Cloud Security Podcast

Learn about the essential skills needed to excel as a Cloud Hacker in 2023, including identity, cloud infrastructure security, CI/CD security, preventative security, and data security. Gain insights from DEFCON 31 and discover the key focus areas for Red teamers. Discuss the challenges CSOs face in managing identity and access in cloud security. Explore the importance of data security skills for Cloud Hackers and the complexity of cloud security. Uncover the various skills crucial for a cloud hacker, including static analysis, infrastructure testing, and CI/CD security.

Michael Piacente, security executive recruiter for Lyft, Instacart, and Airbnb, discusses the rise of Cloud Native CISOs and the skills needed to succeed in this role. They explore different leadership roles in security, compensation for CISOs, protecting oneself in the role, changing responsibilities, and the importance of personal branding. Overall, it provides valuable insights for aspiring Cloud Native CISOs.

Understanding Software Supply Chain security threats for Terraform which has been the default for Infrastructure as Code is important. in this episode Mike Ruth is sharing his experience of working on securing Terraform Cloud/Terraform Enterprise - no open source was harmed in the making of this episode. Episode YouTube: ⁠⁠⁠ ⁠⁠⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Mike's Linkedin (⁠⁠Mike Ruth) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (03:27) A bit about Mike Ruth (04:01) What is Terraform? (05:38) Terraform in the context of supply chain (07:24) Flavors of Terraform (09:07) Deploying Terraform (12:25) Terraform Architecture (14:48) Research findings that Mike and Oca made (25:52) Securing Terraform Architecture (28:13) Policy Enforcement (29:13) What is a Module? (30:15) Security best practices for Terraform Deployment (31:53) Learning about Terraform security (34:44) Maturity for Terraform (37:45) The Fun Questions Mike spoke about Terraform Cloud Security Model during the interview. See you at the next episode!

DSPM or Data Security Posture Management with Yotam Segev from Cyera: Most security teams have known about data challenges in their organization and some of them are put in the too hard to solve right now bucket. Yotam came on the show to talk about who should own and manage data security programs and what can a data security roadmap look like for leaders who are working on the data problem today. Episode YouTube: ⁠⁠⁠ ⁠⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Yotam's Linkedin (⁠Yotam Segev⁠⁠) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (04:32) Why is data security getting attention? (05:46) How was data security done before? (06:43) Cloud native way of managing data (07:31) What triggers a data security project? (08:35) At what stage should you start data security? (10:06) Challenges with starting data security projects (13:02) What does success look like? (15:02) Does the CISO own data security? (16:03) The right skill set for data security See you at the next episode!

Harshil Parikh, CISO experience on code to cloud and cloud to code. What should CISOs prioritize? How different sectors are impacted. Application vs Cloud vs Product Security. Is application security becoming cloud security? What does maturity look like?

Former CISO of Block and current CISO of GitLab, Josh Lemos, shares his journey from pentesting to becoming a CISO. Topics discussed include cloud security, AI/ML, CISO roadmap for 2023, takeaways from BlackHat CISO Summit, hardware vs software security, skills needed to be a CISO, and cloud pentesting.

Karl Fosaaen, the author of Penetration Testing "Azure for Ethical Hacker" and the VP of Research at NetSPI, came as a guest to share why the penetration Test of a Web Application hosted on Azure Cloud in 2023 is quite different to just a simple/traditional web app pentesting and the skills you need to pentest Azure environments. Cloud Penetration testing is misunderstood to be just config review in Microsoft Azure Cloud just like in AWS and Google Cloud. In this video, we have Karl Fosaaen was kind enough to answer the following questions and methods. Episode YouTube: ⁠ ⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Karl's Linkedin (⁠⁠⁠⁠Karl Fosaaen) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (02:32) A bit about Karl Fosaaen (03:26) How is pentesting in Azure different from AWS? (04:35) Cloud pentesting is not just config review (05:42) Cloud pentesting vs Network pentesting (06:25) Cloud Pentest - Next evolution of Network Pentest? (07:14) Boundaries of cloud pentesting (09:07) Do you need prior approval for Azure Pentest? (09:32) Working with Microsoft Security Research Centre (10:35) Process of pentesting in Azure (11:57) Low hanging fruits to start off with! (13:37) How to persist and escalate? (14:58) Managed Identities in Azure (16:23) Impact of peripheral services to Azure (18:33) Scale of deployments in Azure (21:02) Getting access to permissions for Azure Entra (22:36) Scaling your pentest tools (23:34) TTPs or Matrix you can use (25:30) Getting into Azure Pentesting (26:56) Transitioning from network to azure pentesting (28:37) Connect with Karl Resources: The NetSPI Blog to learn more about offensive cloud security Mitre - Cloud Attack Matrix ATRM Karl's Book - Penetration Testing Azure for Ethical Hackers: Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments See you at the next episode!

