2024

State of 'State of Cloud Security' Reports: Insights or Self-Owns?

Dozens of hours reading State of Cloud Security reports that I think miss the mark.

The First Security Hire Rule of Thumb

When should you hire that first security person?

Answering "Dumb Security Questionnaires"

Doing security well? Then here are some tricks for pushing through the security questionnaire quagmire.

FinOps 🤝 Security

Where cloud security overlaps with FinOps, and how each benefits from the other.

Scorecarding Security

A survey of approaches to scorecarding in security programs.

Industrial IAM Service Role Creation

A guide to tools for creating AWS IAM service roles.

An AWS IAM Security Tooling Reference [2024]

A guide to tools for auditing AWS IAM.

Poisoning the SSM Command Document Well

Responsibly disclosing risks in using SSM Command Docs for software distribution.

Flying Prompt Airlines

A spoiler-heavy walkthrough of Wiz's promptairlines.com.

Thwacking DDOS with AWS WAF

AWS WAF is definitely not the best DDoS mitigation tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.

Publicly Exposed AWS SSM Command Documents

An analysis of the thousands of public SSM Command documents, including identification of secret leakage.

AWS OIDC Provider Enumeration

Expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.

Building to Prevent Subdomain Takeovers

Four controls platforms can use when building a custom-domain feature to make it resilient to subdomain takeover down the road.

What happened to RASP?

2023

Steampipe + Access Advisor

A Guide to S3 Logging

2022

AWS Phishing: Four Ways
🔗 Breach List Database

2021

2020

Path to CCSK: ENISA

2019

2017