

I curate CloudSecDocs.com, a website collecting and sharing my technical notes and knowledge on cloud-native technologies, security, technical leadership, and engineering culture, updated weekly with the best picks from CloudSecList.
I curate CloudSecList.com, a newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape.
Knowing how difficult it is to stay up to date with all the news and releases in this industry, I hope it will be helpful for other people who are particularly interested in this corner of the security landscape.

If you are interested in sponsoring CloudSecList, please refer to the Sponsor page.
Technical reviewer of:


A framework to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based, offering, aligned with NIST and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).
Terraform module that automates the setup of the roles and users needed to perform a security audit of AWS accounts in a Hub and Spoke model, as described in Cross Account Auditing in AWS and GCP.

In short, this module can be used to create:
  1. One role ("role_security_audit") in every AWS account (Hub + all the Spoke ones), with the built-in "SecurityAudit" policy attached to it.
  2. One role ("role_security_assume"), in the Hub account, able to assume the "role_security_audit" role on all the Spoke accounts.
  3. One IAM user ("user_security_audit"), in the Hub account, able to assume the "role_security_assume" role.
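The three principals listed above, written out as a Terraform fragment; this is an added illustration, not the module's own code. Account ids are placeholders and a single provider is assumed (the real module targets each spoke account through its own provider alias).

```hcl
# Added illustration, not the module's own code. Account ids are placeholders and a
# single provider is assumed; the real module targets each spoke with its own provider alias.
variable "hub_account_id" { default = "111111111111" }       # placeholder
variable "spoke_account_ids" { default = ["222222222222"] }  # placeholder

# 1. role_security_audit: read-only SecurityAudit policy, trusts only the hub's assume role
data "aws_iam_policy_document" "audit_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.hub_account_id}:role/role_security_assume"]
    }
  }
}
resource "aws_iam_role" "role_security_audit" {
  name               = "role_security_audit"
  assume_role_policy = data.aws_iam_policy_document.audit_trust.json
}
resource "aws_iam_role_policy_attachment" "security_audit" {
  role       = aws_iam_role.role_security_audit.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# 2. role_security_assume (hub): may only assume role_security_audit in the spokes
resource "aws_iam_role" "role_security_assume" {
  name = "role_security_assume"
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect = "Allow", Action = "sts:AssumeRole",
    Principal = { AWS = aws_iam_user.user_security_audit.arn }
  }] })
}
resource "aws_iam_role_policy" "assume_spokes" {
  role = aws_iam_role.role_security_assume.id
  policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect   = "Allow", Action = "sts:AssumeRole",
    Resource = [for id in var.spoke_account_ids : "arn:aws:iam::${id}:role/role_security_audit"]
  }] })
}

# 3. user_security_audit (hub): no permission except assuming role_security_assume
resource "aws_iam_user" "user_security_audit" { name = "user_security_audit" }
resource "aws_iam_user_policy" "user_assume" {
  user   = aws_iam_user.user_security_audit.name
  policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect = "Allow", Action = "sts:AssumeRole", Resource = aws_iam_role.role_security_assume.arn
  }] })
}
```

Each trust policy names a single principal, so the audit path is user -> role_security_assume -> role_security_audit and every hop is visible in CloudTrail as an AssumeRole event.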
I am a member of the CNCF Security Technical Advisory Group (STAG), which facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem.

I have also been:
k8s-lab-plz is a modular Kubernetes lab which provides an easy and streamlined way to deploy a test cluster (on minikube or baremetal) with support for different components.

Currently supported components are:
  • Vault
  • ELK (Elasticsearch, Kibana, Filebeats)
  • Metrics (Prometheus, Grafana, Alertmanager)
  • Kafka (Kafka, Zookeeper, KafkaExporter, Entity Operator)
  • Cartography
  • Istio
  • Gatekeeper
  • Falco
  • ...
I have been part of the CNCF committee tasked with creating the Certified Kubernetes Security Specialist (CKS) Certification.

The CKS program provides assurance that a CKS has the skills, knowledge, and competence on a broad range of best practices for securing container-based applications and Kubernetes platforms during build, deployment and runtime.
Kritis is an open-source solution for securing the software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API and Grafeas.

As part of my contribution, I helped ship version 0.2.0 and added support for separating attestations into different GCP projects for images and "AttestationAuthority".
       Kritis 0.2.0 Release
I am a maintainer of Cartography, a Python tool that consolidates infrastructure assets and the relationships between them in a graph view powered by a Neo4j database.

As part of my involvement, I'm actively helping define the long-term roadmap for Cartography, as well as contributing new features and focusing on improving its reliability and speed.
GoScan is an interactive network scanner client, featuring auto-completion, which provides abstraction and automation over nmap.

Although it started as a small side-project I developed in order to learn @golang, GoScan can now be used to perform host discovery, port scanning, and service enumeration not only in situations where being stealthy is not a priority and time is limited (think of CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements.

GoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of 'screen', etc.), given that it fires scans and maintains their state in an SQLite database. Scans run in the background (detached from the main thread), so even if the connection to the box running GoScan is lost, results can be retrieved asynchronously. That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong.

In addition, the Service Enumeration phase integrates a collection of other tools (e.g., EyeWitness, Hydra, nikto, etc.), each one tailored to target a specific service.
Offensive ELK is a custom Elasticsearch setup, aiming to show how traditional “defensive” tools can be effectively used for offensive security data analysis, helping your team collaborate and triage scan results.
In particular, Elasticsearch offers the chance to aggregate a multitude of disparate data sources, query them with a unified interface, with the aim of extracting actionable knowledge from a huge amount of unclassified data.
Needle is an iOS Security Testing Framework, released at Black Hat USA in August 2016. It is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so.
Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.

The release of version 1.0.0 provided a major overhaul of its core and introduced a new native agent, written entirely in Objective-C. The new NeedleAgent is an open source iOS app complementary to Needle, which allows tasks to be performed programmatically and natively on the device, eliminating the need for third party tools.

Needle has been presented at and used by workshops in various international conferences like Black Hat USA/EU, OWASP AppSec and DEEPSEC.

It was included by ToolsWatch in the shortlist for the Top Security Tools of 2016, and it is featured in the OWASP Mobile Testing Guide. It reached #3 on Netsec, the first page of Hacker News, and it was trending on GitHub.
       BlackHat Arsenal USA 2016
       OWASP AppSec USA 2016
       BlackHat Arsenal EU 2016
       BlackHat Arsenal USA 2017
       DEEPSEC 2016
The Offensive iOS Exploitation workshop is an exercise-driven training course that uses detailed tutorials to guide the attendees through all the steps necessary to exploit a real iOS application, and in the process provides them with an understanding of the modern attacker's mind-set and capabilities. The course covers iOS hacking, from the basics of vulnerability hunting on the platform to advanced exploitation techniques. In addition, this workshop uses MWR's newly released "Needle" to identify and exploit all the common mobile application security flaws, over and above the OWASP Mobile Top Ten.

At its conclusion, it will have imparted the information necessary to develop secure and robust applications. Other take-aways will include how to develop secure mobile applications that can withstand advanced attacks, how hackers attack mobile applications and iOS devices, and the most up to date and effective secure coding practices.
       DEEPSEC 2016
I've been involved in the OWASP Project. Over the years I contributed to projects like the Web Application Top 10 and the Mobile Security Testing Guide.
We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information. We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
       NATO CCDCOE Best Student Thesis Award, as the best thesis published on cyber defence topics. Awarded during the International Conference on Cyber Conflict (CyCon 2014), Tallinn
       'Innovation in Information Security' Thesis Award (Premio Tesi Clusit: 'Innovare la sicurezza delle informazioni'), as the 2nd best thesis published in Italy in 2013. Awarded during the Security Summit 2014, Milan
       All Your Face Are Belong to Us: Breaking Facebook's Social Authentication (ACSAC 2012)
       Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication (CCS 2014)
       Social Authentication: Vulnerabilities, Mitigations, and Redesign (DEEPSEC 2014)
       CyCon 2014
       DEEPSEC 2014

Conference Talks

At Cloud Native Security Day North America 2020, co-located with KubeCon + CloudNativeCon North America 2020, Alex Chantavy and I presented a talk highlighting how Cartography can be used to improve and scale security decision-making in cloud-native environments.
Needle's progress was shown at Black Hat USA, with a live demo of its capabilities.
       Black Hat Arsenal USA, Las Vegas, USA.
       Arsenal Lineup (Tools Watch)
Pushing the iPhone through the eye of a needle, an introduction to MWR's iOS Security Testing Framework
       MWR Briefing, London, UK
The first iteration of the "Offensive iOS Exploitation" workshop has been delivered at DEEPSEC 2016.
       DEEPSEC, Vienna, Austria
       DEEPSEC Promotion (DEEPSEC - 04 September)
Needle's progress was shown at Black Hat EU, with a live demo of its capabilities.
       Black Hat Arsenal EU, London, UK.
       Arsenal Lineup (Tools Watch)
Needle's architecture, capabilities and roadmap have been presented at AppSec USA. During the talk it was also demonstrated how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (with a demo of the tool in action).
       OWASP AppSec USA, Washington DC, USA.
       MWR LABS Publication
Needle was publicly released at Black Hat USA, with a live demo of its capabilities.
       Black Hat Arsenal USA, Las Vegas, USA.
       Arsenal Lineup (ToolsWatch)
       Black Hat Promotion, Twitter (Black Hat - 23 July)
       Black Hat Promotion, Facebook (Black Hat - 23 July)
       Needle iOS security testing tool to be unveiled at Black Hat Arsenal (Help Net Security - 01 August)
       Black Hat USA Photo Gallery (Help Net Security - 04 August)
       A quick intro to Needle (MWR Labs - 17 August)
At BSides Vienna 2014, Roberto Puricelli and I delivered a talk based on Androrat++, a proof-of-concept mobile malware.
       BSides Vienna, Vienna, Austria.
At DEEPSEC 2014 I delivered a talk based on my Master Thesis: "Social Authentication: Vulnerabilities, Mitigations, and Redesign". In addition, an excerpt of the work has been published by the Magdeburger Institut für Sicherheitsforschung in the volume "In Depth Security - Proceedings of the DeepSec Conferences" of the Magdeburger Journal zur Sicherheitsforschung.
       DEEPSEC, Vienna, Austria
At CyCon 2014 I delivered a talk based on my Master Thesis, for which I won NATO's Best Thesis Award as the best thesis published on cyber defence topics.
       International Conference on Cyber Conflict (CyCon), by NATO CCDCOE (Cooperative Cyber Defence Centre of Excellence), Tallinn, Estonia
       Student Paper Session with Best Student Thesis Award

Conference Papers

The article I submitted and presented at DEEPSEC 2014 has been published in the "In Depth Security (Proceedings of the DeepSec Conferences)" book.
       DEEPSEC, Vienna, Austria
       Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS), Scottsdale, AZ. (acceptance: 19.4%)
       Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, Angelos D. Keromytis
       Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), Orlando, FL. (acceptance: 19%)
       Iasonas Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos D. Keromytis and Stefano Zanero
Subsequent Talks:
       Hek.SI 2013 (Ljubljana, Slovenia)
       HackCon 2013 (Oslo, Norway)
       Also covered by ComputerWorld