Cloud Security Podcast

Can Honeytokens be used in your supply chain security? Turns out we can! We spoke to Mackenzie Jackson ( @advocatemack ) from  @GitGuardian  about the benefits of using Honeytokens, which organisations can benefit from them and whats involved in deploying them and next steps once they are triggered. Episode YouTube: ⁠ ⁠⁠Video Link⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Mackenzie Jackson (⁠ @advocatemack ⁠) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (02:01) A bit about Mackenzie Jackson (02:37) What are Honeytokens? (03:35) Traditional threat detection (05:29) Honeytoken in action (07:02) Deployments for Honeytokens (09:46) Role of Honeytoken in Supply Chain (11:02) Deploying and managing Honeytokens (13:12) Incident response with Honeytokens (15:01) What companies should use Honeytokens? (16:05) What if the key is deleted ! Resources: You can find out more about Honeytokens & GitGuardian here! See you at the next episode!

Penetration Test of a Web Application hosted on Google Cloud in 2023 is quite different to just a simple/traditional web app pentesting.Cloud Penetration testing is misunderstood to be just config review in Google Cloud. In this video, we have Kat Traxler who is a cloud security researcher, SANS Course author and has worked in the Google Cloud space to even build open source tools that can be used to perform cloud security testing. Episode YouTube: ⁠ ⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Kat Traxler (⁠⁠ Kat Traxler's Linkedin ⁠⁠) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (04:17) A bit about Kat Traxler (05:56) Pentesting in GCP vs AWS (08:07) Config review vs cloud pentesting (09:24) Cloud pentest vs Traditional Pentest (10:28) Starting to do GCP pentesting (12:35) Common services used in GCP (14:10) Low hanging fruits in GCP (15:25) What are default service accounts? (17:52) You may already have google cloud (20:00) How to persist access in Google Cloud? (21:56) Shared responsibility in GCP (24:01) Common TTPs in GCP (28:05) Is there SSRF in GCP? (30:19) Open source tools for cloud pentest (33:59) Fun questions Resources that Kat shared during the episode The Google Cloud Adoption Framework Google Cloud Org Policy Bot GCAT Threat Horizons Report Pacu Microburst DeRF Stratus See you at the next episode!

Cloud Security Pentest is not just a Cloud configuration review ! Blackhat 2023 & Defcon 31 conversations included Cloud Security Podcast asking traditional and experienced pentesters about their opinion on cloud security pentesting and the divide was between it being a config review or a product pentest. For this episode we have Seth Art from Bishop Fox to clarify the myth. Episode YouTube: ⁠ ⁠Video Link⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Seth Art's Linkedin ⁠⁠⁠⁠⁠⁠(⁠⁠Seth Art Linkedin) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (05:17) A bit about Seth Art (06:44) Network vs Infrastructure Security Pentest (08:00) Internal vs External Network Security Pentest (10:26) Assumed vs Objective Based Pentest (12:51) Is network pentest dead? (14:04) How to approach network and cloud pentests? (20:12) Cloud pentest is more than config review (24:04) Examples of cloud pentest findings (30:07) Scaling pentests in cloud (32:25) Traditional skillsets to cloud pentest (36:58) A bit about cloudfoxable (39:31) Cloud pentest and Zero Trust (40:54) Staying ahead of CSP releases (44:31) Third party shared responsibility (47:35) 1 fun question (48:36) Boundary for cloud pentest (52:21) Last 2 fun questions These are some of the resources that Seth shared during the episode along with the tools he has created ⁠CloudFox CloudFoxable flAWS flAWS 2 iamvulnerable Cloud Goat See you at the next episode!

Google cloud hacking or pentesting is very different to other popular cloud service providers like aws or azure. In this episode we had Shannon McHale (Mandiant now Google Cloud) to talk about how she approaches pentesting a google cloud environment and how you can too. Episode YouTube: ⁠ Video Link⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Shannon McHale's Linkedin ⁠⁠⁠⁠(⁠Shannon's Linkedin⁠) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Questions A word from our sponsors - you can visit them on ⁠⁠⁠⁠⁠⁠⁠snyk.io/csp⁠⁠⁠⁠⁠⁠⁠ (00:00) Introduction (03:38) A bit about Shannon McHale (05:31) What is Red Teaming? (06:42) Red Teaming in the Cloud (07:50) Methodology behind Red Teaming (09:32) Pentesting in Goole Cloud (10:28) Low hanging fruits in Google Cloud (14:36) GCP storage (16:09) Red Team Assessment in Google Cloud (17:08) The importance of Metadata (18:17) Recommendations for Blue Teamers (22:03) How to get started in Red Teaming? (26:06) Tools or Research that stood out for Shannon (27:42) GCP Resources that can be exposed (29:15) Resources to learn about Cloud Red Teaming (30:37) The Fun Questions These are some of the resources Shannon found helpful to learn about Pentesting in Cloud along with her own GitHub link HackTricks for GCP Littlehack3r See you at the next episode!

