Brandon Evans

Nashville, Tennessee, United States
5K followers 500+ connections

About

I help organizations secure their applications and other workloads in cloud environments,…

Education

  •  Graphic

    Summa Cum Laude

    -

    Activities and Societies: Debate Team, attended events of the Association for Computing Machinery

    Executive Vice President and Software Developer for the Speech and Debate Team. Cross Examination Debate Association All-American and Summa Cum Laude Debate Scholar. Student Association representative.

  • -

    -

    Activities and Societies: Debate Team

    Presented on web template systems at the Celebrating Scholarship Conference. President of the Debate Team. Studied abroad at Cambridge University during a summer session. 1 year study of Russian. Drummer of a local band.

Volunteer Experience

  • Lead Developer - Hack for the Community 2018

    McNeilly Center for Children

    - 5 months

    Education

    Asurion sponsors Hack for the Community, a 36-hour event where professionals from various Nashville companies come together to create minimally-viable software products for one of the participating non-profits. I served as the technical lead for a team of 12 dedicated to the McNeilly Center for Children, an organization that provides affordable education to children of low-income families.

    We created an application called the Contact Portal (see under the projects section) and received the Dedication Award for being the first team in and last team out on both days of the event. Over the following months, myself and a few of the other volunteers put the finishing touches on the Contact Portal and deployed it to production, where it is currently being used by the non-profit. We have also, with the McNeilly Center's permission, made our source code available to other non-profits with similar needs.

    To learn more about Hack for the Community, you can watch this promotional video, which we were featured in: https://vimeo.com/267464197

  • Volunteer Coach

    Vanderbilt University Debate Team

    - 4 years 4 months

    Education

Publications

  • 2024 Cloud Security Trends and Predictions - Wait Just an Infosec

    SANS Institute

    Is Your Cloud a Fort or a Target? ☁️

    In this 2nd of a 4 part series in January on 2024 Trends and Predictions, SANS Certified Instructor and cloud security champion, Shaun McCullough, joins us as guest host to discuss his 2024 cloud security trends and predictions.

    Shaun is joined by guests Brandon Evans and Eric Johnson to talk cloud security trends and predictions through the lens of their vast experience with and knowledge of cloud attack techniques, monitoring, and threat detection.

    Leave a comment below: What's your biggest cloud security concern for 2024?

  • Configuring the Future: Addressing Network and Configuration Risks in Modern Cloud Security

    SANS Institute

    The evolution of cloud technologies has ushered in a new era of opportunities, but with it comes a unique set of challenges, particularly in the realms of configuration and network security. This talk will shed light on the modern practices and strategies essential for safeguarding cloud environments against configuration missteps and network vulnerabilities. We'll dissect real-world scenarios where configuration errors led to breaches and delve into network risks that are often overlooked. By exploring tools, protocols, and best practices, attendees will gain insights into fortifying their cloud infrastructures. Join us on this journey through the intricacies of cloud security, ensuring that your organization remains resilient in the face of ever-evolving threats.

  • Securely Integrate Multicloud Environments with Workload Identity Federation

    SANS Institute

    Organizations are becoming multicloud by choice or by chance. Many of them integrate their multiple clouds with one another to improve Availability, support Disaster Recovery, and leverage the services from each provider that best fits their needs. These integrations are usually supported with long-lived credentials. These credentials are much more valuable to attackers than those that are short-lived. Even following best practices will leave your multicloud environments less secure than their single-cloud counterparts.

    Join Eric Johnson and Brandon Evans as they destroy these long-lived credentials in the Big 3 cloud providers using Workload Identity Federation. They will show how Cloud Security Engineers can securely authenticate from one cloud provider to another using short-lived, automatically rotating tokens that cannot be (ab)used in any other context. The session will conclude with a demonstration of a real multicloud web application that leverages these techniques to securely upload user data to Amazon S3, Azure Storage, and Google Cloud Storage.

    Learning Objectives:
    - Learn why organizations are choosing to integrate their multiple cloud environments together.
    - Examine the risk posed by using long-lived credentials.
    - Evaluate the benefits and limitations of following best practices with long-lived credentials.
    - Observe integrations from AWS to GCP, from Azure to AWS and GCP, and from GCP to AWS and Azure.
    - Understand why AWS cannot access resources in Azure without transmitting powerful Azure credentials to AWS.
    - Access an open-source project to bootstrap your secure multicloud integrations.

  • Cloud Security Foundations, Frameworks, and Beyond

    SANS Institute

    Multicloud is a reality for organizations of all sizes. As a result, security leaders need to build capabilities and expertise for any cloud provider that the business chooses. How can security professionals get a handle on this complex world of cloud security?

    For the first time, in this book, we have security leaders from the three major cloud providers – Amazon Web Services (AWS), Microsoft Azure, Google Cloud – along with independent technical experts from SANS Institute sharing where cloud security has been, mistakes that have been made along the way, and what the future may hold.

    The book covers foundational principles and strategies for cyber defense to mitigate risk. A key part of this is understanding the myths, missteps and best practices that arise in cloud migration. As organizations mature, a more comprehensive plan is also required. This is where Zero Trust provides important architectural principles for modern security capabilities. Looking forward even further, artificial intelligence (AI) promises to help improve our cloud security posture and ability to respond to threats even more effectively.

