Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines and Beyond

fwd:cloudsec via YouTube

Overview

Explore a 24-minute conference talk from fwd:cloudsec Europe 2024 on the security vulnerabilities of policy-as-code engines and Infrastructure-as-Code (IaC) domain-specific languages (DSLs). Learn how attackers can potentially abuse policy and IaC languages such as Open Policy Agent (OPA) Rego and Terraform HCL to compromise cloud identities, move laterally, and exfiltrate sensitive data. Discover novel malicious techniques, including DNS tunneling in DSLs, and examine the results of scans performed on the public Terraform registry to assess current threats. Gain insights into detection rules and best practices for defending against these vulnerabilities. The presenter, Senior Security Researcher Shelly Raban, draws on her extensive background in cybersecurity, threat hunting, and cloud security research at Tenable to present findings from this investigation into the security implications of running arbitrary policies on the policy engines that govern modern cloud applications and Kubernetes platforms.

Syllabus

Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines […] ~ Shelly Raban

Taught by

fwd:cloudsec
