fwd:cloudsec

fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security features, the pros and cons of different security strategies, and generally the types of things cloud practitioners want to know, but that don't fit neatly into a vendor conference schedule.

  1. 07/01/2025

    Defenders hate it! Compromise vulnerable SaaS applications with this one weird trick (Eric Woodruff)

    https://youtu.be/rQxc9N4gBqA

    Speaker: Eric Woodruff

    Throughout his 25-year career in the IT field, Eric has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis, Eric previously was a member of the Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity Architect at Microsoft partners, spent time working at Microsoft as a Sr. Premier Field Engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager.

    Eric is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. His security research has also been recognized by Microsoft, most notably for the findings he dubbed “UnOAuthorized”. Eric is a strong proponent of knowledge sharing and spends a good deal of time sharing his insights and expertise at conferences as well as through blogging. Eric further supports the professional security and identity community as an IDPro member, working as part of the IDPro Body of Knowledge committee.

    Talk:

    In June 2023, Descope published research on nOAuth, a critical OpenID Connect implementation flaw that enables user account takeover in vulnerable applications. Following the disclosure, Microsoft and the Microsoft Security Response Center (MSRC) published articles on this issue, highlighting common anti-patterns and their follow-up actions with impacted application owners.

    Fast forward to the fall of 2024, and nOAuth remains an active security threat. In this session, we will explore its persistence, unveiling new research that builds upon Descope’s original findings to identify additional implementation flaw patterns and methods for staging the abuse. We will also discuss how we uncovered vulnerable applications, the varying responses from developers, and what this means for securing modern SaaS applications.

    Attendees will leave with a deeper understanding of how nOAuth attacks work, real-world examples of its exploitation, and actionable strategies to mitigate this critical risk.

    49 min
  2. 07/01/2025

    Putting Workload Identity to Work: Taking SPIFFE past day 0 (Dave Sudia)

    https://youtu.be/oHlPGzpFT_c

    Speaker: Dave Sudia

    Dave Sudia went from Platform Engineering to Product Engineering; in both roles he has had to stand up infrastructure in repeatable but constantly evolving architectures, taking into account usability, security, and scalability. He is the world's biggest fan of Infrastructure-as-Code. By day you'll find him enabling developers to do their best work, and by night you'll find him hanging with his kid, whose hobbies are now Dave's hobbies.

    Talk:

    With the rise in popularity of open-source standards and tools like SPIFFE and SPIRE, it’s never been easier to get off the ground with issuing all your workloads a flexible cryptographic identity. But this is just the start of your workload identity journey! The real challenge begins in putting these identities to work in your infrastructure, replacing legacy authentication mechanisms such as long-lived shared secrets. It’s difficult to know where to get started.

    This talk will:

    - Briefly outline SPIFFE and Workload Identity
    - Explore the options for using SPIFFE for authentication and authorization, with a focus on techniques appropriate for existing infrastructure
    - Dive into a handful of practical examples of introducing SPIFFE-based authentication between legacy services, and between legacy services and Cloud APIs
    - Describe higher-level strategies for rolling out workload identity in an organization, based on experience helping large organizations approach this work

    26 min
  3. 07/01/2025

    Happy Little Clouds: Painting Pictures with Microsoft Cloud and Identity Data (Matt Graeber)

    https://youtu.be/nwYzVTL8Y4Y

    Speaker: Matt Graeber

    Matt is a threat researcher focused on detecting Microsoft cloud and identity threats. Coining the term and establishing the strategy of "living off the land" in 2013 along with Chris Campbell, he has an extensive history of identifying ways to abuse native functionality in Microsoft products. Matt is dedicated to helping make defense accessible to all.

    Talk:

    You're tasked with detecting an Entra ID, Azure or Microsoft 365 attack technique. Where do you start? How do you identify what data sources are available to observe the technique? Of the data sources available, what constitutes quality data with which a coherent story can be told? What are the elements of the story that need to be told so that a responder can ask the right questions and respond with confidence? How do data sources need to be correlated, and can they even be directly correlated? What the heck is a SessionId versus a UniqueTokenIdentifier, how are they related, and why do they matter?

    Anyone who has ever been tasked with developing detection guidance for cloud and identity threats in the Microsoft stack will know well just how fragmented and under-documented their security data sources are. This session will attempt to bring sanity to how to tell effective stories when investigating and detecting threats, based on a formal methodology for assessing the quality of any given data source. Join Cloudsec Bob Ross as he reveals the art and science behind threat storytelling, and learn to distinguish malicious strokes from happy little accidents.