    As you go through this book I suggest using it as a guide. Know that there will be many twists and turns on your journey but, by leveraging the practices introduced here, you can get a handle on cloud security.

  • Cloud Agnostic or Devout? How Cloud Native Security Varies in EKS/AKS/GKE

    RSA Conference

    Building apps for one environment is hard, but rewriting them to run elsewhere is a nightmare. An increasing number of organizations are using containerization to solve this problem, creating portable runtimes that are "identical" on-prem and in the cloud. In theory, "cloud native" technologies like containers and Kubernetes (K8s) should enable teams to implement security controls that are effective regardless of the environment in which their "cloud agnostic" microservices are running.

    However, in reality, the security of containers greatly depends on the K8s engine used. Each of the Big 3 Cloud providers has its own engine flavor: Amazon's Elastic Kubernetes Service (EKS), the Azure Kubernetes Service (AKS), and the Google Kubernetes Engine (GKE). The same K8s cluster can be secure in one environment and insecure in another. Even though K8s was designed by Google, GKE has such significant security pitfalls that a deployment with the default settings can result in the total compromise of the organization's entire Google Cloud Platform account!

    Guided by The Center for Internet Security's benchmarks and his own experience in the field, Brandon will help you navigate through the security nuances of each cloud provider's K8s engine. He will deploy a K8s application to a cloud Kubernetes engine, demonstrate some of the exploits that can be performed on insufficiently hardened instances, and walk through the effective and sometimes shockingly simple mitigations. When the presentation concludes, you will feel empowered to help your organization build and defend cloud native applications that are not cloud agnostic, are not cloud devout, but are truly cloud consistent.

  • Cloud Agnostic or Devout? Part 2: Why Securing Multiple Clouds Using Terraform is Harder Than You Think

    SANS Institute

    The movement towards multicloud has been gaining momentum with no end in sight. Over 50% of the respondents to the SANS 2022 Multicloud Survey not only use all of the Big 3 Cloud Providers (AWS, Azure, and Google Cloud), but they also use all of the next three most popular CSPs (Alibaba Cloud, Oracle Cloud, and IBM Cloud).

    Organizations look to so-called “cloud-agnostic” technologies to manage this complexity. One such technology, Terraform, allows you to define cloud infrastructure as code and deploy it for many different cloud providers. Given that Terraform supports all of the top 6 CSPs, this means that an organization can produce a single set of Terraform code to securely configure them all…right?

    In this blog, Brandon Evans, SANS Certified Instructor and Lead Author of SEC510: Public Cloud Security: AWS, Azure, and GCP, will explain why this is not true despite the perception of many security professionals. Not only will he demonstrate that Terraform does not work this way, but he will prove why it is practically impossible for any tool to work this way. With this understanding, attendees will learn the real, more difficult techniques required to consistently apply security controls across CSPs using Terraform.

    This blog post is related to Brandon’s RSA Conference 2023 presentation, “Cloud Agnostic or Devout? How Cloud Native Security Differs Between EKS, AKS, and GKE”. While watching the RSAC presentation is not a prerequisite for reading this blog post, viewers who are interested in one will likely be interested in the other.

    Associated webcast: https://youtu.be/rCFuXJtxjzg

  • Evo Cyber Security #29 - The Future of Application Security

    The Evolution Exchange Cyber Security Podcast

    Join host James Price as he delves into the future of application security with a panel of industry experts. Cris Rodriguez from Sabre Corporation, Brandon Evans from SANS Institute, Mick Gomm from Medallia, and Jamie Prosser from Verizon share their insights on managing application security, automation, pen testing, and more. Get valuable tips and strategies for staying ahead in the ever-evolving landscape of application security. Don't miss this informative and engaging episode!

  • DNS Security in Multicloud Environments

    SANS Institute and Infoblox

    The SANS Institute report on DNS security in multicloud environments documents findings from a wide-ranging survey of the global cybersecurity community. Read to learn:

    • Where respondents are struggling with DNS visibility into remote users and devices.
    • Why IT security teams are adding DNS to their next-gen firewalls rather than using DNS-layer security tools.
    • How the majority of respondents are using DNS for visibility across their multicloud environments to empower threat investigation and incident response.

  • Cloud Security Podcast by Google EP111 How to Solve the Mystery of Application Security in the Cloud?

    Cloud Security Podcast by Google

    Topics covered:

    • What got you interested in security and motivated you to make this your area of focus? You came from a developer background, right?
    • Occasionally we hear the sentiment that “developers don’t care about security,” how would you counter it (and would you?)?
    • How do we encourage developers and operations to use the appropriate security controls and settings in the cloud? Is “encourage” the right word?
    • Can we really achieve “secure by default” but for developers?
    • What do you think are the main application security issues that developers need to deal with in the cloud? 
    • You mentioned software supply chain security, do you treat this as a part of application security? How important is this, realistically, for an average organization and its developers?
    • Going to our favorite subject of threat detection, how do you think we can better encourage developers to supply the logs necessary for our detection and response teams to act upon?