Can Honeytokens be used in your supply chain security? Turns out we can! We spoke to Mackenzie Jackson ( @advocatemack ) from  @GitGuardian  about the benefits of using Honeytokens, which organisations can benefit from them and whats involved in deploying them and next steps once they are triggered. Episode YouTube: ⁠ ⁠⁠Video Link⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Mackenzie Jackson (⁠ @advocatemack ⁠) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (02:01) A bit about Mackenzie Jackson (02:37) What are Honeytokens? (03:35) Traditional threat detection (05:29) Honeytoken in action (07:02) Deployments for Honeytokens (09:46) Role of Honeytoken in Supply Chain (11:02) Deploying and managing Honeytokens (13:12) Incident response with Honeytokens (15:01) What companies should use Honeytokens? (16:05) What if the key is deleted ! Resources: You can find out more about Honeytokens & GitGuardian here! See you at the next episode!

Penetration Test of a Web Application hosted on Google Cloud in 2023 is quite different to just a simple/traditional web app pentesting.Cloud Penetration testing is misunderstood to be just config review in Google Cloud. In this video, we have Kat Traxler who is a cloud security researcher, SANS Course author and has worked in the Google Cloud space to even build open source tools that can be used to perform cloud security testing. Episode YouTube: ⁠ ⁠⁠⁠Video Link⁠⁠⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Kat Traxler (⁠⁠ Kat Traxler's Linkedin ⁠⁠) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (04:17) A bit about Kat Traxler (05:56) Pentesting in GCP vs AWS (08:07) Config review vs cloud pentesting (09:24) Cloud pentest vs Traditional Pentest (10:28) Starting to do GCP pentesting (12:35) Common services used in GCP (14:10) Low hanging fruits in GCP (15:25) What are default service accounts? (17:52) You may already have google cloud (20:00) How to persist access in Google Cloud? (21:56) Shared responsibility in GCP (24:01) Common TTPs in GCP (28:05) Is there SSRF in GCP? (30:19) Open source tools for cloud pentest (33:59) Fun questions Resources that Kat shared during the episode The Google Cloud Adoption Framework Google Cloud Org Policy Bot GCAT Threat Horizons Report Pacu Microburst DeRF Stratus See you at the next episode!

Cloud Security Pentest is not just a Cloud configuration review ! Blackhat 2023 & Defcon 31 conversations included Cloud Security Podcast asking traditional and experienced pentesters about their opinion on cloud security pentesting and the divide was between it being a config review or a product pentest. For this episode we have Seth Art from Bishop Fox to clarify the myth. Episode YouTube: ⁠ ⁠Video Link⁠⁠⁠⁠ Host Twitter: Ashish Rajan (⁠⁠⁠⁠⁠⁠⁠⁠@hashishrajan⁠⁠⁠⁠⁠⁠⁠⁠) Guest Socials: Seth Art's Linkedin ⁠⁠⁠⁠⁠⁠(⁠⁠Seth Art Linkedin) Podcast Twitter - ⁠⁠⁠⁠⁠⁠⁠⁠@CloudSecPod⁠⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - ⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠ - ⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp⁠⁠⁠⁠⁠⁠⁠⁠ Spotify TimeStamp for Interview Question (00:00) Introduction (05:17) A bit about Seth Art (06:44) Network vs Infrastructure Security Pentest (08:00) Internal vs External Network Security Pentest (10:26) Assumed vs Objective Based Pentest (12:51) Is network pentest dead? (14:04) How to approach network and cloud pentests? (20:12) Cloud pentest is more than config review (24:04) Examples of cloud pentest findings (30:07) Scaling pentests in cloud (32:25) Traditional skillsets to cloud pentest (36:58) A bit about cloudfoxable (39:31) Cloud pentest and Zero Trust (40:54) Staying ahead of CSP releases (44:31) Third party shared responsibility (47:35) 1 fun question (48:36) Boundary for cloud pentest (52:21) Last 2 fun questions These are some of the resources that Seth shared during the episode along with the tools he has created ⁠CloudFox CloudFoxable flAWS flAWS 2 iamvulnerable Cloud Goat See you at the next episode!