fwd:cloudsec is a cloud security conference for advanced cloud security practitioners hosted by a non-profit run by well-respected people in the cloud security community. The crowd consists of so many talented engineers, practitioners, and researchers that it’s almost unfathomable, especially when it comes to security for AWS and GCP. This results in an inspiring atmosphere for all. Hopefully, the Azure crowd will also increase in the coming years.
Almost all of the talks will be posted on YouTube, so I thought it could be a good idea to create a small recap of the talks we attended to help guide readers on which talks to prioritize catching up on. First of all, I would just like to say that none of the talks I went to were bad, so given time, watch any talk you find interesting. And shoutout to the team behind fwd:cloudsec. Thank you for the effort you put into creating the single best cloud security conference in the world.
This is in no way a ranking nor a scorecard, simply the notes I made while attending the conference. The schedule was pretty AWS-heavy, but looking at my notes, I have a lot of actionable takeaways for GCP. That fits me quite well, as my exposure to GCP is increasing by the day.
Day 1
Before the talks, we went to IHOP to do a real touristy thing. Great choice. With approx 2k kcals consumed, we were ready for a full day of talks, although we were feeling the jetlag quite heavily. If you get all the way through the blog, you’ll see that my notes got shorter and shorter as we got later into the day.
So, over to the talks:
“Beyond the AWS Security Maturity Roadmap” by Rami McCarthy.
Summary: The talk went through a broad set of topics a company could focus on after Scott Piper's “AWS Security Maturity Roadmap”, centered around Buy vs. Build vs. Adopt, with guidance on “Recommended” vs. “Not Recommended”.
My notes from the talk:
- Not everyone is Netflix, and doing what Netflix does might not be right for all😌
- Secure IaC modules:
  - Commoditize secure architecture
- Secrets management:
  - Focus on developer experience for adoption
- Automated remediations: maybe not?
  - Learning disappears
Key takeaways:
- “Do not let CSPM findings dictate your security program”
- A lot of the advice was applicable even in immature environments in my opinion.
“IMDS: The Gatekeeper to Your Cloud Castles (And How to Keep the Dragons Out)” by Liv Matan and Lior Zatlavi
Summary: A broad and comprehensive comparison of IMDS across the three major CSPs, how to secure the IMDS, and how to abuse it.
My notes from the talk:
- An interesting point about the shared responsibility model (SRM): CSPs are not held responsible for poor/insecure defaults
- After this talk, I'll have a deeper look into the default service accounts in the GCP environments
Key takeaway:
- “The devil is in the defaults”
“Vulnerabilities and Misconfigurations in GitHub Actions” by Rojan Rijal
Summary: A walkthrough of three vulnerabilities/misconfigurations in GitHub Actions and mitigating actions.
My notes from the talk:
- Controlling user input
- Workflow hijack (namespace takeover)
- OIDC to AWS config errors
- Some very concrete advice to improve the security of GitHub Actions (GHA):
  - Commit hash pinning
  - Monitor build logs
Key takeaway:
Lots of errors to be made. Be attentive when configuring pipelines.
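The “OIDC to AWS config errors” note above, as an added example (not the speaker's code): a simplified evaluator for an IAM role trust policy, showing that a policy which checks only the audience claim accepts a GitHub Actions token from any repository, while one that also pins the sub claim to one repo and branch does not. The account id, org and repo names are placeholders, and the evaluator handles only Allow statements with StringEquals/StringLike conditions.

```python
import re

# Constructed trust policies for illustration (not from the talk). The weak one checks only the
# audience claim, so a token minted for any GitHub repository on github.com satisfies it.
_PROVIDER = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"  # placeholder account id
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": _PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}}]}
# The hardened one additionally pins the subject to one repository and one branch.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": _PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
                  "StringLike": {"token.actions.githubusercontent.com:sub":
                                 "repo:example-org/example-repo:ref:refs/heads/main"}}}]}

def _iam_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def _condition_holds(condition, claims):
    """Every operator/key pair must match; a claim missing from the token fails the condition."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            actual = claims.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in allowed
            elif operator == "StringLike":
                ok = any(_iam_like(p, actual) for p in allowed)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True

def can_assume(policy, sub):
    """Simplified evaluator: does any Allow statement for AssumeRoleWithWebIdentity admit this sub?"""
    claims = {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
              "token.actions.githubusercontent.com:sub": sub}
    return any(stmt["Effect"] == "Allow" and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
               and _condition_holds(stmt.get("Condition", {}), claims)
               for stmt in policy["Statement"])

OWN_MAIN = "repo:example-org/example-repo:ref:refs/heads/main"    # the pipeline the role is meant for
OWN_PR = "repo:example-org/example-repo:pull_request"             # same repo, but a pull_request run
OTHER_REPO = "repo:some-other-org/unrelated-repo:ref:refs/heads/main"  # any unrelated repository
```

Running the three subjects through both policies shows the weak policy admitting OTHER_REPO, while the hardened policy admits only OWN_MAIN and rejects even the repo's own pull_request runs.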
“Google Cloud Threat Detection: A Study in Google Cloud” by Day Johnson
Summary: Known and unknown attacks against GCP Environments and how to detect them.
My notes from the talk:
- Find the blog (editor's note: found it)
- Once again, the default SA with the Editor role in GCP popped up
- Tidbit: one of the detections (external principal made GCP Project Owner) caught my eye. I went back and checked a GCP threat model I made with a customer and found that we had modeled a very similar threat with our intermediate GCP knowledge
- Would have liked to hear more about the process of “finding”/inducing unknowns
Key takeaway:
The detections. Very actionable talk. Can go straight to implementation for some of the detections.
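The “external principal made GCP Project Owner” detection from the note above, as an added example in Python (not the speaker's code): it runs over constructed Cloud Audit Log entries for SetIamPolicy and alerts on any ADD of a watched role to a member outside the organization. ORG_DOMAINS, ORG_PROJECTS and the sample entries are assumptions, and the entries carry only the fields the detection reads.

```python
ORG_DOMAINS = {"example.com"}              # assumption: the organization's own identity domains
ORG_PROJECTS = {"prod-123", "shared-svc"}  # assumption: project ids whose service accounts count as internal

# Constructed Admin Activity audit-log entries in the shape Cloud Resource Manager writes for
# SetIamPolicy (bindingDeltas under protoPayload.serviceData.policyDelta); trimmed to what is read.
SAMPLE_LOG = [
    {"timestamp": "2023-06-12T18:01:00Z", "resource": {"labels": {"project_id": "prod-123"}},
     "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/owner", "member": "user:alice@example.com"}]}}}},
    {"timestamp": "2023-06-12T18:02:00Z", "resource": {"labels": {"project_id": "prod-123"}},
     "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/owner", "member": "user:bob@gmail.com"},
                          {"action": "ADD", "role": "roles/editor", "member": "serviceAccount:deploy@other-proj.iam.gserviceaccount.com"},
                          {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@gmail.com"}]}}}},
]

def member_is_external(member):
    """True for principals outside the org: public principals, foreign domains, foreign-project SAs."""
    kind, _, ident = member.partition(":")
    if kind in ("allUsers", "allAuthenticatedUsers"):
        return True
    if kind == "serviceAccount":
        _, _, host = ident.partition("@")            # <project>.iam.gserviceaccount.com
        return host.split(".", 1)[0] not in ORG_PROJECTS
    if kind == "domain":
        return ident not in ORG_DOMAINS
    return ident.rsplit("@", 1)[-1] not in ORG_DOMAINS  # user: and group: members

def detect_external_grants(entries, watched_roles=("roles/owner",)):
    """Return one alert per ADD of a watched role to an external member in a SetIamPolicy entry."""
    alerts = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if (delta.get("action") == "ADD" and delta.get("role") in watched_roles
                    and member_is_external(delta.get("member", ""))):
                alerts.append({"time": entry.get("timestamp"),
                               "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
                               "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                               "member": delta["member"], "role": delta["role"]})
    return alerts
```

With the default watch list only the owner grant to the gmail.com user fires; widening watched_roles to include roles/editor also catches the foreign-project service account, which is the same default-Editor-role concern the note raises.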
“A Year of NO: building organizational IAM guardrail policies that work” by Noam Dahan
Summary: The title says it all.
My notes from the talk:
- Nice outline of a process to build guardrails:
  - Identify need
  - Construct guardrail
  - Test against logs (actual usage of the environment up to this point)
  - Detect violations
  - Close weak points in the policy
- Good detail on different guardrail mechanisms available in GCP
Key takeaway:
The above-mentioned process to build guardrails.
“gVisor: The Future of Container Security” by Andy Nguyen
Summary: Architecture, platforms, and security boundaries for gVisor.
Did not take any notes during this talk as I had to focus 100% on the talk. It's a good idea to attend talks a bit outside your wheelhouse to expand your horizons.
Key takeaway:
“No single vulnerability should compromise the host” - for most workloads, this should be the security mantra with s/host/system/
At this point, our jetlag got the best of us, and we needed an extended break, so we went for a short walk, a quick beer at the local Buca di Beppo, and a quick trip to Target to stock up on Red Bull before heading back. We underestimated jetlag when flying this far.
“Scanning the Internet for external Cloud exposures” by Nir Ohfeld and Hillai Ben-Sasson
Summary: a demonstration of what misconfigured services can be found on the internet and the scale of the issue.
My notes from the talk:
- Badass slide (editor's note: a slide with all the vulns these guys had on their track record to start the talk)
Key takeaway:
Never got the feeling of “Oh shit, I have to check that when I get back”, so I guess that's good.
“Operationalizing GCP’s Asset Inventory for Cloud Enlightenment” by Randy Heins and Jeffery Zhang
To be pretty honest, my cognitive capabilities were pretty limited due to the jetlag at this point, so I don't really have a lot of notes. I remember the talk was interesting and inspiring. Sorry to the speakers for the short summary.
The rest of the talks were “Birds of a Feather”-talks so they won't be posted, and I won't summarize them here.
After the last talks for the day, a small afterparty took place. No need to write minutes from the afterparty, but it was a good night that ended with a walk to the closest Taco Bell to get a Crunchwrap supreme and Doritos Locos tacos.
Day 2
“How Citi advanced their containment capabilities through automation” by Damien Burks and Elvis Veliz
Summary: Why and how Citi wrote a tool on AWS to enable IR of AWS-based resources.
My notes from the talk:
- Automation of containment and forensics collection runbooks
- A smart approach to enable Security to perform “operational” activities without having to assign operational roles/privileges to security people
- Open sourced soon, maybe?
Key takeaway:
Inspiration and ideas on what to do and how to do it.
“Tales From the Sewer: A Plumber’s View of Building a Data Security platform” by Christopher Webber
Summary: Lessons learned and edge cases running workloads on AWS. If you're in AWS Ops this is a must-watch.
My notes from the talk:
- The best slide deck of the conference
- Interesting AWS “edge cases”
Key takeaway:
Empathy with Ops people. We are in it together.
“Helping developers drink from a champagne flute and not a firehose when it comes to cloud security” by Tyson Garrett and Jason Nelson
Summary: TrustOnCloud (vendor) summary of their service, then how the Citi threat modeling team learns from using them.
My notes from the talk:
- Cloud Service Threat Models As a Service
- How Citi built a Threat Modeling Program centered around a Threat Modeling team (scale not comparable in the markets I operate :) )
- This is probably the talk I have the most feelings about.
- Would like to try out the “apply generic threat models procured externally to our context and threat landscape”-approach before I believe it
- Wish the speakers would have gone more into infrastructure / business logic / application interfaces and how they threat model. Multiple models? Different perspectives?
- Shared responsibility internally:
  - What is dev responsibility, what is platform/SRE/infra responsibility
  - Maybe one of the most important discussions to have, IMO. Great point
Key takeaway:
“Good security ensures compliance, compliance does not ensure good security”
“Billions Served: Processing Security Event Logs with the AWS Serverless Stack” by Josh Liburdi
Summary: Challenges, best practices, and secrets on building large-scale data processing for security with the AWS Serverless stack.
My notes from the talk:
- I do not know enough about data engineering
- “Most people end up as data engineers if you work in security operations”
- The intro was short, sweet, and to the point about ETL and how security platforms often look in this regard
Key takeaway:
Reading the blog and seeing the talk when it's posted is highly recommended.
IR Gameday
- Teamed up with Karim, Noha (prev IR at Unit 42 and now at Google Cloud), and Sebastian (IR at Crowdstrike)
- I was a liability to the team and just watched
- Shoutout to Rich et al. for fighting through the us-east-1 outage as the IR-gameday was just starting
State of the Union by Scott Piper
- A very interesting session that evolved into more of a discussion, with almost all fwd:cloudsec organizers fielding questions
- Confirmed the feeling that fwd:cloudsec is by the community, for the community
- Crossing my fingers that a fwd:cloudsec Europe might become a thing next year
Summary
fwd:cloudsec is a must-go if you can. Check out the scholarship if you are a student or a self-taught cloud security practitioner. I have a list of actionable takeaways to deal with when I get back, and meeting the whole cloud security community is the icing on the cake. Talking, discussing and making new friends 🙂 Below you will find a collection of pictures from our trip. Remember: O3C is hiring.
Note: Shake Shack vs. In-N-Out was not even a fair fight. Shake Shack 7 out of 7 days of the week.