  • SANS 2022 Multicloud Survey: Exploring the World of Multicloud

    SANS Institute

    Market research shows that organizations are increasingly adopting a multicloud strategy. This survey examines how this trend has continued over the years and its implications for security teams. Amazon Web Services (AWS), Microsoft Azure, and Google Cloud are still far and away the Big Three providers, though this survey indicates that IBM, Oracle, Alibaba, and others are also utilized at an impressive scale. Respondents stated that their organizations overwhelmingly valued "cloud-agnosticism," meaning that they would like the ability to run their workloads on multiple cloud providers. Stakeholders for these organizations might actively choose to go multicloud to leverage the best services for their goals at the best price, with many porting workloads from one cloud to another in real-time to maximize cost savings. Many other respondents work with organizations that organically became multicloud through mergers and acquisitions.

    These business trends pose security challenges. Forbes notes that "each major public cloud platform uses a different approach and tools for protecting its infrastructure." Many respondents stated that they are "not at all" prepared to secure certain cloud services, including some of the simplest and most foundational services. If these respondents use three cloud providers, they should feel three times as unprepared as if they were using one. This problem will likely increase alongside multicloud adoption, especially when, as the Forbes article indicates, the security "talent crunch meets the budget crunch" amidst economic uncertainty.

    Multicloud and its security issues are here to stay. The authors of this report hope to inform the readers of the hard work ahead of them, warn the industry that they are far away from reaching their ideal state, and highlight the technologies and techniques practitioners are using to cope with the onslaught of challenges brought about by the vast multicloud service landscape.

  • Cloud Security: Making Cloud Environments a Safer Place

    SANS Institute

    Large enterprises are increasingly operating in a multicloud environment, either by choice or by chance. As a result, organizations, security teams, and we—as security professionals—are on a continuous journey to develop multicloud security capabilities to enable businesses and effectively respond to the changing threat landscape.

    In this book we have, for the first time, a coming together of security leaders from Microsoft Azure, Google Cloud, and independent technical experts from SANS Institute who are sharing their perspectives on building cloud security capabilities as well as best practices for key cloud security pillars.

    This book starts with a view on cloud-specific threats that can inform cloud security strategies. What follows is foundational information for key areas such as IAM, data security, and visibility. But often, foundational information does not provide enough direction. People typically learn best when making mistakes and learning lessons the hard way. Knowing this, the contributors to this book convey these lessons in the form of various security anti-patterns that highlight important “not to do” items. Case studies like these highlight cloud security weaknesses and what you can do to shore them up. As they say, experience is often the best, if not bitterest, teacher. So please, take some time to learn from the experience of these expert contributors. Don’t leave your cloud security journey to chance.

  • Multicloud Security is Inevitable: Fact or Fiction

    SANS Institute

    Major enterprises are multicloud by choice or by chance. Is a shift to multicloud architectures inevitable? What do security teams need to do in preparation? Attend this session to hear a lively discussion including a brief history of technology, the current state of cloud, and how it all may inform where cloud security is headed.

  • CloudWars Episode III - Revenge of the Hacks

    SANS Institute

    Tune in to the final chapter of this security saga as Eric Johnson and Brandon Evans recount another horrific cloud war story.

    YouTube: https://www.youtube.com/watch?v=Y-C-UpovXbM

  • Cloud Wars: Episode II - Attack of the Packets

    SANS Institute

    The transition from on-premise to cloud-hosted networking is complicated. Many organizations fail because they attempt to replicate their on-premise networks in the cloud, rather than redesigning cloud networks that take advantage of new features and security controls. Join SANS Instructors Eric Johnson and Brandon Evans for a session discussing cloud-native networking architecture designs, features, and security controls that can help you avoid building an unmanageable cloud network.

    YouTube: https://www.youtube.com/watch?v=g6RpTQbPiH0

  • Cloud Wars: Episode I - The IAM Menace

    SANS Institute

    Vulnerabilities are synergistic. A bunch of small findings can add up to one big catastrophe. This is especially true in the cloud, where a single compromised instance can be used to escalate IAM privileges and take over an entire account.

    SANS Senior Instructor Eric Johnson has seen this countless times in the field. Join Eric as he discusses one of his cloud IAM war stories with Certified Instructor Brandon Evans. This story will demonstrate how attackers pivot within the cloud, which cloud permissions need to be scrutinized, and how to segment your organization to protect your cloud assets.

    YouTube: https://www.youtube.com/watch?v=8V-Uc_nou2o

  • Multi-Cloud Anomaly Detection: Finding Threats Among Us in the Big 3 Clouds

    RSA Conference

    Attackers are using our clouds against us. As the cloud providers introduce new services, adversaries are learning how to co-opt their features and resources. The 2019 Capital One breach illustrates how immense damage can be wrought on a cloud account using its own API calls and internal network. Monitoring for anomalies with actions taken on and within the cloud is key to identify potential compromises. Although logs are created for nearly every action taken in the cloud, if organizations fail to monitor them, they are useless.

    This session will demonstrate live how defenders can unlock the full potential of their cloud audit logs. We will examine the logging and monitoring capabilities that are built into the Big 3 Cloud Providers. In one of our several live demonstrations, we will identify anomalies in our cloud private network flow logs. After querying the traffic metadata, we will discover infrequent communications from our cloud infrastructure to an unknown host over an irregular port. This will lead us to examine the traffic contents on our cloud host using a sniffer or traffic mirror. Upon further analysis, we can recognize that the host is exfiltrating data using DNS queries containing the Base32 encoded message chunked into blocks of 63 characters. This traffic is generated via an advanced piece of malware that was shipped as a Trojan horse using the Node Package Manager (NPM). To remedy this compromise, we will show how to leverage Terraform, a cloud Infrastructure-as-Code utility, to automatically lock down traffic in each of our private clouds.

