What We Discuss with Nick Frichette:
- 00:00 Introduction
- 02:38 snyk.io/csp
- 03:26 A bit about Nick
- 04:15 How is Security research different?
- 05:55 How to approach cloud security research?
- 07:24 How to pick the service you want to research?
- 08:51 What is AWS AppSync?
- 09:30 What is Confused Deputy Vulnerability?
- 10:16 The AppSync Vulnerability
- 12:09 Cross Account in AWS
- 13:41 Blue Teaming Controls when doing research
- 14:22 Framework for detective controls
- 16:01 What to do if you find an AWS vulnerability?
- 17:20 Legal constraints of security research
- 20:13 Where to get started in Cloud Security Research?
- 22:45 Are some misconfigurations becoming less common?
- 24:59 What is IMDSv2 and how is it different to IMDSv1?
- 27:00 Why is SSRF bad?
- 28:52 Cloud Pentesting Platforms
- 29:57 The story being hacking the cloud
- 31:25 Who should think about breaking the cloud?
- 34:02 Cloud Security Research Tools
- 36:38 How to access AWS environment for research?
- 39:12 Security Lab Resources
- 40:04 The Fun Questions
THANKS, Nick Frichette!
If you enjoyed this session with Nick Frichette, let him know by clicking on the link below and sending him a quick shout out at his website:
Click here to thank Nick Frichette!
Click here to let Ashish know about your number one takeaway from this episode!
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at email@example.com.
Resources from This Episode
- Nick’s Personal Website – https://frichetten.com/
- Hacking the CloudHack the box
- Sad Cloud
- Cloud Goat
- AWS Goat