| Follow @lancinimarco | Subscribe to CloudSecList

Writing

official page
I curate CloudSecDocs.com, a website collecting and sharing my technical notes and knowledge on cloud-native technologies, security, technical leadership, and engineering culture, updated weekly with the best picks from CloudSecList.
official page blog
I curate CloudSecList.com, a newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape.
Knowing how difficult it is to stay up to date with all the different news and releases occurring in this industry, I hope this will be helpful for other people who are particularly interested in this corner of the security scenario.

If you are interested in sponsoring CloudSecList, please refer to the Sponsor page.
Technical reviewer of:

Projects

official page blog
A framework to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based, offering, aligned with NIST and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).
source code
Terraform module that automates the setup of roles and users needed to perform a security audit of AWS accounts in an Hub and Spoke model, as described in Cross Account Auditing in AWS and GCP.

In short, this module can be used to create:
  1. One role ("role_security_audit") in every AWS account (Hub + all the Spoke ones), with the built-in "SecurityAudit" policy attached to it.
  2. One role ("role_security_assume"), in the Hub account, able to assume the "role_security_audit" role on all the Spoke accounts.
  3. One IAM user ("user_security_audit"), in the Hub account, able to assume the "role_security_assume" role.
official page
I am a member of the CNCF Security Technical Advisory Group (STAG), which facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem.

I have also been:
blog source code
k8s-lab-plz is a modular Kubernetes lab which provides an easy and streamlined way to deploy a test cluster (on minikube or baremetal) with support for different components.

Currently supported components are:
  • Vault
  • ELK (Elasticsearch, Kibana, Filebeats)
  • Metrics (Prometheus, Grafana, Alertmanager)
  • Kafka (Kafka, Zookeeper, KafkaExporter, Entity Operator)
  • Cartography
  • Istio
  • Gatekeeper
  • Falco
  • ...
Resources:
       Introducing k8s-lab-plz: A modular Kubernetes Lab
       Kubernetes Lab on Baremetal
       Automating Cartography Deployments on Kubernetes
official page
I have been part of the CNCF committee tasked with creating the Certified Kubernetes Security Specialist (CKS) Certification.

The CKS program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
Media:
       Certified Kubernetes Security Specialist (CKS) Coming in November
       New Kubernetes Security Specialist Certification to Help Professionals Demonstrate Expertise in Securing Container-Based Applications
       CNCF - Kubernetes Security Specialist Certification Now Available
       Linux Foundation - Kubernetes Security Specialist Certification Now Available
source code
Kritis is an open-source solution for securing the software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API and Grafeas.

As part of my contribution, I've helped shipping version 0.2.0, and added support for separating attestations into different GCP projects for images and "AttestationAuthority".
Resources:
       Kritis 0.2.0 Release
source code
I am a maintainer of Cartography, a Python tool that consolidates infrastructure assets and the relationships between them in a graph view powered by a Neo4j database.

As part of my involvement, I'm actively helping define the long-term roadmap for Cartography, as well as contributing new features and focusing on improving its reliability and speed.
Resources:
       📃 [BLOG] Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography
       📃 [BLOG] Tracking Moving Clouds: How to continuously track cloud assets with Cartography
       📃 [BLOG] Automating Cartography Deployments on Kubernetes
       🎤 [TALK] Cartography: using graphs to improve and scale security decision-making
       🎬️ Cartography OSS meetings - Youtube Channel
       📕️ Cartography Meeting Minutes
blog source code
GoScan is an interactive network scanner client, featuring auto-completion, which provides abstraction and automation over nmap.

Although it started as a small side-project I developed in order to learn @golang, GoScan can now be used to perform host discovery, port scanning, and service enumeration not only in situations where being stealthy is not a priority and time is limited (think at CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements.

GoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of 'screen', etc.), given that it fires scans and maintain their state in an SQLite database. Scans run in the background (detached from the main thread), so even if connection to the box running GoScan is lost, results can be retrieved asynchronously. That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong.

