CSP Author

Analyzing access to S3 buckets

A robust AWS incident response plan tends to begin with CloudTrail. CloudTrail is a tool that enables insight into events that occur within the AWS account. It is the first step in investigating a breached account and generally provides a wealth of information. In many cases, however, CloudTrail will not answer all of the questions. Recently, during an Incident Response engagement, we were tasked with understanding the actions that a Threat Actor (“TA”) took inside an AWS account. We quickly en

Software Bill of Materials: Understanding What You’re Actually Running

Software keeps getting more complicated. To speed up the development of new applications or features, we regularly import libraries for complex or tedious tasks that we would rather not do ourselves: database connectors, web application frameworks, serialization libraries. The list of tools we need to remain highly productive goes on. And as we import libraries, they may import their own dependencies, called transitive dependencies. This creates additional bloat and additional risks to our

Preventing Overreliance: Proper Ways to Use LLMs

LLMs have an uncanny ability to solve problems in a wide variety of domains. Unfortunately, they also have a tendency to fail catastrophically. While an LLM may be able to provide accurate responses 90% of the time, due to nondeterministic behavior, one must be prepared for cases when it gives blatantly wrong or malicious responses. Depending on the use case, this could result in hilarity or, in very bad cases, security compromises. In this blog post, we’ll talk about #9 on th

Ignore Previous Instruction: The Persistent Challenge of Prompt Injection in Language Models

Prompt injections are an interesting class of emergent vulnerability in LLM systems. They arise because LLMs are unable to differentiate between system prompts, which are created by engineers to configure the LLM’s behavior, and user prompts, which are created by the user to query the LLM. Unfortunately, at the time of this writing, there are no total mitigations (though there are some guardrails) for Prompt Injection, and this issue must be architected around rather than fixed. In this blog post, we will

Introduction to LLM Security

In the dynamic world of AI today, Large Language Models (LLMs) stand out as one of the most interesting and capable technologies. The ability to answer arbitrary prompts has numerous business use cases. As such, they are rapidly being integrated into a variety of different applications. Unfortunately, there are many security challenges that come with LLMs that may not be well understood by engineers. Here at Cloud Security Partners, we’ve performed several engagements on applications that integ

Don't let your containers escape! Update runc & Docker Now!

TL;DR: Update runc and associated software (such as Docker) to the latest version to address several container breakout vulnerabilities. The security research team at Snyk recently disclosed vulnerabilities in runc <= 1.11.11, which can result in container escapes. Container escaping allows for access to the host operating system, reducing the security boundary of the container runtime. These vulnerabilities could be exploited through the execution of a malicious image or by building an image w

OIDC for GitHub Actions

At Cloud Security Partners, we perform a lot of code reviews and Cloud Security Assessments. During these engagements, we see many different CI/CD patterns that cause us to raise our eyebrows. One situation in particular that we encounter relatively often is the unsafe use of AWS credentials. The CIS Benchmark for AWS indicates that Access Keys must be rotated every 90 days. And generally, IAM users should be avoided; roles should be used instead. OpenID Connect is an authentication standard

LASCON Recap - Infrastructure as Code

Recently, we had the privilege of participating in and sponsoring the Lonestar Application Security Conference (LASCON). Our CEO, Michael McCabe, and Ken Toler delivered a training session and a talk on exploiting Terraform for remote code execution; both received a fantastic turnout. In between operating our booth, we had the opportunity to attend some insightful talks. During the event, one presentation that stood out was delivered by Bug Bounty and focused on how to manage a bug bounty progr

RDS Revealed? Time to Give It Some Shade!

By: John Poulin

At Cloud Security Partners, we have audited thousands of customer AWS accounts as part of our security reviews. Across our customers, roughly 5% of the AWS Relational Database Service (RDS) instances we analyze are publicly accessible. A general rule of thumb across the security industry is that resources generally should not be directly accessible on the Internet, especially databases. More often than not, resources can be deployed behind controls, such as Load Balancers, Priva

Exploring Amazon Athena in Incident Response: A Practical Approach

Recently, our team was pulled into an incident response engagement. As part of the breach investigation, we needed to review months of extensive nginx log files stored on Amazon S3 to determine an application issue causing data leakage. Complicating matters, we had no access to our traditional SIEM tools, prompting us to explore alternative solutions. We explored leveraging Amazon Athena to directly query the logs stored in S3. The post will showcase Amazon Athena's relevance in Incident Respon