    When we can block attacks, we should. When we cannot, our next best recourse is to identify them and limit the damage they produce. Each cloud provider has powerful tools to collect and visualize potential indicators of compromise. However, these are useless if we do not use them. With the right tools, training, and personnel, security engineering and operations can thrive in the cloud.

  • SANS ICS Hot Take: Cloud Security

    SANS Institute

    We talk about the challenges organizations face when integrating cloud services into the control network. We cover security requirements, data collection, service management and other issues relating to selecting a cloud service provider or integrating a cloud service.

  • Multiple Clouds Require Multiple Solutions: AWS, Azure, & GCP

    SANS Institute

    Organizations in every sector are increasingly adopting cloud offerings to build their online presence. However, although cloud providers are responsible for the security of the cloud, their customers are responsible for what they do in the cloud. Unfortunately, the providers have made the customer's job difficult by offering many services that are insecure by default. Worse yet, with each provider offering hundreds of different services and with many organizations opting to use multiple providers, security teams need a deep understanding of the underlying details of the different services in order to lock them down. As the landscape rapidly evolves and development teams eagerly adopt the next big thing, security is constantly playing catch-up in order to avert disaster.

    The Big 3 cloud providers alone provide more services than any one company can consume. As security professionals, it can be tempting to limit what the developers use to the tried-and-true solutions of yesteryear. Unfortunately, this approach will inevitably fail as the product development organization sidelines a security entity that is unwilling to change. Functionality drives adoption, not security, and if a team discovers a service offering that can help get its product to market quicker than the competition, it can and should use it. SEC510 gives you the ability to provide relevant and modern guidance and guardrails to these teams to enable them to move both quickly and safely.

    Join Brandon and Eric in this webcast as they walk through the details of the new 5-day SEC510: Public Cloud Security: AWS, Azure, and GCP course.

  • More Servers, More Problems: How Serverless Changes and Reduces Risk

    SANS Institute

    Security professionals face the daunting challenge of keeping up with constantly changing technology trends. By the time security has a handle on a new programming paradigm, product development has been using it in production for months, if not years. Worse yet, new tech is normally designed with security as an afterthought, introducing risks that will need to be managed rapidly.

    Despite all of this, in this presentation, SANS Instructor Brandon Evans will illustrate that Serverless is actually a breath of fresh air for security. Although it might initially seem complex and intimidating, it reduces risk when compared to traditional application architecture by shrinking the customer's portion of the Shared Responsibility Model. Additionally, it empowers security automation that would otherwise be impractical. Overall, as Serverless continues to mature, Brandon argues that it will become the recommended practice from security teams.

  • Instructor Spotlight: Brandon Evans, SEC510 Lead Author

    SANS Institute

    After becoming a SANS Certified Instructor, I shared details on my journey, advice for aspiring technologists, and some fun facts about myself.

  • Secure Service Configuration in AWS, Azure, & GCP

    SANS Institute

    Multiple clouds require multiple solutions. In an ideal world, you could learn the core concepts of cloud computing and apply them to whatever cloud provider your organization uses. Unfortunately, we live in a world where each of the top three most popular cloud platforms, Amazon Web Services (AWS), Microsoft Azure, and the Google Cloud Platform (GCP), radically differ from one another in both design and implementation. These differences affect how security professionals must operate in each environment.

    This poster compares and contrasts the popular security services of each major cloud provider. By identifying insecure defaults and little-known security features, you can ensure the security of your organization's assets across each public cloud environment.

    The contents of this poster are based on material from SEC510: Public Cloud Security: AWS, Azure, and GCP. For more information, visit sans.org/SEC510

  • Firebase: Google Cloud's Evil Twin

    SANS Institute

    Firebase allows a frontend application to connect directly to a backend database. Security wonks might think the previous sentence describes a vulnerability, but this is by design. Released in 2012, Firebase was a revolutionary cloud product that set out to "Make Servers Optional". This should raise countless red flags for all security professionals as the application server traditionally serves as the intermediary between the frontend and backend, handling authentication and authorization. Without it, all users could obtain full access to the database. Firebase attempts to solve this by moving authentication and authorization into the database engine itself. Unfortunately, this approach has several flaws.

  • Profile of a 0-Day

    Security Innovation Blog

    A detailed write-up of an unintended 0-day I found in the InstaFriends Cyber Range by Security Innovation with two of my co-workers, Jessica Wood and Kirill Kulakov. We ethically disclosed the vulnerability and helped the development team patch it.

  • Detecting and Locking Down Network-Based Malware in Azure

    SANS Institute

    With the evolution of cloud-based protections and secure application development frameworks, fewer organizations are susceptible to having their databases dumped with server-side exploits. Faced with this, data thieves are getting more sophisticated with their techniques. One novel approach is abusing the Domain Name System (DNS) protocol to quietly exfiltrate data. Although DNS traffic is often overlooked, the major cloud providers have made it easier than ever to examine it, detect data loss, and lock down the network to prevent similar attacks in the future. This post will illustrate this process using a Node.js application deployed to Microsoft Azure.