    45 min
  4. 07/01/2025

    Introducing GRC Engineering: A New Era of AWS Compliance (AJ Yawn)

    https://youtu.be/nEM7z266D6o

    Speaker: AJ Yawn

    AJ Yawn is an experienced cybersecurity leader specializing in cloud compliance and governance, risk, and compliance (GRC) engineering, with nearly 15 years of experience. AJ currently serves as Director of GRC Engineering at Aquia, leading innovative approaches to compliance automation and cloud security. He previously founded ByteChek, a compliance automation startup focused on SOC 2 and HIPAA, achieving over $1M in annual recurring revenue. AJ also served as a partner at Armanino LLP, a top 20 CPA firm, spearheading product innovation in compliance and audit automation.

    As a dedicated educator, AJ instructs courses on cloud compliance and security automation for the SANS Institute and LinkedIn Learning, where he has educated over 125,000 professionals worldwide. AJ began his career as a U.S. Army Officer in the Signal Corps, earning the rank of Captain, and later grew the cloud compliance practice at Coalfire from a small team into a thriving practice. His professional mission remains focused on transforming compliance into an accessible, automated, and value-driven discipline.

    Talk:

    Traditional cloud compliance often relies on manual, checklist-driven processes that struggle to keep pace with modern cloud infrastructure's complexity and agility. This session introduces GRC Engineering, a fresh, proactive approach that integrates Governance, Risk, and Compliance (GRC) principles directly into the AWS engineering lifecycle.

    Attendees will explore how GRC Engineering leverages automation, infrastructure as code, and AWS-native tools to transform compliance from a reactive burden into a strategic asset. Real-world examples will demonstrate tactical methods for embedding compliance seamlessly into AWS environments, using services such as AWS Config, AWS Audit Manager, and automation frameworks.

    Participants will walk away equipped with actionable insights and strategies for adopting GRC Engineering practices, streamlining compliance processes, reducing operational risk, and achieving continuous compliance in AWS environments.

    27 min
  5. 07/01/2025

    Staying Sneaky in the Office (365) (Christian Philipov)

    https://youtu.be/l5lpIF_QZCE

    Speaker: Christian Philipov

    Chris is a principal security consultant and leads the specialist services within Reversec. As part of his day to day he leads the global team that deals with various different types of engagements of both a transactional and more bespoke nature. Chris specialises in Microsoft Azure predominantly, with GCP and AWS as an additional background.

    Talk:

    Microsoft are getting better at closing out security gaps in well-known APIs and components of their platform. However, as shown across the different cloud service providers, these interconnected systems almost always have a significant amount of complexity and a significant range of APIs that communicate together in various ways. Exploring these lesser-known APIs from an attacker's and defender’s perspective allows us to better understand these complex attack surfaces and further defend cloud environments.

    This talk will aim to further expand the rapidly developing field of exploring hidden APIs in Entra/Azure and will focus on the SharePoint APIs being used by the service through the browser client. We’ll explore ways of enumeration that are available through the SharePoint APIs that avoid the direct usage of Microsoft Graph and respectively allow an attacker to evade all known and possible methods of detection. The techniques that will be shown allow an attacker with a foothold in SharePoint to pivot and laterally move throughout an Azure environment, circumventing modern security controls and possibly allowing for the compromise of additional services, aiding an adversary to move towards their objectives. The talk will conclude with an exploration of file sharing security controls in the environment and whether they can be bypassed, as well as provide an overview of what actions are available for defensive teams to prevent or detect attempts at using these APIs directly.

    Attendees will gain an understanding of:

    - Microsoft SharePoint Online internals and differences to SharePoint-related Microsoft Graph APIs
    - How an attacker with a foothold as a regular business user with access to SharePoint can bypass security controls within a tenant to access sensitive resources
    - What a security team can do to prevent and detect usage of these APIs within an organization

    25 min
  6. 07/01/2025

    Not So Secret: The Hidden Risks of GitHub Actions Secrets (Amiran Alavidze)

    https://youtu.be/k3DBur7iEHM

    Speaker: Amiran Alavidze

    Amiran is a passionate product security professional with over 20 years of experience spanning systems engineering, security operations, GRC, and product and application security. As a security engineering leader, he champions a pragmatic, scalable approach to security, where collaboration between security, developer, and platform teams turns security into a business enabler rather than a bottleneck.

