2017-09-11
Fascicle 1 is now content complete
Weighing in at aprox 550 pages incl Additional Resources and Attributions
- Added links to Network Security Interview between Kim Carter and Haroon Meer on Software Engineering Radio … to be released in a day or two
- Updated threat tags
- Code formatting changes
- Punctuation modifications
Cloud
Ready for technical review
Strong focus on AWS, although other CSPs discussed
50 Pages of content added
- Shared Responsibility Model: CSP Responsibility, CSP Customer Responsibility
- CSP Evaluation
- Cloud Service Provider vs In-house
- Skills
- EULA
- Giving up Secrets
- Location of Data
- Vendor lock-in
- Possible Single Points of Failure
- People Sec
- App Sec
- Net Sec
- Violations of Least Privilege
- Storage of Secrets
- Private Key Abuse: SSH, TLS
- Credentials and Other Secrets
- Entered by People
- Entered by Software: HashiCorp Vault, Docker secrets, Ansible Vault, AWS Key Management Service and Parameter Store
- Serverless
- Third Party Services
- Perimeterless
- Functions
- DoS of Lambda Functions
- Infrastructure and Configuration Management
Web Applications
- Updated OWASP Top 10 resources to 2017
- Added AWS WAF
Additional Resources
- Getting Secrets out of Docker images
- Password Managers For Business Use
- Many tooling options covered
Attributions
- Thinkst tools (Canary tools and tokens)
- DropboxC2C for Data Exfiltration, Infiltration
- Hosting providers forced to give up customer secrets
- Software Engineering Radio show on Network Security with host: Kim Carter, guest: Haroon Meer
- Docker Image layers
- AWS Lambda
Many other attributions added
Holistic Info-Sec for Web Developers (F1)(VPS, Network, Cloud, Web Applications)
Binarymist 
Leave a comment