  • Multicloud Command-Line Interface Cheat Sheet

    SANS Institute

    Graphical User Interfaces (GUIs) are so passé. "Real hackers" use Command-Line Interfaces (CLIs). Why should the cloud be any different? This cheat sheet provides commands, tips, and tricks for the Amazon Web Services, Azure, and Google Cloud Platform CLIs.

    For more details on how to use this cheat sheet, see this video demo: https://www.youtube.com/watch?v=3WjlmhxJ9OA

  • Top 5 Considerations for Multicloud Security

    SANS Institute

    The move to leveraging multiple public cloud providers introduces new challenges and opportunities for security and compliance professionals. As the service offering landscape is constantly evolving, it is far too easy to prescribe security solutions that are not accurate in all cases. This paper will examine five critical considerations for securely using the three biggest public cloud providers: Amazon Web Services, Microsoft Azure, and the Google Cloud Platform. While it is tempting to dismiss the multicloud movement or block it at the enterprise level, this will only make the problem harder to control. By embracing multicloud as inevitable and working to understand it, security and compliance professionals can help move the organization forward safely.

  • Attacking Serverless Servers

    serverlessDays Nashville / SANS@Mic / serverlessDays Virtual

    Join Brandon to get an in-depth understanding of serverless security from an attacker's perspective. In this session, Brandon will demonstrate how a compromised function can be used to gain sensitive credentials and pivot to other services through live demonstrations on AWS Lambda, Azure Functions, and Google Cloud Functions.

    Also presented for a SANS@Mic talk on 03/25/2020: https://sansurl.com/attacking-serverless / https://www.youtube.com/watch?v=DegAofI3fR0

    Also presented for serverlessDays Virtual on 04/29/2020: https://www.youtube.com/watch?v=H4WoQd2yVJQ&t=142m54s

  • Secure by Default? Scoring the Big 3 Cloud Providers

    SANS Institute

    This presentation provides a technical comparison of the default configurations for various services provided by the Big 3 Cloud Providers: AWS, Azure, and the Google Cloud Platform. It compares services apples to apples, preferring platforms powered by open-source software where possible. Using a consistent methodology, I score each provider in a variety of categories and give each a report card. Attendees are provided resources to evaluate these services for themselves and introduce alternative viewpoints.

    Topics include: the strength of access controls for file storage solutions (AWS S3, Azure Storage, and Google Cloud Storage), encryption of data in-transit and at rest for managed SQL servers (AWS RDS, Azure Database, and Google Cloud SQL), management and invocation privileges for serverless functions (AWS Lambdas, Azure Functions, and Google Cloud Functions), and much more.

    Our goal is to bring attention to the importance of scrutinizing default settings, especially for new functionality. With better awareness, we can hold our providers to a higher standard to make the path of least resistance a safe one. Long-term, we should push for the ability to better control what actions and configurations are allowed within our cloud accounts.

  • Security by Persuasion: How to Use Debate Tactics to Enhance Your Company's Security Posture

    Greater Nashville Technology Council

    In software development, there is always a balance between functionality and security. As anyone in the field knows, the only perfectly secure system is one that contains no sensitive data, is off of the network, and is powered down. For the benefit of our customers and shareholders, technology companies must balance these goals.

    This can feel like a Herculean task due to the different priorities and values of team members. Technologists view product managers and salespeople as renegades who are willing to jeopardize everything just to deliver a fancy new feature on time. On the other side, engineers are oftentimes viewed as impractical and naïve curmudgeons who care more about saying "no" than actually moving the needle. How can these differences be reconciled?

    The truth is that we are really not so different. Regardless of how a person juggles quality, security, and agility, everyone wants to deliver value for our customers and shareholders in a responsible way. If our high-level incentives appear not to be aligned, we have a communication problem, not an ideological one.

    This presentation will demonstrate how subtle changes in how engineers communicate their concerns can drastically increase the persuasiveness of their message. Topics will include incentive alignment, language accessibility, building credibility, and being a team player without compromising your ideals.

    At times, it is tempting to dismiss the other side as simply being wrong and unwilling to listen. Unfortunately, without influence, change is impossible. The more extreme of a position a person takes, the more they alienate those around them, even those who generally agree with them. By simply using a softer touch, it is possible to improve the security posture of an organization while finding allies across the aisle.

  • Give Hacking a Try...You Might Just Be Great!

    Security Innovation Blog

    Blog post encouraging people to join Security Innovation's March Hackness Tournament and covering my experience at 2019 AppSec California where I won their previous Capture the Flag.

    Originally published here: https://blog.securityinnovation.com/give-hacking-a-try

  • Best Security Practices for Amazon RDS with Sequelize

    SolutoNashville

    I describe the most secure configuration for connecting to a relational database on Amazon RDS using the Node.js ORM Sequelize.

  • Ask Brandon, a Software Engineer

    I was given a wonderful opportunity to write about my role working on a platform by Asurion.

  • How to Hackathon in 5 Easy Steps

    SolutoNashville

    I provide some tips for how to make your hackathon experience a success.


