Building @SourceShield. Cloud Security EM @Stripe. Ex-Founder at @CloudSploit_, acquired by @AquaSecTeam. Ex-Adobe.
Nov 14, 2020 • 8 tweets • 3 min read
I know "serverless" is sometimes called out as a buzzword, but the model #AWS #Lambda introduced quite literally changed my career (and consequently, my life). (Thread)
A few years ago, I started an open source security auditing tool called CloudSploit. It got a lot of users, but many were asking me if I could offer a hosted version as an API (and they were willing to pay for it!).
Jan 2, 2020 • 9 tweets • 3 min read
I've been using #AWS for 8+ years now, so IAM is relatively second-nature to me. But I just sat down to explain it to someone new to AWS and... wow, it is a confusing service. (thread) #aws #cloud #security #cloudcomputing
First, we've got policies - what can the role do and what services can it access? Policies are JSON-based (although AWS added a "friendlier" UI recently, which honestly creates some really confusing output). Most common security mistake here: using wildcards.
Oct 14, 2019 • 12 tweets • 3 min read
Been thinking a lot about #cloud #security lately and I am starting to believe that the "shared responsibility model" is fundamentally broken. Securing a storage bucket or server in the cloud shouldn't be as difficult as it is. Thread...
The big providers advertise how easy it is to deploy infrastructure in the cloud, but they don't seem to talk about how easy it is to screw it up and lose half the country's SSNs because of an extra * in a JSON policy. It doesn't help that the default settings are rarely secure.