    With a deep understanding of evolving cloud architectures and modern development practices, Amiran focuses on helping organizations align security with velocity, ensuring defenses scale effectively in dynamic environments. An avid supporter of the local security community, he is actively involved with the OWASP Vancouver chapter and the DC604 DEFCON group.

    Talk:

    If your CI/CD pipelines are built on GitHub Actions, you might be using GitHub Actions secrets to securely store credentials for connecting to your cloud environments. The security model for GitHub Actions secrets is not very intuitive. Many organizations assume that repository and organization-level secrets offer sufficient protection, but in reality these secrets lack granular access controls, exposing organizations to hidden security risks.

    In this talk, we’ll break down the different types of secrets in GitHub Actions (organization, repository, and environment), the protections they offer, and their limitations. We’ll explore how misconfigurations lead to a false sense of security and discuss a more robust approach using environments and environment protection rules. We’ll also examine OpenID Connect (OIDC) for cloud authentication, where there are no long-lived secrets but where misconfigurations can still introduce risks, and how environment-based protections help.

    You’ll leave with a clearer understanding of GitHub Actions secrets, their exposure risks, and practical strategies to better protect the cloud permissions of your CI/CD pipelines. Whether you’re securing sensitive credentials or refining your OIDC configurations, this session will equip you with actionable defenses to keep your automation secure at scale.

    22 min
  7. 07/01/2025

    Trust Issues: What Do All these JSON files actually mean? (David Kerber)

    Speaker: David Kerber

    Dave is an engineer and longtime AWS practitioner with a focus on IAM and AWS security tooling. He’s led product and engineering teams at startups and billion-dollar companies, raised millions from VCs, built two CSPMs, and now consults on AWS security for Fortune 500 companies. He maintains open-source projects in the AWS IAM space and is currently obsessed with perfecting his focaccia.

    Talk:

    As cloud security practitioners, we spend our days wrangling IAM policies—but for all the JSON we manage, it’s still surprisingly hard to answer basic questions like: “Who can access this S3 bucket?” or “What can this role actually do?” Understanding AWS permissions in practice means piecing together policies across services, accounts, organizations, and trust layers. And because those policies are often managed by different teams or scattered across pipelines, it’s difficult to reason about what’s truly possible in a deployed environment.

    This talk explores a pragmatic approach to verifying effective IAM permissions: simulating what AWS IAM actually allows across all policy layers, and exposing the results in a way that clearly shows who can do what, and why. Rather than replacing pre-deploy linters or policy review processes, this system complements them by analyzing deployed IAM configuration and evaluating real-world access across identities, resources, and trust relationships. Want to know which principals have s3:GetObject access to your prod bucket? Or which external accounts can assume a sensitive role? We’ll show how to answer those questions—quickly, clearly, and without hand-parsing several JSON files.

    You’ll leave with a new set of tools for understanding how IAM really works in your environment. This session includes a demo and the release of an open-source project built to support these workflows.

    24 min
  8. 07/01/2025

    Inviter Threat: Managing Security in a new Cloud Deployment Model (Meg Ashby)

    https://youtu.be/ilnOvSV0QtY

    Speaker: Meg Ashby

    Meg does cloud security for Alloy, a fintech in NYC. Previous to Alloy she worked at Marcus by Goldman Sachs, but that was way less fun. At Alloy, Meg does IAM, networking, data, and Kubernetes security (and everything else related or tangentially related to AWS & security). When detached from her computer, Meg dances and is part of a ballet performance group.

    Talk:

    Vendors are looking for ways to differentiate themselves in a crowded market, and organizations are looking for solutions that are cheaper, faster, and easier for their teams to deploy and manage. SaaS providers are now offering a “vendor-managed-deployment” option for their product, where the employees of the SaaS company install the cloud infrastructure and software into your environment and maintain this access for ongoing maintenance. This can be enticing on both sides: it enables the vendor to focus on core product development rather than secondary “features” (including deployment templates) and frees infrastructure teams from re-architecting and managing another tool in your stack.

    However, the risks introduced in this new paradigm are immediately clear: expanded cloud attack surface, granting elevated access to another entity, and redefining your posture on insider threat are just the beginning. Yet, for some organizations the tradeoff in control is well worth the operational and cost savings proposed by this model.

    In this talk we’ll cover how this new deployment option differs from existing well-established integration patterns and scenarios where this deployment option can benefit your organization. Additionally, we will provide key considerations to keep in mind when considering this deployment option, and strategies for mitigating risk and maintaining security in both initial deployment stages and ongoing support.

    26 min