CISOs in organizations that are going through digital transformation have a responsibility of educating the board on how Cloud Security is measured and improved on to manage the risk posture of the organization. We had Phil Venables, CISO of Google Cloud share from his experience of serving as a CISO for so many years on how to best share cybersecurity and cloud security metrics with the c-suite and the board. ⁠⁠Episode YouTube Video Link⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠) Guest Socials: Phil Venable's Linkedin ⁠⁠(Phil's Linkedin) Podcast Twitter - ⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠ - ⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Questions A word from our sponsors - you can visit them on ⁠⁠⁠⁠⁠⁠snyk.io/csp⁠⁠⁠⁠⁠⁠ (00:00) Introduction (03:02) A bit about Phil Venables (04:17) Are boards talking about Cloud Security? (05:47) Security Metrics to show to the board (07:48) Are Security Metrics seasonal? (10:23) Aligning security metrics to business goals (13:59) Educating the board about Cloud Security (15:50) CISOs should be braver (18:42) 3 Security Metrics to start with (25:25) Setting the risk appetite as a organisation (27:11) Essential attributes for a CISO (29:14) What makes a successful security program? (32:18) Skillsets required to become a CISO (36:49) The fun questions See you at the next episode!

Google Cloud Security Assessment from a pentester's lens. Anjali from NotSoSecure will be sharing her research into Google Cloud IAP & finding ways to assess the use of Google Cloud IAP in your environment and what are some of the low hanging fruits that you can remove today to reduce any potential risk from the service to your Google Cloud environment. Episode YouTube Video Link Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠) Guest Socials: Anjali S's Linkedin (Anjali S) Podcast Twitter - ⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠ - ⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Questions A word from our sponsors - you can visit them on ⁠⁠⁠⁠⁠snyk.io/csp⁠⁠⁠⁠⁠ (00:00) Introduction (04:31) A bit about Anjali Shukla (05:23) What is GCP IAP? (07:18) Why is IAP so important? (09:55) IAP and Identity Federation (11:34) SSH vs Jump Box (13:57) GCP IAP vs AWS Cognito (16:22) Misconfigurations in GCP IAP (23:17) Potential security scenarios (25:45) Cloud Security Assessment in GCP (28:13) Doing your own cloud security assessment (30:49) The Fun Questions See you at the next episode!

AWS Landing zones are well known but not as much in the Google Cloud space. In this episode we have Jimmy Barber shares how controls can be automated in GCP to create landing zone to manage security across a large google environment. Episode YouTube Video Link Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠) Guest Socials: Jimmy Barber's Linkedin Jimmy Barber Podcast Twitter - ⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠ - ⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Questions A word from our sponsors - you can visit them on ⁠⁠⁠⁠⁠snyk.io/csp⁠⁠⁠⁠⁠ (00:00) Introduction (03:10) A bit about Jimmy Barber (05:42) Transitioning from on-prem to cloud (07:26) How are things different in GCP? (09:01) Building blocks of working with GCP (14:15) What is a landing zone in GCP? (17:23) Building landing zone in existing GCP environments (20:04) Using Cloud Native services vs others (22:59) Security gaps in GCP (25:15) Non technical challenges moving to cloud and GCP (28:45) Doing security in GCP (31:18) Where to start learning about GCP (32:37) The Fun Section These are some of the resources Jimmy found helpful when learning GCP Security Google Cloud Training See you at the next episode!

