| Follow @lancinimarco

Semgrep is an emerging static analysis tool which is getting traction within the AppSec community. Its broad support to multiple programming languages, together with the easiness with which is possible to create rules, makes it a powerful tool that can help AppSec teams scaling their efforts into preventing complete classes of vulnerabilities from their codebases.

But what about cloud security? In the era of Infrastructure as Code, where tools like Terraform, CloudFormation, Pulumi (and many others) are used to provision infrastructure from (de-facto) source code, can we apply the same approach to eradicate classes of cloud-related vulnerabilities from a codebase?

Ever since I started studying for OSCP in 2014, I started taking (technical) notes of everything I was learning in a OneNote notebook. Over the years, that OneNote notebook grew until it became a daily go-to point, and a sort of extension of my knowledge (since I tend not to rely on hard memory as much as I can).

Previous Articles

Tracking Moving Clouds: How to continuously track cloud assets with Cartography    MUST READ
So I Heard You Want to Learn Kafka    MUST READ
The Current State of Kubernetes Threat Modelling    MUST READ
Building a Serverless Mailing List in AWS
My Blogging Stack
Remote Development with a Chromebook in 2020
Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography    MUST READ
Cross Account Auditing in AWS and GCP    MUST READ
Introducing CloudSecList.com
Deploy Your Own Kubernetes Lab
Offensive Infrastructure: the HashiStack
Critical Vulnerability in Kubernetes API Server (CVE-2018-1002105)
Red Teaming Mind Map from The Hacker Playbook 3    MUST READ
My Arsenal of Cloud Native (Security) Tools
Hunt for and Exploit the libSSH Authentication Bypass (CVE-2018-10933)
So I Heard You Want to Learn Kubernetes    MUST READ
GoScan v2
Offensive Infrastructure: Introduction to Consul
Offensive ELK: Elasticsearch for Offensive Security    MUST READ
Robtex-Go: Go Client for the Robtex API
Introducing GoScan (aka a reason to learn Go)
Burp Pro as a Docker Container
Docker + Consul + Vault: A Practical Guide
Needle meets Jenkins: how to include Needle in your CI pipeline
Needle v1.0.0 released: new native agent and support for iOS 10
Needle V0.1.1 Released
iOS 9: Effective Jailbreak
Needle V0.0.4 Released
Needle Status Update
A quick intro to Needle
Introducing Needle