In addition, the Service Enumeration phase integrates a collection of other tools (e.g., EyeWitness, Hydra, nikto, etc.), each one tailored to target a specific service.
blog source code
Offensive ELK is a custom Elasticsearch setup, aiming to show how traditional “defensive” tools can be effectively used for offensive security data analysis, helping your team collaborate and triage scan results.
In particular, Elasticsearch offers the chance to aggregate a multitude of disparate data sources, query them with a unified interface, with the aim of extracting actionable knowledge from a huge amount of unclassified data.
official page source code twitter
Needle is an iOS Security Testing Framework, released at Black Hat USA in August 2016. It is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so.
Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.

The release of version 1.0.0 provided a major overhaul of its core and the introduction of a new native agent, written entirely in Objective-C. The new NeedleAgent is an open source iOS app complementary to Needle, that allows to programmatically perform tasks natively on the device, eliminating the need for third party tools.

Needle has been presented at and used by workshops in various international conferences like Black Hat USA/EU, OWASP AppSec and DEEPSEC.

It was included by ToolsWatch in the shortlist for the Top Security Tools of 2016, and it is featured in the OWASP Mobile Testing Guide. It reached #3 on Netsec, the first page of Hacker News, and it was trending on Github.
Talks:
       BlackHat Arsenal USA 2016
       OWASP AppSec USA 2016
       BlackHat Arsenal EU 2016
       BlackHat Arsenal USA 2017
Workshops:
       DEEPSEC 2016
official page
The Offensive iOS Exploitation workshop is an exercise-driven training course that uses detailed tutorials to guide the attendees through all the steps necessary to exploit a real iOS application, and in the process, provide them an understanding of the modern attacker's mind-set and capabilities. The course cover iOS hacking, from the basics of vulnerability hunting on the platform to advanced exploitation techniques. In addition, this workshop use MWR's newly released "Needle" to identify and exploit all the common mobile application security flaws, over and above the OWASP Mobile Top Ten.

At its conclusion, it will have imparted the information necessary to develop secure and robust applications. Other take-aways will include how to develop secure mobile applications that can withstand advanced attacks, how hackers attack mobile applications and iOS devices, and the most up to date and effective secure coding practices.
Workshops:
       DEEPSEC 2016
I've been involved in the OWASP Project. Over the years I contributed to projects like the Web Application Top 10 and the Mobile Security Testing Guide.
slides Book
We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information. We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
Awards:
       NATO CCDCOE Best Student Thesis Award, as the best thesis published on cyber defence topics. Awarded during the International Conference on Cyber Conflict (CyCon 2014), Tallinn
       'Innovation in Information Security' Thesis Award (Premio Tesi Clusit: 'Innovare la sicurezza delle informazioni'), as the 2nd best thesis published in Italy in 2013. Awarded during the Security Summit 2014, Milan
Papers:
       All Your Face Are Belong to Us: Breaking Facebook's Social Authentication (ACSAC 2012)
       Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication (CCS 2014)
       Social Authentication: Vulnerabilities, Mitigations, and Redesign (DEEPSEC 2014)
Talks:
       CyCon 2014
       DEEPSEC 2014