Courses

  • Argumentative Theory

    RHET 354

  • Automata Theory & Formal Languages

    CS 373

  • Computer Systems III

    CS 320

  • Data Structures & Algorithms

    CS 240

  • Design & Analysis of Algorithms

    CS 375

  • Discrete Mathematics

    MATH 314

  • Ethical, Social and Global Issues in Computing

    CS 301

  • Introduction To Data Mining

    CS 435

  • Microcontrollers And Robotics

    CS 424

  • Operating Systems

    CS 350

  • Probability with Statistical Methods

    MATH 327

  • Programming Languages

    CS 471

  • Programming with Objects

    CS 140

  • Software Engineering

    CS 445

  • Calculus III

    MATH 323

  • Linear Algebra

    MATH 304

  • DEV540: Secure DevOps and Cloud Application Security

    DEV 540

  • DEV541: Secure Coding in Java/JEE: Developing Defensible Applications

    DEV 541

  • SEC401: Security Essentials Bootcamp Style

    SEC 401

  • SEC542: Web App Penetration Testing and Ethical Hacking

    SEC 542

  • SEC560: Network Penetration Testing and Ethical Hacking

    SEC 560

  • SEC540: Cloud Security and DevOps Automation

    SEC 540

Projects

  • Serverless Prey

    - Present

    Serverless Prey is a collection of serverless functions (FaaS) for GCP Functions, Azure Functions, and AWS Lambda. Once launched to the environment and invoked, these functions establish a TCP reverse shell for the purposes of introspecting the container runtimes of the various function runtimes.

    This repository also contains research performed using these functions, including documentation on where secrets are stored, how to extract sensitive data, and identify monitoring / incident response data points.

  • Nymeria

    A repository helping security teams integrate cloud providers with one another without using long-lived credentials. It contains a workshop and other examples.

  • Cloud Ace Podcast Season 1

    Cloud Ace is your go-to podcast for in-depth expert discussions on all topics that touch cloud security. Information security professionals can tune in for fresh perspectives on building and managing secure cloud infrastructure, platforms, and applications. The insight shared by our experts on this podcast transcends cloud, making it valuable for professionals across all fields of cyber security.

    Cloud Ace podcast delivers actionable insight through interviews with some of the top minds leaving their mark in cloud security. Cloud Ace covers the full gamut of cloud topics from multi-cloud and public cloud, to containers, threat detection, cloud pen testing, DevSecOps, automation and everything in between.

    Here are some of Cloud Ace's peak chart rankings:

    • #12 Technology Apple Podcast, #25 Spotify Podcast in U.S.
    • #14 Technology Apple Podcast, #24 Spotify Podcast in Great Britain
    • #1 Technology Apple Podcast in Bahrain
    • #1 Technology Apple Podcast in Qatar
    • #2 Technology Apple Podcast in the Republic of Trinidad and Tobago
    • #3 Technology Apple Podcast in Cambodia
    • #7 Technology Apple Podcast in Finland
    • #7 Technology Apple Podcast in Ireland
    • #7 Technology Apple Podcast in the United Arab Emirates
    • #7 Technology Apple Podcast in Malaysia
    • #12 Technology Apple Podcast in Slovakia
    • #13 Technology Apple Podcast in Australia
    • #13 Technology Apple Podcast in Saudi Arabia
    • #13 Technology Apple Podcast in Turkey

  • Pixel Puzzles

    Fill the grid in your browser or print the puzzle to complete by hand. Edit the puzzle or generate your own using any image. Share puzzles with your friends and family!

    The application has two game modes: the "Classic" puzzles require you to copy each square's pattern to the associated coordinates, while Nonogram puzzles work like so: https://en.wikipedia.org/wiki/Nonogram

    This is a completely browser-based React application. All file manipulation is done in the browser using the File Web API. I spent 12 calendar days developing it: four days in July 2021 to create the core application, three days in September of 2021 to implement image cropping, one day in October of 2021 to make a minor fix, and four days in September of 2022 to implement the nonogram game mode.

  • Cyber42 Cybersecurity Leadership Simulation

    An online simulation and game for the SANS Cybersecurity Management Curriculum. "Teams play to improve the state of security for a fictional organization. Just as in real life, any program has constraints, such as time, money, and resources. Students are required to manage their resources even amongst changing tides and requirements within the organization. They must capitalize on the schedule and available resources to accomplish necessary tasks in a timely and effective manner. Team members interact with one another in order to maximize the results of their program. This type of interactive simulation puts students in real-world scenarios that spur discussion, critical thinking of situations, and melding of different points of view and personalities that they will encounter at work."

    I created the web application adaptation of Cyber42. Students can create an account, form a team, and provide their answers to the various events via a form. After providing a response, they will immediately be informed of the consequences of the selected action and see their updated scores. The platform is designed to allow authors to create different versions of the game without modifying any application code.

  • untappdScraper Web

    Web application to scrape and analyze Open-Source Intelligence (OSINT) from untappd.com

  • CMD+CTRL New Scoreboard (Security Innovation)

    Extensively tested the new scoreboard for CMD+CTRL by completing all 461 challenges in their Cyber Range Suite (https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/cyber-range-suite/) and providing detailed feedback and bug reports.

