The RunAsCloud Blog

  • Sean McDonnell
    An Interview with Tricia Ferreira, VP, Technology Product Management at World Fuel Services – on asking the right questions, leveraging expert resources, and inspiring innovation. Originally from Trinidad & Tobago, Tricia moved to the United States and studied Computer Science at FIU. She moved to Atlanta and held prominent leadership positions in Technology at GE. About five years ago she moved back to Miami and assumed a Business Information Officer role at World Fuel Services, Read More
  • Nate Aiman-Smith
    In two previous articles, I described how the Capital One breach took advantage of an EC2-specific function to obtain AWS credentials which were then used to obtain multiple files containing sensitive information.  If you haven’t already done so, I’d encourage you to read parts one and two before continuing. You might also want to pull up the complaint for reference; the juicy bits describing the attack are on pages 6-8. In this final installment of the article, I’ll describe Read More
  • Nate Aiman-Smith
    In a previous post, I mentioned that the attack vector for the Capital One breach specifically targeted an EC2 feature. In this post, I’ll give my educated guesses about how the attack actually worked. [Note 1: if anyone happens to have any of the contents of the original gist then I’d love to get a look at it to confirm these guesses – until then I’m going to draw my conclusions from the text of the complaint] Read More
  • Nate Aiman-Smith
    There’s been a ton of coverage of the recently discovered Capital One breach. I’m generally very skeptical when AWS security makes the news; so far, most “breaches” have been a result of the customer implementing AWS services in an insecure manner, usually by allowing unrestricted internet access and often overriding defaults to remove safeguards (I’m looking at you, NICE and Accenture and Dow Jones!).  Occasionally, a discovered “AWS vulnerability” impacts a large number of applications in AWS – and it Read More
  • Sean McDonnell
    Yubi what? A YubiKey is a Yubico hardware authentication device designed to achieve secure 2-factor authentication (2FA) for online services like AWS, computer logins, developer tools, password managers and other important data. The YubiKey combines hardware-based authentication and public key cryptography to eliminate account takeovers and provides the extra security you need. YubiKeys were created by Yubico, a private company founded in 2007 by CEO Stina Ehrensvärd. They currently have offices in Palo Alto, Seattle, and Read More
  • Jake Berkowsky
    Every morning I try to follow a checklist that I wrote. I read over resumes, check out PRs, check my email accounts, etc… One critical thing I do (or did) was check to see who forgot to log their hours from the day before (or who left the timer running). Since we are a consultancy, it’s important not only that we log our hours, but that we log them correctly, and if we catch ourselves Read More
  • Cai Walkowiak
    AWS re:Inforce 2019, the first security-focused AWS event, was held at the Boston Convention and Exposition Center, an incredible 516,000 sq ft, modern-art, well-architected venue of steel and glass. The event occupied 4 floors with ground 0 being the main expo of vendor booths, buffet lunch, and breakfast meals. They kept the same AWS feel of their other events. This was a common experience in their organization, keeping the registration process clean and clear with early Read More
  • Jake Berkowsky
    As a consultant, I tend to work with a variety of clients and teams all across the product maturity spectrum. Some are just starting; maybe they have an MVP, maybe they are still building it. Others have existed in their space for years. Typically, when I get called into projects, the product maturity is on one extreme of the spectrum. DevOps maturity, on the other hand, tends to follow a different distribution with most DevOps Read More