Why Your Team Should Be Using Just-in-Time Access
- Adam Buggia tl;dr: Least privilege in the cloud is hard, but progress can be made by taking a risk-based approach. Consider an attacker who obtained one of your developers’ credentials; what access would they have? By adding a temporal dimension to developer access policies, the attack surface can be significantly reduced for many security-breach scenarios. That’s where just-in-time access comes in. featured in #382
How To Completely Own An Airline In 3 Easy Steps
- Maia Arson Crimew tl;dr: "I had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it. I had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of results." featured in #382
I Scanned Every Package On PyPi And Found 57 Live AWS Keys
- Tom Forbes tl;dr: "This post outlines the way I scanned PyPi, showcases a project I’ve built that automatically scans all new PyPi releases to notify AWS of potentially leaked keys, presents some analysis of the keys I’ve found and draws a few conclusions at the end." featured in #379
Building Secure, Compliant Containers
- Elliot Volkman tl;dr: Containers are ideal for cloud-first organizations. However, as their use has grown, so have security incidents in container environments. Learn how to build secure containers that support business objectives. featured in #376
Accidental $70k Google Pixel Lock Screen Bypass
- David Schütz tl;dr: "I found a vulnerability affecting seemingly all Google Pixel phones where if you gave me any locked Pixel device, I could give it back to you unlocked. The bug just got fixed in the November 5, 2022 security update. The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain access to the user’s device." featured in #367
Without Prep, Even The Most Scalable And Reliable Developer Tools Can Be Hit With Outages
tl;dr: Get actionable tactics from the experts who built incident response frameworks for Snyk, PagerDuty, New Relic, Netflix, Chef, and Amazon at the DevGuild: Incident Response conference on Nov 15-17. Avoid costly outages - secure your free ticket. featured in #365
How To Prevent Secrets From Ending Up On Developer's Machines
- Ryan Blunden tl;dr: Even with environment variable storage offered by modern hosting platforms and secrets managers provided by every cloud, developers’ machines are still littered with secrets in unencrypted text files because local development was left out of the picture. Learn how to prevent secrets from ending up on developers’ machines. featured in #357