Conference Talks

slides video
At Cloud Native Security Day North America 2020, colocated with KubeCon + CloudNativeCon North America 2020, Alex Chantavy and I presented a talk which highlights using Cartography to improve and scale security decision-making in cloud-native environments.
Conference:
       Cloud Native Security Day North America 2020, Virtual.
Media:
       Cloud Native Security Day North America 2020
       Thought Machine on LinkedIn: Cloud Native Security Day North America 2020: Cartography: using graphs
slides
Needle's progress was shown at Black Hat USA, with a live demo of its capabilities.
Conference:
       Black Hat Arsenal USA, Las Vegas, USA.
Media:
       Arsenal Lineup (Tools Watch)
Pushing the iPhone through the eye of a needle, an introduction to MWR's iOS Security Testing Framework
Conference:
       MWR Briefing, London, UK
The first iteration of the "Offensive iOS Exploitation" workshop has been delivered at DEEPSEC 2016.
Conference:
       DEEPSEC, Vienna, Austria
Media:
       Syllabus
       DEEPSEC Promotion (DEEPSEC - 04 September)
slides
Needle's progress was shown at Black Hat EU, with a live demo of its capabilities.
Conference:
       Black Hat Arsenal EU, London, UK.
Media:
       Arsenal Lineup (Tools Watch)
slides video
Needle's architecture, capabilities and roadmap have been presented at AppSec USA. During the talk it was also demonstrated how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (with a demo of the tool in action).
Conference:
       OWASP AppSec USA, Washington DC, USA.
Media:
       MWR LABS Publication
Needle has been publicly released Black Hat USA, with a live demo of its capabilities.
Conference:
       Black Hat Arsenal USA, Las Vegas, USA.
Media:
       Arsenal Lineup (ToolsWatch)
       Black Hat Promotion, Twitter (Black Hat - 23 July)
       Black Hat Promotion, Facebook (Black Hat - 23 July)
       Needle iOS security testing tool to be unveiled at Black Hat Arsenal (Help Net Security - 01 August)
       Black Hat USA Photo Gallery (Help Net Security - 04 August)
       A quick intro to Needle (MWR Labs - 17 August)
slides
At BSides Vienna 2014, Roberto Puricelli and me delivered a talk based on Androrat++, a proof-of-concept mobile malware.
Conference:
       BSides Vienna, Vienna, Austria.
slides video PDF BibTeX
At DEEPSEC 2014 I delivered a talk based on my Master Thesis: "Social Authentication: Vulnerabilities, Mitigations, and Redesign". In addition, an excerpt of the work has been published by the Magdeburger Institut für Sicherheitsforschung in the volume "In Depth Security - Proceedings of the DeepSec Conferences" of the Magdeburger Journal zur Sicherheitsforschung.
Conference:
       DEEPSEC, Vienna, Austria
slides video
At CYCON 2014 I delivered a talk based on my Master Thesis, for which I won the NATO's Best Thesis Award as the best thesis published on cyber defence topics.
Conference:
       International Conference on Cyber Conflict (CyCon), by NATO CCDCOE (Cooperative Cyber Defence Centre of Excellence), Tallinn, Estonia
Session:
       Student Paper Session with Best Student Thesis Award

Conference Papers

Book
The article I submitted and presented at DEEPSEC 2014 has been published in the "In Depth Security (Proceedings of the DeepSec Conferences)" book.
slides video PDF BibTeX
At DEEPSEC 2014 I delivered a talk based on my Master Thesis: "Social Authentication: Vulnerabilities, Mitigations, and Redesign". In addition, an excerpt of the work has been published by the Magdeburger Institut für Sicherheitsforschung in the volume "In Depth Security - Proceedings of the DeepSec Conferences" of the Magdeburger Journal zur Sicherheitsforschung.
Conference:
       DEEPSEC, Vienna, Austria
PDF BibTeX ACM
Conference:
       Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS), Scottsdale, AZ. (acceptance: 19.4%)
Authors:
       Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, Angelos D. Keromytis
PDF BibTeX ACM
Conference:
       Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), Orlando, FL. (acceptance: 19%)
Authors:
       Iasonas Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos D. Keromytis and Stefano Zanero
Subsequent Talks:
       Hek.SI 2013 (Ljubljana, Slovenia)
       HackCon 2013 (Oslo, Norway)
       Also covered by ComputerWorld

About

Hi, I'm Marco Lancini. I'm a Security Engineer, mainly interested in cloud native technologies, security, and technical leadership...  [read more] 

Buy me a coffeeBuy me a coffee

Sponsor

CloudSec* Projects

 CloudSecList
CloudSecBooks CloudSecDocs

Collections

Continuous Visibility into Ephemeral Cloud Environments
Cloud Security Strategies
Kubernetes Primer for Security Professionals

Must Read

What to look for when reviewing a company's infrastructure
On Establishing a Cloud Security Program
Security Logging in Cloud Environments - GCP
Security Logging in Cloud Environments - AWS
Tracking Moving Clouds: How to continuously track cloud assets with Cartography
The Current State of Kubernetes Threat Modelling
Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography
So I Heard You Want to Learn Kubernetes

Recent Articles

What to look for when reviewing a company's infrastructure
CVE-2022-0847 (aka Dirty Pipe): What does it mean for defenders
Docker on MacOS via minikube (2022 edition)
Remotely Access your Kubernetes Lab with Cloudflare Tunnel
Introducing k8s-lab-plz: A modular Kubernetes Lab

Tags

Twitter Feed