Cloud Security Podcast

Cloud Security Podcast - If Hacking the Cloud is on your mind for 2023 then in this "Breaking the AWS Cloud" month we are kicking things with Nick Frichette (Nick's Linkedin), a Senior Security Researcher from DataDog who is also maintains the site Hacking the Cloud linking offensive security research for AWS, Azure, GCP. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Nick Frichette (Nick's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Introduction (02:38) snyk.io/csp (03:26) A bit about Nick   (04:15) How is Security research different? (05:55) How to approach cloud security research? (07:24) How to pick the service you want to research? (08:51) What is AWS AppSync? (09:30) What is Confused Deputy Vulnerability? (10:16) The AppSync Vulnerability (12:09) Cross Account in AWS (13:41) Blue Teaming Controls when doing research (14:22) Framework for detective controls (16:01) What to do if you find an AWS vulnerability? (17:20) Legal constraints of security research (20:13) Where to get started in Cloud Security Research? (22:45) Are some misconfigurations becoming less common? (24:59) What is IMDSv2 and how is it different to IMDSv1? (27:00) Why is SSRF bad? (28:52) Cloud Pentesting Platforms (29:57) The story being hacking the cloud (31:25) Who should think about breaking the cloud? (34:02) Cloud Security Research Tools (36:38) How to access AWS environment for research? (39:12) Security Lab Resources   (40:04) The Fun Questions See you at the next episode!

In this episode of the Virtual Coffee with Ashish edition, we spoke with Shilpi Bhattacharjee (Cloud Security Podcast, Producer). We spoke about Announcements from AWS Reinvent for - new security products announced, updates to existing security products, security addition to existing products and products to lookout for.  Podcast Link with favourite Talks, Product launch details and more: https://snyk.io/blog/cloud-security-updates-reinvent-2022/  --Announcing Cloud Security Villains Project-- We are always looking to find creative ways to educate folks in Cloud Security and the Cloud Security Villains is part of this education pieces. Cloud Security Villains are coming, you can learn how to defeat them in this YouTube Playlist link Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Shilpi Bhattacharjee (Cloud Security Podcast, Producer) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions

In this episode of the Virtual Coffee with Ashish edition, we spoke with Justin Garrison (Personal Website) from AWS to talk about what scenarios make sense to choose AWS EKS vs AWS ECS vs AWS Fargate vs bare metal Kubernetes & everything you need to understand for implementing AWS EKS in your environment. --Announcing Cloud Security Villains Project-- We are always looking to find creative ways to educate folks in Cloud Security and the Cloud Security Villains is part of this education pieces. Cloud Security Villains are coming, you can learn how to defeat them in this YouTube Playlist link Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Justin Garrison (Personal Website) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00 introduction (02:31 snyk.io/csp (03:10 Justin's path into Tech (08:14) What is AWS EKS? (10:32) EKS vs ECS vs Fargate (14:52) Why pick EKS vs ECS vs Fargate? (23:05) Security Kubernetes API vs on-prem deployment? (34:26) What's involved in deploying EKS? (38:50) EKS clusters when scaling Kubernetes (42:52) How clusters are structured? (47:02) Cluster availability when upgrading (49:00) Why people struggle with EKS? (51:31)  How can people learn more about EKS? (52:57) The Fun Section

In this episode of the Virtual Coffee with Ashish edition, we spoke with Ashish Desai (Ashish Desai's Linkedin) about how much of the on-premise can work in Cloud, what the online world is saying versus the reality of what businesses are experiencing. --Announcing Cloud Security Villains Project-- We are always looking to find creative ways to educate folks in Cloud Security and the Cloud Security Villains is part of this education pieces. Cloud Security Villains are coming, you can learn how to defeat them in this YouTube Playlist link Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:   Ashish Desai (@ashishlogmaster) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Intro (05:50) Ashish Desai's Professional Background (06:21) Academic Freedom and no firewall (07:12) What are the roles and responsibilities of an AWS cloud security architect? (09:27) Difference between managing permissions between onpremise vs Cloud service provider (13:02) Running Windows 2003 on AWS EC2 Bare Metal (13:28) Running Old Virtual Servers on AWS (14:13) Cloud is secure by default (14:54) CI/CD with Github and Terraform is not common (15:28) Do people use CI/CD? (15:37) Traditional on-premise staff is your new cloud engineer (16:50) Business are not fully advanced (17:47) Failed Kubernetes Deployment in production example (18:45) Managed and Bare Metal Kubernetes can only maintain 1 replica (19:10) What is 1 replica in Kubernetes? (20:36) Problem with stateful app running on Kubernetes (21:35) Change Management in Cloud (21:57) Deployment phases in Cloud (22:34) Why was ServiceNow required? (24:39) Why ServiceNow couldn't keep up? (26:33) Native Solutions bypass Change Management (28:43) Role of Security Architect in a New Cloud World (29:53) DevExperience is holding Cloud Adoption success (32:08) CyberProfessionals to know atleast 1 language to be succesful (32:27) Do Architect need to know how to code in Enterprise context? (33:24) Knowing Code to understand the lay of the land (35:22) Has the Architecture Frameworks changed in the Cloud world? (37:15) What other skillsets outside of coding is required to be successful in Cloud (39:54) Should we care about being Cloud agnostic? (40:41) Architecture for Operational side of Cloud Security? (43:51) Practical things for advancing Cloud skills? (48:36) Can anyone come out of uni and become a Cloud Security Architect (50:32) Resources for education on Cloud security architects (51:36) Fun Section