Cloud Security Podcast - Yes - AWS Cloud folks are starting to look after Google Cloud security now in a lot of organisations. Caleb Tennis from Sequoia Capital joins us to share his personal experience on how from being an AWS professional he started looking after Google Cloud Identity and how to secure their Google Cloud Environment. Episode YouTube Video - https://youtu.be/k1FrVEe1tGc Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠) Guest Socials: Caleb Tennis's Linkedin Caleb Tennis⁠ Podcast Twitter - ⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠@CloudSecureNews⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠ - ⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Questions A word from our sponsors - you can visit them on ⁠⁠⁠⁠⁠snyk.io/csp⁠⁠⁠⁠⁠ (00:00) Introduction (04:51) A bit about Caleb Tennis (07:27) Caleb's first impressions of GCP (08:53) Google Cloud Blind Spots (12:35) Where to start security GCP? (15:23) Managing identities in GCP (20:17) Temporary Credential in Google Cloud (24:54) Managing identity with scale (29:59) Is there enough Google Cloud Usage (31:14) Google Cloud logging and monitoring (35:48) What does Scale look like in Google Cloud? (37:53) Hardest things to learn in GCP (41:08) Learning GCP Security (42:58) The Fun Section See you at the next episode!

Cloud Security Podcast - Cybersecurity Threat hunting explained for Google Cloud. Day Johnson is a threat detection engineer and in this episode of Cloud security for Google Cloud security we spoke about how to start doing threat detection in Google Cloud, the common threats and attack vectors in GCP Episode YouTube Video - https://youtu.be/FCVG7-lFu0Q Host Twitter: Ashish Rajan (⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠) Guest Socials: Day Johnson's Linkedin (Day - Linkedin⁠) Podcast Twitter - ⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠ ⁠⁠⁠⁠@CloudSecureNews⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠Cloud Security Newsletter  - ⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠ Spotify TimeStamp for Interview Questions A word from our sponsors - you can visit them on ⁠⁠⁠⁠snyk.io/csp⁠⁠⁠⁠ (00:00) Introduction (02:37) A word from our sponsor snyk.io/csp (03:11) A bit about Day Johnson (04:12) Common Threats in GCP (06:04) Starting Threat Detection in GCP (07:57) Transitioning to GCP from AWS (10:53) Threat modelling by Service (14:27) Where to start with threat detection in GCP (18:17) Common Threat Vectors in GCP (21:53) Automatic Threat Detection (23:13) Services to be mindful of (26:10) Compute Image Creation (28:07) Get started in Detection Engineering (32:45) Helpful resources for Threat Detection (36:00) The fun questions These are some of the resources Day found helpful for threat detection in GCP along with some resources he mentioned + his talk GCP IAM Docs GCP Goat Day's talk on fwd:cloudsec Google Cloud Threat Research Report See you at the next episode!

Cloud Security Podcast -  AWS Network Security, IAM Security or even Organization security for what can happen in your AWS Environments can be achieved using Data perimeter. John Burgress (⁠John - Linkedin⁠⁠⁠⁠) from Stripe spoke about this topic at  @fwdcloudsec  and shared additional insights on the thinking he had when building data perimeters are guardrails. There were lot more gems dropped so def check out the episode. Episode YouTube Video - https://youtu.be/Hs9ZEaVG7Ww Host Twitter: Ashish Rajan (⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠) Guest Socials: John Burgress (John - Linkedin⁠) Podcast Twitter - ⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠ ⁠⁠⁠⁠@CloudSecureNews⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠Cloud Security News ⁠⁠⁠⁠ - ⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠ Spotify TimeStamp for Interview Questions A word from our sponsors - you can visit them on ⁠⁠⁠⁠snyk.io/csp⁠⁠⁠⁠ (00:00) Introduction (03:13) A word from our sponsors (03:38) A bit about John Burgess (04:26) Data perimeter in the Cloud (05:10) Defining data perimeter in AWS (06:50) Where to start building AWS data perimeter (08:21) The defense in depth approach 09:09 Approach to enable developers (10:40) Starting point for building data perimeter (11:41) Limitations with Data Perimeter (13:06) Implementing data perimeter for segregation (15:52) Working with Terraform Modules (16:34) Goals behind data perimeter controls (18:31) Proactive detection for third party (20:00) Data perimeter for other CSPs (20:42) Challenges in establishing data perimeter (23:06) Dealing with multiple organisations (23:35) Learn more about data perimeter (24:06) The fun section These are some of the resources John found helpful for data perimeter: Establishing a Data Perimeter on AWS: Overview Data Perimeter Policy ExamplesNetflix: Preventing Credential Compromise See you at the next episode!