So you’re using Terraform to deploy infrastructure in the cloud, and it all works beautifully… you’re done, right? Well, not quite! There’s one more very important step: scanning your Terraform code before you apply it, so that misconfigurations and security issues are caught while they are still code rather than deployed resources.
Chat with me
Discord: https://cybr.com/discord
Website: https://cybr.com
LinkedIn: https://www.linkedin.com/in/christophelimpalair/
Twitter: https://twitter.com/christophelimp
Links mentioned in the video:
- Repo used in the video: https://github.com/christophelimpalair/terraform-iac-scan-example
- Checkov: https://www.checkov.io/
- Terraform: https://www.terraform.io/
Courses
- Introduction to AWS Security: https://cybr.com/courses/introduction-to-aws-security/
- Intro to AWS Pentesting: https://youtu.be/IbqjtqTeyr0
Disclaimer
This video is strictly for educational purposes and to teach you how you can detect and mitigate threats in your or your employer's cloud environments. Learning about real threats, ethical hacking, and penetration testing is an important way of protecting ourselves against threat actors.
⏱ Timestamps:
00:00 - 00:16 - Intro
00:17 - 00:47 - What is Terraform?
00:48 - 01:20 - What you need
01:21 - 01:57 - About the demo and tools
01:58 - 02:15 - Install Checkov & Terraform
02:16 - 02:36 - Initializing Terraform
02:37 - 02:54 - Running Checkov
02:55 - 06:09 - Fixing the issues
06:10 - 08:15 - Custom Policies
08:16 - 09:31 - Restricting EC2 instance types
09:32 - 09:39 - Methods for running these checks
09:40 - 10:08 - Outro
#awssecurity #cloudsecurity #sast #iac #checkov #infrastructureascode #terraform #policyascode #policy #cybersecurity #securityassessment #aws
...
https://www.youtube.com/watch?v=o2NkK4w_ZbM
Learn how to enumerate AWS IAM, including gathering useful information about users, groups, roles, and policies. This skill is critical to learn and develop because enumeration is your starting point when performing AWS cloud security assessments. If you don’t know how the AWS environment is set up and configured, then you can’t effectively find issues that need to be fixed.
This is a free lab from Cybr that you can access with links below.
Resources
- Free Lab link: https://cybr.com/courses/introduction-to-aws-enumeration/lessons/lab-introduction-to-aws-iam-enumeration-2/
- Introduction to AWS Enumeration course: https://cybr.com/courses/introduction-to-aws-enumeration/
- AWS Security Cheat Sheet: https://cybr.com/tag/aws-security-cheat-sheets/
- Cloud security public repository: https://cloudsec.cybr.com/
- Cloud security community: https://cybr.com/discord
➡️ Get access to this lab with a free Cybr account: https://cybr.com
#aws #awscloud #cloudsecurity
...
https://www.youtube.com/watch?v=iF3her1Beuk
In this preview video from Cybr's Networking Fundamentals course, we talk about what networking switches are, and what primary purpose they serve.
If you'd like to build a networking foundation, check out our course: https://cybr.com/courses/networking-fundamentals
...
https://www.youtube.com/watch?v=sIeVEYAU8KI
If you’re not already familiar with it, AWS Identity and Access Management (IAM) is the service that controls who can authenticate to your AWS account and what they are authorized to do with your AWS resources, including CloudTrail resources.
If you don’t get your IAM configuration right, you leave your CloudTrail deployment vulnerable: a principal with more permissions than it needs (for example cloudtrail:StopLogging, cloudtrail:DeleteTrail or cloudtrail:UpdateTrail, or write access to the bucket that stores the logs) can switch off or tamper with the very audit trail you are relying on. So IAM is where we need to start when it comes to securing CloudTrail.
Because IAM is such a large and complex service, we’ll save a fuller explanation for a different course; for this lesson, let’s focus on what you need to know and do for CloudTrail specifically.
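The IAM enumeration description and the CloudTrail lesson above come down to the same question: once you have pulled an account's IAM details, which principals can actually do the dangerous things? The script below is an added example, not Cybr's lab or course code. It triages the JSON that `aws iam get-account-authorization-details` returns (the structure, including the URL-encoded documents the raw API hands back, is the real one; the account contents in SAMPLE_DETAILS are a constructed sample) and reports full administrators, principals that can stop or alter CloudTrail logging, and roles with a wide-open trust policy. All helper and function names are this example's own.

```python
"""Triage `aws iam get-account-authorization-details` output.

Added example, not the course's code. The JSON shape is the real CLI output;
SAMPLE_DETAILS is a constructed account used to demonstrate the checks.
"""
import fnmatch
import json
from urllib.parse import unquote

# IAM actions that can silence or tamper with CloudTrail (real action names).
CLOUDTRAIL_TAMPER = {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                     "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"}

def _as_list(value):
    """Action/Resource/Principal may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def decode_document(doc):
    """The CLI decodes policy documents; the raw API returns URL-encoded JSON strings."""
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc

def _allow_statements(doc):
    """Yield Allow statements that use Action (NotAction and Deny are out of scope here)."""
    for stmt in _as_list(decode_document(doc).get("Statement")):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            yield stmt

def _grants(stmt, action):
    """True if any Action glob in the statement ('*', 'cloudtrail:*', ...) covers `action`."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in _as_list(stmt["Action"]))

def _default_versions(details):
    """Map managed-policy ARN -> document of its default (active) version."""
    return {pol["Arn"]: ver["Document"] for pol in details.get("Policies", [])
            for ver in pol.get("PolicyVersionList", []) if ver.get("IsDefaultVersion")}

def effective_documents(details, entry):
    """Every policy document that applies to a user/group/role entry: inline policies,
    attached managed policies and, for users, everything their groups carry."""
    managed = _default_versions(details)
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    docs = [p["PolicyDocument"] for key in ("UserPolicyList", "GroupPolicyList", "RolePolicyList")
            for p in entry.get(key, [])]
    docs += [managed[a["PolicyArn"]] for a in entry.get("AttachedManagedPolicies", [])
             if a["PolicyArn"] in managed]
    for name in entry.get("GroupList", []):  # users inherit their groups' policies
        if name in groups:
            docs += effective_documents(details, groups[name])
    return docs

def _principals(details):
    for u in details.get("UserDetailList", []):
        yield "user/" + u["UserName"], u
    for r in details.get("RoleDetailList", []):
        yield "role/" + r["RoleName"], r

def _matches(details, entry, predicate):
    return any(predicate(st) for doc in effective_documents(details, entry) for st in _allow_statements(doc))

def find_full_admins(details):
    """Principals allowed Action '*' on Resource '*' anywhere in their effective policies."""
    admin = lambda st: "*" in _as_list(st["Action"]) and "*" in _as_list(st.get("Resource"))
    return sorted(n for n, e in _principals(details) if _matches(details, e, admin))

def find_cloudtrail_tamperers(details):
    """Principals that can stop, delete or reconfigure CloudTrail (full admins included)."""
    tamper = lambda st: any(_grants(st, a) for a in CLOUDTRAIL_TAMPER)
    return sorted(n for n, e in _principals(details) if _matches(details, e, tamper))

def find_open_trust_roles(details):
    """Roles whose trust policy lets any AWS principal assume them (Principal '*' or {'AWS': '*'})."""
    open_roles = []
    for r in details.get("RoleDetailList", []):
        for st in _allow_statements(r["AssumeRolePolicyDocument"]):
            pr = st.get("Principal")
            if pr == "*" or (isinstance(pr, dict) and "*" in _as_list(pr.get("AWS"))):
                open_roles.append("role/" + r["RoleName"])
                break
    return sorted(open_roles)

def _doc(action, resource="*"):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}

def _trust(principal):
    return {"Statement": [{"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}

SAMPLE_DETAILS = {  # constructed account, shaped like the real CLI output
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["admins"], "UserPolicyList": [], "AttachedManagedPolicies": []},
        {"UserName": "bob", "GroupList": [], "AttachedManagedPolicies": [],
         "UserPolicyList": [{"PolicyName": "ops", "PolicyDocument": _doc(["ec2:Describe*", "cloudtrail:StopLogging"])}]},
        {"UserName": "carol", "GroupList": ["readers"], "UserPolicyList": [], "AttachedManagedPolicies": []}],
    "GroupDetailList": [
        {"GroupName": "admins", "GroupPolicyList": [], "AttachedManagedPolicies": [
            {"PolicyName": "AdministratorAccess", "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
        {"GroupName": "readers", "AttachedManagedPolicies": [], "GroupPolicyList": [
            {"PolicyName": "s3-read",  # URL-encoded, as the raw API (not the CLI) returns it
             "PolicyDocument": "%7B%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22s3%3AGet%2A%22%2C%22Resource%22%3A%22%2A%22%7D%5D%7D"}]}],
    "RoleDetailList": [
        {"RoleName": "DeployRole", "AttachedManagedPolicies": [],
         "AssumeRolePolicyDocument": _trust({"AWS": "arn:aws:iam::123456789012:root"}),
         "RolePolicyList": [{"PolicyName": "trail", "PolicyDocument": _doc("cloudtrail:*")}]},
        {"RoleName": "OpenRole", "AttachedManagedPolicies": [], "RolePolicyList": [],
         "AssumeRolePolicyDocument": _trust("*")}],
    "Policies": [{"PolicyName": "AdministratorAccess", "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
                  "PolicyVersionList": [{"VersionId": "v1", "IsDefaultVersion": True, "Document": _doc("*")}]}],
}

if __name__ == "__main__":
    print("full admins:      ", find_full_admins(SAMPLE_DETAILS))
    print("can silence trail:", find_cloudtrail_tamperers(SAMPLE_DETAILS))
    print("open trust roles: ", find_open_trust_roles(SAMPLE_DETAILS))
```

Against a real account, replace SAMPLE_DETAILS with `json.load(open("details.json"))` where the file came from `aws iam get-account-authorization-details > details.json`. Note that the tamperer check resolves group membership and wildcard actions, so alice shows up through her group's AdministratorAccess policy and DeployRole through `cloudtrail:*`, which a plain grep for `StopLogging` would miss; Deny statements, NotAction and permission boundaries are deliberately not modelled, so treat the output as leads to verify, not as a final verdict.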
#awssecurity #cloudtrail #aws #awstraining #cybersecurity
...
https://www.youtube.com/watch?v=cIpnxNWZ9Hw
For the written version of this tutorial and for commands you can copy/paste, visit this blog post: https://cybr.com/app-data-security/how-to-set-up-the-dvwa-on-kali-with-docker/
In this video, we set up the Damn Vulnerable Web Application (DVWA) on Kali Linux with Docker, so that we don't have to install additional software and can easily spin containers up and down as needed. This is my preferred way of setting up web apps on localhost, as it is a lot faster and cleaner.
DVWA is meant to help you learn new skills and practice using tools against a vulnerable web application in a safe and legal environment. Do not deploy this application on any publicly facing server: it is designed to be vulnerable and will be compromised. When running it in Docker, publish its port on the loopback interface only (for example -p 127.0.0.1:80:80 rather than -p 80:80) so it is reachable from your own machine but not from the network.
...
https://www.youtube.com/watch?v=ll4NDoO_GvA
Welcome to this course on SQL injection attacks! In this course, we explore one of the biggest risks facing web applications today.
We start out by creating a safe and legal environment for us to perform attacks in. Then, we cover the core concepts of SQL and injections. After that, we learn SQL injection techniques with the help of cheat sheets and references. At that point, we start to gather information about our target in order to find weaknesses and potential vulnerabilities.
Once we've gathered enough information, we go full-on offensive and perform SQL injections both by hand and with automated tools. These attacks extract data such as tokens, emails, hidden products, and password hashes, which we then proceed to crack.
After successfully attacking and compromising our targets, we take a step back and discuss defensive controls at the network, application, and database layers. We also look at actual vulnerable code and show ways of fixing that vulnerable code to prevent injections.
Please note: Performing these attacks on environments you do not have explicit permission for is illegal and will get you in trouble. That is not the purpose of this course. The purpose is to teach you how to secure your own applications.
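The vulnerable-code-and-fix part of the course, as an added example that is not the course's own code: a login lookup written the injectable way next to its parameterised fix, run against an in-memory SQLite database so it needs nothing installed. The table, rows, payloads and the function names login_vulnerable/login_safe are constructed for this illustration.

```python
"""String-built SQL vs. bound parameters, demonstrated on SQLite.

Added example, not the course's code. Schema, rows and payloads are constructed.
"""
import hashlib
import sqlite3


def make_db():
    """Constructed sample: two users with unsalted SHA-256 hashes (demo only; a real
    application should use a slow, salted hash such as bcrypt or Argon2)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT, api_token TEXT)")
    for email, pw, token in [("admin@example.com", "admin-pass", "tok-admin-0001"),
                             ("alice@example.com", "hunter2", "tok-alice-0002")]:
        con.execute("INSERT INTO users (email, password_hash, api_token) VALUES (?, ?, ?)",
                    (email, hashlib.sha256(pw.encode()).hexdigest(), token))
    con.commit()
    return con


def login_vulnerable(con, email, password):
    """The 'before' code: user input is pasted into the SQL text, so a quote in the
    email field ends the string literal and the rest becomes SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT email, api_token FROM users WHERE email = '{email}' AND password_hash = '{pw_hash}'"
    return con.execute(sql).fetchall()


def login_safe(con, email, password):
    """The fix: placeholders. The driver sends the values separately, so the query
    structure is fixed before any input is seen and a quote is just a character."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT email, api_token FROM users WHERE email = ? AND password_hash = ?"
    return con.execute(sql, (email, pw_hash)).fetchall()


if __name__ == "__main__":
    con = make_db()
    payloads = {
        "auth bypass": ("admin@example.com' --", "wrong"),                     # comments out the password check
        "dump all rows": ("' OR 1=1 --", "x"),                                  # always-true condition
        "leak hashes": ("' UNION SELECT email, password_hash FROM users --", "x"),  # UNION pulls other columns
    }
    for name, (email, pw) in payloads.items():
        print(f"{name:14} vulnerable -> {login_vulnerable(con, email, pw)}")
        print(f"{name:14} safe       -> {login_safe(con, email, pw)}")
```

The third payload is the one that hands an attacker the password hashes the course goes on to crack: the injected UNION appends a second SELECT whose columns line up with the original two, so hashes come back in the api_token column. The same three inputs return nothing from login_safe, which is the whole point of the application-layer defence.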
Join Cybr's Discord: https://discord.gg/F9EYe7V
Cybr Courses: https://cybr.com/courses/
Pre-Requisites:
To understand how SQL injections work and how to perform them as well as defend against them, you must have:
- Experience working with web applications
- Experience with SQL
Suggestion: You may also wish to take our free Introduction to Application Security (AppSec) course (https://cybr.com/courses/introduction-to-application-security-appsec/) to familiarize yourself with the concepts of Application Security.
Timestamps:
About the course - 00:00 - 04:15
Setting up a safe & legal environment - 04:16 - 14:20
Getting started with OWASP ZAP - 14:21 - 18:41
SQL Concepts - 18:42 - 25:16
SQL Injections Explained - 25:17 - 35:27
SQL Injections Cheatsheets - 35:28 - 45:08
Information Gathering - 45:09 - 58:36
SQL Injections Hands-On - 58:37 - 01:14:41
SQL Injections with SQLMap - 01:14:42 - 01:23:29
Defenses at the Network Layer - 01:23:30 - 01:25:58
Defenses at the Application Layer - 01:25:59 - 01:37:49
Defenses at the Database Layer - 01:37:50 - 01:41:40
Ending Screen - 01:41:41 - 01:41:50
...
https://www.youtube.com/watch?v=fiq59DuhY68
Some of the #AWS #reinvent 2023 security updates that I'm most excited about and have been using nearly daily since they came out
This is part 1 of 3
...
https://www.youtube.com/watch?v=POuETPclY4g
What is SAST, and why do you need to know about it if you're writing any type of code? Here's a quick and simple explanation.
#SAST #applicationsecurity #cybersecurity #programming
...
https://www.youtube.com/watch?v=EQF-0Mu2e0k
What you need to know about AWS WAF in 59 seconds. For full details on how to get started with it, check out my video: https://youtu.be/aDW2NDUBAOw
For a full course on AWS security, check out my course: https://cybr.com/courses/introduction-to-aws-security/
#cloudsecurity #awssecurity #waf #webapplicationfirewall
...
https://www.youtube.com/watch?v=pBXcYA8eSbU