In this episode of the Virtual Coffee with Ashish edition, we spoke with Kat Traxler (Kat's Linkedin) about the skillset, certification and knowledge base required to become a cloud security architect in 2023.  Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:   Kat Traxler (Kat's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:28) https://snyk.io/csp (02:46) A bit about Kat  (05:35) What does a security architect do? (06:46 )The difference in the Cloud Security Architect role (11:08) The building blocks of building an application in AWS (13:41) Are there DMZs in Cloud Architecture? (15:54) Cybercriminal and Cloud exploitation  (19:04) How to keep with rapid changes in cloud? (20:08) AWS pre:invent update (21:39) Why is IAM important in Cloud? (25:03) Do cloud security architects need to know coding and automation? (27:38) How important are certifications? (31:49) Getting in cloud security with no experience (33:41) What are important skills for architect? (35:33) SANS certifications for Cloud Security Architects (37:04) How important is ist to have multi cloud knowledge (40:44) Frameworks to build cloud architecture  (42:59) Do you need to know software development? (44:19) Roadmap to become a cloud security architect (45:32) What is the most difficult thing related to architecture? (49:32) The Fun Section 

In this episode of the Virtual Coffee with Ashish edition, we spoke with Rodrigo Montoro (Rodrigo's linkedin) about threat modelling and incident response involving the uncommon AWS services which still may be widely used in your organisation and increase your attack surface.  Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:   Rodrigo Montoro (Rodrigo's linkedin)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:10) https://snyk.io/csp (03:19) A bit about Rodrigo (04:37) Detection in On-Premise (06:51) The role of API in Cloud (08:06) Common Services in AWS (15:22) Managing unused services (17:38) Incident response for AWS Appstream ? (20:57) integration of services with Cloudtrail (27:14) AWS Pass role (31:38) Incident Response for services (34:00) Pre-signed URL (36:23) How to get started in AWS threat detection? (39:10) Where can people learn more about this? (41:37) How to do AWS threat detection at Scale? (43:30) The Fun Section

In this episode of the Virtual Coffee with Ashish edition, we spoke with Nandesh Guru (Nandesh's Linkedin) about ransomware and supply chain attack mechanisms in AWS and how the world of CSPM have evolved to address the increasing complexities of cloud security  Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Nandesh Guru (Nandesh's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:09) https://snyk.io/csp (03:11 )A bit about Nandesh  (05:01) 4 Components of Supply Chain Risks (06:47)Example of AWS Supply Chain Attack  (10:08) Evaluating code scanning tools  (12:30) What is ransomware? (13:06) Ransomware in AWS  (14:55) Attacks on encryption in AWS (19:27) What is a CSPM? (20:46) The role of CSPM and CNAPP in supply chain attacks (22:56) Is CIS Benchmark still a good starting point? (26:38) The evolution of CSPMs (29:47)  Complexity of Cloud Security  (32:59)Where can you learn more about supply chain risks? (33:50) Fun Questions

In this episode of the Virtual Coffee with Ashish edition, we spoke with Christophe Parisel (Christophe's Linkedin) about what how to transition from being a technical architect on premise to a cloud security architect and then a cloud native security architect. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Christophe Parisel (Christophe's Linkedin)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:21) https://snyk.io/csp (03:18) A little bit about Christophe (05:08) What is Cloud Native? (07:27) Why Cloud Native is important? (09:34) Responsibilities of Cloud Native Architect (13:15) Solution Architect vs Cloud Native Architect (15:32) Culture to move into Cloud Native Environment (18:09) Designing an application in Cloud (21:41) Designing an application using Kubernetes Cluster (24:39) Learning Kubernetes as an Architect (28:09) Common services people should standardise (31:50) Frameworks for Kubernetes Architecture (34:06) Logging with Kubernetes at Scale (38:24) Challenge with transitioning to Cloud Native Security Architect (39:43)Should we trust the cloud? (43:37) Bottlerocket in Kubernetes (46:00) Certifications for Cloud Native Security Architect

In this episode of the Virtual Coffee with Ashish edition, we spoke with Jim Bugwadia (Jim's Twitter) about policy management and compliance as code for Kubernetes and how you can use open source tools like Kyverno and OPA for policy management Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Jim Bugwadia (Jim's Twitter)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (03:20) https://snyk.io/csp (05:23) What is Kubernetes Control Plane? (06:51) What is an admission controller? (08:01) What do you need policy management in Kubernetes? (10:13) Pod Security and Policy management (11:57) Policy Management in Managed Kubernetes (13:54) Scaling Policy Management for Kubernetes (19:34) Common use cases for policy management (25:30) Compliance in Kubernetes (32:04) Levels of Maturity in Kubernetes Policy Management (36:47) Future of policy as code (38:46) Kyverno vs OPA (43:39) Kyverno vs gatekeeper (45:15) Where to start with policy management? (46:11) Where you can find Jim

In this episode of the Virtual Coffee with Ashish edition, we spoke with Luke Hinds (Luke's Twitter) the open source Sigstore project and how it is helping with software signing and protecting the software supply chain Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter:  Luke Hinds (Luke's Twitter)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (01:39) https://snyk.io/csp (05:21) What is the software supply chain and why is it important? (08:20) Common supply chain attacks in Kubernetes (09:53) Codecov attack (11:14 )Kubernetes and API (14:10) Vulnerability scanning tools (16:38) Explaining the importance of supply chain security (19:19) What is a signing service (19:56 )The SLSA framework (20:42) Importance of signing service (23:35) What is Sigstore? (27:57) What is Lets Encrypt (31:48) The aim of sigstore (34:39) What is Co-Sign (36:40) Co-Signing and non-repudiation (46:29) Where to start