  • Contact Portal

    As a part of Hack for the Community 2018, we were posed the following problem by our non-profit, the McNeilly Center for Children, and their stakeholders, Marty Mayer, Nelda Fulghum, and Shellie Fossick: how can we better keep in contact with the caretakers of the children we educate? These parents and guardians often don't have email accounts nor consistent phone numbers (many of their cellular devices are provided by the government). Additionally, they didn't have a budget for this project, meaning we couldn't build this with any services that required recurring payments.

    We came up with two related web-based applications to tackle this challenge:

    Firstly, we created an administrator portal where employees of the McNeilly Center can manage records for their families and students, associating each child with a classroom. They can then use the portal to send blast SMS messages to each caretaker in a given family, each with a student in a particular classroom, each with a student at one of the McNeilly Center's two locations, or each in the entire system. The portal also contains admin management utilities.

    Secondly, we created a self-service kiosk that families can use to update their contact information and add additional contacts. All changes are reflected in the administrator portal. The kiosk can be loaded on a cheap tablet that the caretakers are provided regularly when signing in students.

    The application was built on a React.js frontend and a Dockerized Node.js backend. It is hosted on Microsoft Azure and utilizes Twilio, both of which have programs for non-profits which suited our needs. With their expected volume, we project that running this service will not cost the non-profit anything for over a decade. The application is now running in production.

    Our development team is listed below. Additional contributors include Michelle Panell, our Lead Project Manager, and Steven Ojeda, who wrote our User Manual and manual testing plan.

  • lichess.org

    Open-source contributor to lichess.org, an online chess website serving tens of thousands of players at all times.

    • Overhauled the board editor: https://github.com/ornicar/lila/issues/2632
    • Created a Dockerized implementation of the website and backend services: https://github.com/BrandonE/lichocker
    • Performed various other stylistic improvements and bug fixes.

    Pull requests:

    • https://github.com/ornicar/lila/pulls?utf8=%E2%9C%93&q=is%3Apr+is%3Aclosed+author%3ABrandonE
    • https://github.com/ornicar/chessground/pulls?utf8=%E2%9C%93&q=is%3Apr+is%3Aclosed+author%3ABrandonE
    • https://github.com/veloce/lichobile/pulls?utf8=%E2%9C%93&q=is%3Apr+is%3Aclosed+author%3ABrandonE

  • Smartvue S12

    The Smartvue S12 platform and software stack delivers scalable and cost effective video capture, security, transport, storage, management, and distribution worldwide. Manage your video from anywhere in the world with a simple and elegant interface.

    Core Features:

    • High-definition live video feeds
    • A searchable timeline of archived video with markers for events such as motion and user-created bookmarks
    • Custom recording schedules (Including recording only when motion is occurring)
    • Ability to remotely store archived video to enable storage in larger volumes and allow for access in the event of the system being stolen or destroyed.
    • Custom views for organizing cameras across multiple sites
    • Support for over 100 camera models from over 10 manufacturers
    • E-Mail and SMS alerts (Motion, user login, etc.)
    • User interfaces for graphically illustrating the position of the installed cameras at a given site or all of your sites on a global map

  • Binghamton Student Association Employee Time Sheet

    • Created a web-based application to enable the tracking of hours worked by Student Association employees.
    • Eliminated the possibility of forged or inaccurate data by requiring employees to clock-in and out through the application and restricting access to the work sites.
    • Significantly reduced the project’s expenses by enabling the organization to install the application on inexpensive servers instead of buying costly dedicated machines.
    • Provided administrative tools to provision accounts for employees and their managers as well as generate reports of a user’s worked hours over a specified period.
    • Delivered on all of the requested functionality on a tight timeline.
    • Developed using a PHP and MySQL back-end and seamlessly integrated into the site's existing layout.

  • TeraHive

    A service intended to increase user engagement through awarding users for meaningfully evaluating and ranking content. Developed using a Bootstrap and jQuery front-end and a PHP and MySQL back-end with Heroku hosting.

  • 2048-SendGrid

    A 2048 clone that is controlled by E-Mail. Just send your move (Up, Down, Left, or Right) in the body to move@2048.bymail.in to move the tiles. The results are synchronized to every client's screen. The page shows a list of all of the users who have submitted moves and what they were. Created for the 2014 HackBU Hackathon, in which it won "Best use of the SendGrid API".

  • Binghamton Speech and Debate

    Developed and maintained a platform on which people around the world can participate in online debates. Helped administrate online debate tournaments with over 100 participants. Created a video archive with over 50 policy debate videos. Developed administrative tools for my director to use to manage the site without assistance or web development experience.

    Other creators
    • Joseph Leeson-Schatz
  • BizHawk

    A multi-system emulator written in C#. As well as quality-of-life features for casual players, it also has recording/playback and debugging tools, making it the first choice for TASers (Tool-Assisted Speedrunners).

    • Original developer of IntelliHawk, an emulation core for the Intellivision: https://github.com/TASEmulators/BizHawk/tree/master/src/BizHawk.Emulation.Cores/Consoles/Intellivision
    • Wrote several "movie importers", which translated input files generated from one emulator to BizHawk
    • Enhanced various tools used by speed runners, such as the ones used to analyze and search through values in the console's RAM.

