BSidesVienna 0x7E7

Tracking Broken Cloud Security Promises
11-18, 13:20–13:50 (Europe/Vienna), Badeschiff

This talk introduces a new and open platform to track and compare cloud vendors and their broken promises about secure cloud operations. CVEs are not working for cloud vendors, and we need a better way than tribal knowledge and smoke signals to communicate these issues. The platform provides a structured way to search and evaluate past security incidents at cloud vendors.

OMIgod, BingBang, Chinese APTs stealing signing keys, developers leaking highly sensitive access tokens and personal data, silently patching IMDSv2 to curb SSRF attacks, ... we need a better way than tribal knowledge and smoke signals to communicate these issues. There is currently no structured way to search, evaluate, track and compare issues with big cloud vendors. Our society relies more and more on cloud vendors. Their vulnerabilities are often unique, and a broken process at a single cloud vendor can impact millions of businesses and their customers. Cloud security is slowly evolving to have not only technological but also societal impacts. We need a way to track their broken promises and enable us to make decisions based on a structured analysis of their track record.

For someone working in security management, I have a very technical background, from backend development to system administration. I was a penetration tester and a security engineer.