How I go about thinking about the security of GenAI applications| https://www.chrisfarris.com/
Rethinking the Threat Model for US Cloud Providers due to Trump| https://www.chrisfarris.com/
I’ve spoken a lot about Security Invariants, but all of them have been implemented using Organizational Policies. That’s great, but organizational policies don’t apply to the Organizational Management Account (aka “payer”). So how does one implement invariants in a payer account? AWS would tell you that you shouldn’t be giving anyone access to the payer account, so the need for invariants should be minimal. However, that doesn’t reflect the reality that AWS never protected its c...| Chris Farris
I’ve finally settled on the wording for Farris’s Three Laws of Cloud Security Auto Remediation: A bot must never harm stateful data or allow stateful data to come to harm. A bot must act with utmost haste so functionality doesn’t become dependent on a misconfiguration. A bot must announce its existence and tell a carbon-based life form what it did and why. I think these reflect the key tenets of auto-remediation while staying true to the original source of the Three Laws.| Chris Farris
In previous posts, I took AWS to task for not making the customer’s security Job Zero. This offended some sensibilities, so let me lay out my 95 13 Thesis against the current AWS Culture and how it is neither Customer-Obsessed, nor makes security job zero.| Chris Farris
It’s once again pre:Invent, that magical season where AWS announces new features related to their legacy products (cloud) before they jump all-in on Generative AI magician gimmicks at re:Invent in Las Vegas. Once again, I will be in attendance at re:Invent, although I start to question my life choices every time I get off the plane in Vegas and am hit by the dry air, cigarette smoke, and insanely bright lights. Oh, right, I agreed to do a breakout session with Rich Mogull: DEV401 - Security...| Chris Farris
In order to profit effectively from a ransomware attack, a threat actor needs to have something to offer in return for payment. This blog post outlines a process, along with some Python scripts, to encrypt AWS resources and then revoke access to the secret material until the ransom is paid.| Chris Farris
Cloud Hygiene is a Cloud Security problem, and we need to clean up the pollution in our cloud environments| Chris Farris
In September 2024, I returned to Stockholm to give a talk at Sec-T. The Slides are here, and the YouTube Video is here. In the last year or so talking to organizations of all sizes, shapes, and security budgets, it’s become clear there is a deeper problem than just “developers don’t know how to not make a bucket public”. How we as an industry use the public cloud is fundamentally unsafe. We wouldn’t give any random 16-year-old kid with a driver’s license a 787 to fly. Yet, with th...| Chris Farris
Cloud, Ransomware, Threat Model| https://www.chrisfarris.com/
My visit to Norway - getting around and not freezing to death in the Nordic winter| https://www.chrisfarris.com/
An outline of the cloud security differences of AWS, Azure, and GCP| https://www.chrisfarris.com/
AWS makes some changes to Security Hub setup after my previous blog post.| https://www.chrisfarris.com/
My breakdown of the key announcements security folks should know about from AWS re:Invent 2023.| https://www.chrisfarris.com/
There were 511 AWS announcements in pre:Invent season. I break down and snark about 43 of them relating to security and governance.| https://www.chrisfarris.com/
I leaked eight access keys to a public GitHub Repo. Here is how AWS Responded| https://www.chrisfarris.com/
My scathing take on AWS Security Hub, what's wrong, what's good, and why it's a dangerous service for smaller companies.| https://www.chrisfarris.com/
My latest project - defining the Sensitive IAM Actions that lead to data access| https://www.chrisfarris.com/
I've been named an AWS Security Hero. Perhaps not the one you deserve, but the one you got.| https://www.chrisfarris.com/
Once again, I'm doing my two-day Incident Response class for BSides Augusta.| https://www.chrisfarris.com/
I deliberately published an Access Key and Secrets. Here's what happened.| https://www.chrisfarris.com/
Apparently there is no canonical way to use Terraform in CodeBuild, with CodePipeline as the method to review plans before applying them. I fix that.| https://www.chrisfarris.com/
Encryption doesn't belong at the top of your cloud security concerns; it probably should be towards the bottom.| https://www.chrisfarris.com/