Introduction
A majority of security incidents in the cloud result from misconfiguration of cloud services. A good way to learn about this is to understand the common misconfigurations that often lead to attacks and breaches.
In this video, Joshua Jebaraj will explain how you can use GCP Goat to understand common misconfigurations on Google Cloud. Joshua is a security researcher and is deeply interested in the areas of cloud security, DevSecOps, and Kubernetes security. He is part of various open-source communities like null, Ansible, and HashiCorp and regularly presents at various security events.
This video is part of the tech talks presented at Cloud Village. Cloud Village is an open space dedicated to people interested in cloud security. It runs activities such as talks, workshops, CTFs, and discussions around cloud.
What to expect from this video
The following topics are covered in this video:
- Introduction and getting started with GCP Goat
- Attacking Google Compute Engine
- Attacking SQL Instance
- Attacking Google Kubernetes Engine
- Attacking Google Cloud Storage
- Privilege Escalation
Video
https://www.youtube.com/watch?v=dcKER88tH50
Key Takeaways
With cloud adoption on the rise, attackers are also finding ways to exploit gaps and weaknesses in the way cloud infrastructures are configured. It is essential for the DevOps engineers and SREs who set up the cloud infrastructure for their teams and organisations to understand how to properly configure their infrastructure.
This video introduces you to GCP Goat, an intentionally vulnerable environment for learning about GCP security. It is an open source project created by Joshua Jebaraj, the presenter of the tech talk. GCP Goat lets you practice various scenarios that show how vulnerable GCP services can be attacked by adversaries, so you gain an understanding of what gaps may be left when GCP services are not configured properly and securely.

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.
