Skip to content

    Latest Posts

    Pen Testing in the Age of Cloud

    Josh Stella

    Lately, we at Fugue have been demonstrating live hacks against cloud infrastructure based on real events in the news. We often walk through a theft of data from Amazon S3 by exploiting little-known misconfigurations of Security Groups, EC2, IAM, and S3 in combination. See A Technical Analysis of the Capital One Cloud Misconfiguration Breach.

    Read More

    Developers Now Own Security, and That's a Good Thing

    Josh Stella

    Software is eating the world. In the age of cloud computing, developers now own the security posture of your enterprise because the cloud is fully software-defined and programmable. If that scares you, it's because you haven't given your developers the tools to create secure systems. The good news is that you can, but you need to change how you think about security.

    Read More

    A Technical Analysis of the Capital One Cloud Misconfiguration Breach

    Josh Stella

    UPDATE: August 26, 2019Since posting this, AWS has made some public statements regarding the breach that shed some light on what likely happened. From their response to Senator Ron Wyden, AWS stated:"As Capital One outlined in their public announcement, the attack occurred due to a misconfiguration error at the application layer of a firewall installed by Capital One, exacerbated by permissions set by Capital One that were likely broader than intended. After gaining access through the misconfigured firewall and having broader permission to access resources, we believe a SSRF attack was used (which is one of several ways an attacker could have potentially gotten access to data once they got in through the misconfigured firewall." "As discussed above, SSRF was not the primary factor in...

    Read More

    Shift Left on Cloud Security, Part III: Extending into Production

    Josh Stella

    In the last part of this series, we're going to look at the final stages of the software development life cycle (SDLC)—deployment and operations. As a reminder, in parts one and two, we discussed the overall concept of shifting left for security and compliance, and laid out some best practices for how to do so during the development and testing phases of the SDLC. In this post, we'll cover how using policy as code and baselines allows you to leverage all the work done in the earlier phases to prevent deployment of misconfigurations and ensure that your deployed infrastructure remains functional and compliant over time.

    Read More

    Shift Left on Cloud Security, Part II - Phases of the SDLC

    Josh Stella

    In an earlier blog post, we discussed at a high level how security can shift left regarding cloud infrastructure. In this post, we'll drill in with more detail on how this can be done through the discrete phases of the Software Development Life Cycle (SDLC), beginning with the development phase, and extending through testing, and ultimately all the way to deployment and ongoing operations.

    Read More

    Shifting Left on Cloud Security and Compliance

    Josh Stella

    We're hearing a lot about “shifting left” these days in the industry, and like most popular terms the meaning can be hard to pin down, and some of the implications buried. This post will focus on how to shift security and compliance left in cloud computing. These two functions are closely related, but the operational aspect of each is quite different. However, before we get into specifics, it might be helpful to define what we mean by shifting left in general.

    Read More

    DevSecOps: What is it, and Where to Start

    Josh Stella

    There is a lot of talk about DevSecOps these days, and we've been working in the area for years now and have learned some things that work and some that don't. First, we'll give you our view on what DevSecOps is, and then we'll make a few recommendations on how to start doing it and get real results in an hour or two!

    Read More

    Cloud Security: Automated Remediation Scripts vs. Self-Healing Infrastructure

    Josh Stella

    A lot of folks have realized that manually fixing cloud infrastructure to correct security and compliance issues is just too slow and error prone to handle the threat landscape on the cloud. An increasingly common approach to speeding up remediation these days is to use cloud functions, such as AWS Lambda or Azure Functions, connected to a threat detection tool, to remediate specific cloud misconfigurations.

    Read More

    Two Years With Emacs as a CEO (and now CTO)

    Josh Stella

    Two years ago, I wrote a blog post that got some notice, which surprised me. It was a piece about going back to Emacs as my primary content creation tool, first as a CEO, and now as a CTO. A brief recap is that I spent most of my career as a programmer and a software architect, and preferred Emacs as my code editor for much of that time. Reconsidering Emacs was an experiment that I was excited about, but wasn't sure how it would work out. On the Internet, the post was met with roughly equal parts disdain and appreciation, but tens of thousands of people read it, so it seems that I touched on something interesting. Some of the more challenging and funny posts on Reddit and HackerNews predicted that I'd have hands shaped like claws or that I'd have lost my eyesight because I use white...

    Read More

    Fugue Welcomes Phillip Merrick, Our New CEO

    Josh Stella

    In late November of 2017, I informed Fugue's Board that I intended to lead a search for a new CEO. We had a substantial amount of money on the balance sheet, some really impressive customers, a solid product, and a highly motivated team - many of the things needed to attract a world class CEO. My passion has always been for technology and team building, and it's been an amazing 4 years at the helm through the R&D and engineering phases of the company and well into the go-to-market execution phase, but I've known since founding Fugue that someday I'd look for a partner to fulfill Fugue's potential, and the time is right. Growing Fugue is now about execution in the market, building out great sales and marketing functions, and scaling the business. We've put together great teams to...

    Read More
    1 2 3
    Fugue Developer

    Free Cloud Security for Engineers

    • Visualize your cloud infrastructure
    • Run policy checks and get feedback
    • Detect change and eliminate misconfiguration
    GET STARTED CONTACT SALES