  • Towers of Hanoi Demonstration

    Wikipedia describes The Towers of Hanoi as a mathematical puzzle that has become a popular example of the concept of recursion. On this page, we have provided the puzzle, several options used to create variations of it, a method of playing these games manually, and solutions to many of the combinations. We made this program to educate, entertain, and strive for the best solutions to these variations.


Honors & Awards

  • 2nd Place at the 2019 Middle Tennessee Cyber Conference Capture the Flag

    Middle Tennessee Cyber Conference

    https://middletncyberconf.com/capture-the-flag

  • First Runner-up for the DEF CON 27 CMD+CTRL Capture the Flag

    Security Innovation

    Achieved 2nd Place, scoring 39,825 points (1st place scored 40,330 and 3rd place scored 32,505) by:

    - Completing 59 out of 63 challenges on LetSee (https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/cyber-range-suite/cmdctrl-cyber-range-letsee/).
    - Completing 60 out of 67 challenges on Runstoppable (https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/cyber-range-suite/cmdctrl-cyber-range-runstoppable/).
    - Performing additional security exploits.
    - Answering trivia related to security.

    https://blog.securityinnovation.com/cmdctrl-at-defcon-27-recap

  • Mackelprang Pwnie Award

    Asurion

    Awarded to the highest scoring Asurion employee in the 2019 MusicCityCon Capture the Flag.

    https://www.linkedin.com/feed/update/urn:li:activity:6556956037855920128/

  • Winner of the 2019 MusicCityCon Capture the Flag

    Security Innovation

    https://web.securityinnovation.com/musiccitycon2019

    Achieved 1st Place, becoming the first player ever to complete all 35 challenges on the Shred Skateboards Cyber Range: https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/cyber-range-suite/cmdctrl-cyber-range-shred-skateboards/

  • Top Scorer at LetSee Capture the Flag

    Security Innovation

    https://www.brighttalk.com/webcast/16345/358305

    Achieved 1st Place in a 24-hour-long event open to competitors globally, completing 44 of the 63 possible challenges on Security Innovation's most challenging Cyber Range, LetSee: https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/cyber-range-suite/cmdctrl-cyber-range-letsee/

  • Winner of the 2019 March Hackness Capture the Flag

    Security Innovation

    https://web.securityinnovation.com/march-hackness-2019

    Achieved 1st Place, becoming the first player ever to complete all 55 challenges on the InstaFriends Social Media Web Site Cyber Range: https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/cyber-range-suite/cmdctrl-cyber-range-instafriends/

    Blog post announcing the winners: https://blog.securityinnovation.com/march-hackness-a-recap

  • Winner of the 2019 AppSec California Capture the Flag

    Security Innovation

    https://appseccalifornia2019.sched.com/event/IkSN/ctf-capture-the-flag-and-iot-village

    Achieved 1st Place in the Competitive division, competing on the Gold Standard Advanced Banking Cyber Range: https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/cyber-range-suite/cmdctrl-cyber-range-the-gold-standard/

    Blog post covering my experience at the event: https://blog.securityinnovation.com/give-hacking-a-try

  • Winner of the 2017 Asurion Hackathon (Nashville)

    Asurion

    https://medium.com/soluto-nashville/how-to-hackathon-in-5-easy-steps-a00ae17b19fe

  • Best use of the SendGrid API

    SendGrid

    Awarded at the 2014 HackBU Hackathon for 2048-SendGrid.

  • All-American

    Cross Examination Debate Association

    The organization should honor a maximum of thirty CEDA debaters as those students who represent the best of intercollegiate debate. They should demonstrate competitive success, academic success, good conduct, and contributions to their squad. No more than two students from a given school shall receive this award. At least two recipients must be from community college programs.

  • National Debate Scholar (Summa Cum Laude)

    Cross Examination Debate Association

    The organization should honor students who maintain strong academic records in addition to their competitive accomplishments. There will be no minimum or maximum number of students eligible for any of these awards. To be eligible for any level of national scholar recognition, a student must have attained at least junior standing, competed in at least 18 rounds on the current topic, and meet the minimum grade point average for that specific award.

    National Debate Scholar – summa cum laude. Minimum 3.75 GPA.

  • National Public Debate Award (2nd Place)

    Cross Examination Debate Association

    Awarded in part due to the creation of the Binghamton University Speech and Debate Online Debate Platform.

    1. This award is given to the intercollegiate debate program which, over the course of the past academic year, has best advanced the values of debate in the public sphere through sponsorship of one or more public debate activities including international public debates, multimedia debates, public debates on campus or for community groups, and through general promotion of public discourse to promote critical examination of public issues for diverse and general audiences.

    2. Nominees should submit a portfolio including a narrative description of their public debate activities. Programs are also asked to submit supporting materials of their choosing which might include participant lists, publicity and promotional materials, attendance figures, transcripts or recordings, commendations and letters of appreciation, and any other materials that they feel are appropriate.

    3. The awards committee may elect to provide up to three awards each year and may also recognize as many Honorable Mention entrants as they deem appropriate. Each recipient and Honorable Mention will receive recognition through letters sent to the appropriate officers of their academic institutions.

Languages

  • English

    Native or bilingual proficiency

Recommendations received

14 people have recommended Brandon
