CloudSecurityAlliance
@cloudsa

We lead in security of Cloud, AI and Zero Trust. Follow our research, education, certification and events.

Global · Joined March 2009
268 Following · 18.7K Followers · 16.8K posts
CloudSecurityAlliance
Conventional wisdom: review what permissions a role has. What teams miss: who can *pass* that role to a service. In AWS, `iam:PassRole` + `lambda:CreateFunction` = privilege escalation. An attacker with those two permissions can spin up a Lambda function with an admin role they'd never be allowed to assume directly — no stolen credentials, just a misconfigured IAM policy. cloudsecurityalliance.org/research/publi… #IAM
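An added example, not part of the post: a review heuristic that scans an IAM policy document for the `iam:PassRole` + `lambda:CreateFunction` combination and reports how widely the PassRole grant is scoped. The policy is a constructed sample; the checker expands IAM wildcards but ignores Condition keys and is not a policy simulator.

```python
import fnmatch
import json

# Constructed sample policy, not taken from the post. Each grant looks ordinary
# on its own; together they let the principal run code under any role covered.
RISKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::123456789012:role/*"}
  ]}""")

# The combination the post describes; other PassRole consumers can be added.
ESCALATION_PAIRS = [("iam:PassRole", "lambda:CreateFunction")]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action):
    # IAM action names are case-insensitive with * and ? wildcards, which
    # fnmatch reproduces. NotAction statements are not handled here.
    patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def action_granted(policy, action):
    """True if some Allow statement matches `action` and no Deny does.
    Resource and Condition scoping are ignored: this is a review heuristic."""
    stmts = _as_list(policy["Statement"])
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in stmts)


def find_escalations(policy):
    """Map each risky pair the policy grants to the Resource values of its
    PassRole grant, so a reviewer sees how far the pass is scoped."""
    findings = {}
    for pass_action, consumer in ESCALATION_PAIRS:
        if action_granted(policy, pass_action) and action_granted(policy, consumer):
            findings[(pass_action, consumer)] = sorted(
                r for s in _as_list(policy["Statement"])
                if s["Effect"] == "Allow" and _matches(s, pass_action)
                for r in _as_list(s.get("Resource", [])))
    return findings


def is_broad(resource):
    # A PassRole grant on '*' or '.../role/*' lets the caller pass any role.
    return resource == "*" or resource.endswith("/*")
```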
CloudSecurityAlliance
Private package named `corp-auth-utils`? If that name exists on npm's public registry too — uploaded by anyone — your CI might silently pull the public version instead of yours. That's dependency confusion. No exploit code, no phishing. Just an unscoped package name and a registry that checks public sources first. The malicious package runs its install scripts before your build even starts. Audit your .npmrc and pip.conf registry priority configs: cloudsecurityalliance.org/research/publi… #SupplyChainSecurity
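An added example, not part of the post: an audit of the two registry configs the post names. The `.npmrc`, `pip.conf` and private package list are constructed samples; the npm check looks for unscoped private names and scopes without an `@scope:registry` mapping, the pip check for `extra-index-url`, which pip merges with `index-url` rather than treating as lower priority.

```python
import configparser

# Constructed sample configs and package list, not taken from the post.
NPMRC = """registry=https://registry.npmjs.org/
@corp:registry=https://npm.corp.example/
//npm.corp.example/:_authToken=${NPM_TOKEN}
"""
PIP_CONF = """[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.corp.example/simple
"""
PRIVATE_NPM = ["corp-auth-utils", "@corp/logging"]


def npm_findings(npmrc, private_packages):
    """Flag private npm names a CI runner could fetch from the public registry.
    Unscoped names go wherever `registry=` points (npmjs.org unless changed);
    scoped names reach the private registry only if .npmrc maps the scope.
    A private registry that proxies npmjs.org also has to exclude the
    organisation's own names from proxying; that is not checked here."""
    default_registry = "https://registry.npmjs.org/"
    scoped = set()
    for line in npmrc.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        if key == "registry":
            default_registry = value.strip()
        elif key.startswith("@") and key.endswith(":registry"):
            scoped.add(key[: -len(":registry")])
    findings = []
    for name in private_packages:
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope is None and "registry.npmjs.org" in default_registry:
            findings.append((name, "unscoped name resolves via the public registry"))
        elif scope is not None and scope not in scoped:
            findings.append((name, f"scope {scope} has no @scope:registry mapping"))
    return findings


def pip_findings(pip_conf):
    """pip merges index-url and every extra-index-url into one candidate set
    and installs the highest version found, so a public package carrying a
    private package's name can win. Only a single index-url is safe."""
    cfg = configparser.ConfigParser()
    cfg.read_string(pip_conf)
    return [(section, "extra-index-url present: indexes are merged, not prioritised")
            for section in cfg.sections() if cfg.has_option(section, "extra-index-url")]
```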
CloudSecurityAlliance
Here's a question most CISOs can't answer cleanly: if an autonomous agent causes a breach tonight, who owns the remediation? Not who gets paged. Who owns the disclosure decision, the post-mortem, the board call? That gap doesn't show up until it does. CSAI Foundation is building the accountability frameworks before you need them. csai.foundation
CloudSecurityAlliance
Zero Trust doesn't eliminate trust — it concentrates it. When everything authenticates through a single IdP, a compromised federation config or stolen SAML signing certificate can mint valid credentials for any identity in your environment. Attackers don't break Zero Trust; they impersonate through it. Audit your IdP's admin accounts, federation trusts, and certificate stores with the same rigor you'd apply to a domain controller. cloudsecurityalliance.org/research/publi… #ZeroTrust
CloudSecurityAlliance
Zero Trust says "never trust, always verify." But verify *what*, exactly, for an autonomous agent mid-task? The identity? It may have delegated to a child process. The model? Your provider updated it silently last Tuesday. The permissions? They expanded to complete the task. The prompt context? You can't read it. That's not a policy gap. It's a missing verification object. csai.foundation #ZeroTrust
CloudSecurityAlliance
What I kept running into this week: AI tools being evaluated entirely on capability — speed, accuracy, cost — with security treated as a post-deployment question. By then, the architectural decisions are already locked in. TAISE is built for teams that want to get in front of that. cloudsecurityalliance.org/education/taise
CloudSecurityAlliance
One thing MAESTRO gets right that STRIDE misses: in agentic systems, a prompt injection at the orchestration layer carries different risk than the same attack at the tool-call layer. Threat modeling can't be layer-agnostic when your system isn't. cloudsecurityalliance.org/research/publi…
CloudSecurityAlliance
Here's what I'd check first in any Kubernetes environment: whether NetworkPolicies are actually enforced. By default, every pod can reach every other pod across all namespaces. A compromised container in your frontend tier can freely query your internal APIs, your secrets store, and your database layer — no exploit needed, just network reachability. Run `kubectl get networkpolicy -A`. Empty output means default-allow everywhere. cloudsecurityalliance.org/research/publi… #Kubernetes
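An added example, not part of the post: the next step after `kubectl get networkpolicy -A` comes back non-empty, checking per namespace whether any policy actually forms a default-deny baseline (empty `podSelector`, both `Ingress` and `Egress` in `policyTypes`). The namespace and policy listings are constructed samples of the `-o json` output. Note that a listed policy is only enforced if the cluster's CNI plugin supports NetworkPolicy.

```python
import json

# Constructed sample output of `kubectl get ns -o json` and
# `kubectl get networkpolicy -A -o json`, trimmed to the fields used here.
NAMESPACES = json.loads("""{"items": [
  {"metadata": {"name": "frontend"}},
  {"metadata": {"name": "payments"}},
  {"metadata": {"name": "kube-system"}}]}""")
POLICIES = json.loads("""{"items": [
  {"metadata": {"name": "default-deny", "namespace": "payments"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
  {"metadata": {"name": "allow-web", "namespace": "frontend"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}},
            "policyTypes": ["Ingress"]}}]}""")


def baseline_gaps(namespaces, policies):
    """Return {namespace: reason} for namespaces lacking a default-deny
    baseline. A pod is isolated only in the directions listed in the
    policyTypes of a policy whose podSelector selects it; an empty
    podSelector selects every pod in the namespace."""
    by_ns = {}
    for pol in policies["items"]:
        by_ns.setdefault(pol["metadata"]["namespace"], []).append(pol["spec"])
    gaps = {}
    for ns in (n["metadata"]["name"] for n in namespaces["items"]):
        specs = by_ns.get(ns, [])
        if not specs:
            gaps[ns] = "no NetworkPolicy: default-allow in both directions"
            continue
        covered = set()
        for spec in specs:
            if spec.get("podSelector", {}) == {}:
                # policyTypes defaults to Ingress when omitted.
                covered.update(spec.get("policyTypes") or ["Ingress"])
        missing = {"Ingress", "Egress"} - covered
        if missing:
            gaps[ns] = "no namespace-wide policy for " + ", ".join(sorted(missing))
    return gaps
```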
CloudSecurityAlliance
Renting a venue doesn't make the venue responsible for what happens inside — that's still on you. Cloud infrastructure works the same way: the provider locks the building, but everything you run on top of it is your responsibility to secure. Most breaches don't beat the provider. They exploit the gap that belongs to you. That's the foundation CCSK is built on. cloudsecurityalliance.org/education/ccsk
CloudSecurityAlliance
An SSRF bug in your EC2 app can turn into full IAM credential theft in a single HTTP request. IMDSv1 — still enabled on many older instances — lets any internal redirect reach 169.254.169.254 and pull your instance role's access keys. No special exploit, just a misconfigured hop. IMDSv2 blocks this by requiring a session preflight token that SSRF can't forge. It's available on all current instances but not enforced by default on older ones. Check your fleet. cloudsecurityalliance.org/research/publi… #CloudSecurity
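An added example, not part of the post: the fleet check it asks for, run over a constructed excerpt of `aws ec2 describe-instances` output. An instance is exposed when its metadata endpoint is enabled and `HttpTokens` is not `required`; the second function emits the `modify-instance-metadata-options` call that enforces IMDSv2 on each one.

```python
import json

# Constructed excerpt of `aws ec2 describe-instances` output, not from the
# post; only the fields this check reads are kept.
DESCRIBE_INSTANCES = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111", "MetadataOptions":
     {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0bbb222", "MetadataOptions":
     {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
  {"InstanceId": "i-0ccc333", "MetadataOptions":
     {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}}
]}]}""")


def imdsv1_exposed(describe_output):
    """Instance IDs whose metadata endpoint still answers unauthenticated
    IMDSv1 requests: endpoint enabled and HttpTokens not 'required'.
    A disabled endpoint is not exposed even with HttpTokens 'optional'."""
    exposed = []
    for reservation in describe_output["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def remediation_commands(describe_output):
    """AWS CLI calls that enforce IMDSv2 on each exposed instance. Roll out
    to a canary first: anything that still speaks only IMDSv1 stops getting
    credentials once tokens are required."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {i} "
        "--http-tokens required --http-endpoint enabled"
        for i in imdsv1_exposed(describe_output)
    ]
```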
CloudSecurityAlliance
Ask your IAM vendor how they handle an agent that mints three child identities mid-task, delegates scoped permissions to each, then completes — with no human-initiated offboarding trigger. That silence is the gap. Agent identity governance isn't an IAM extension — it's a new domain. csai.foundation #AgentSecurity
CloudSecurityAlliance
Common assumption: if you're compliant, you're secure. The reality is that compliance measures a point in time — cloud drift, misconfiguration, and over-permissioned access don't wait for your next audit cycle. That gap is foundational to understand. CCSK is where it starts. cloudsecurityalliance.org/education/ccsk
CloudSecurityAlliance
"Shared responsibility" sounds clear until someone asks what your half actually requires. Cloud providers define theirs. CCM defines yours — 207 controls across 17 domains, mapped to what you're actually accountable for in cloud environments. Free, vendor-neutral, and built for the question every auditor eventually asks. cloudsecurityalliance.org/research/cloud… #CloudSecurity
CloudSecurityAlliance
Your GitHub Actions workflows probably pin to tags: `uses: actions/checkout@v4`. Tags are mutable. A compromised upstream repo silently redirects that tag to malicious code — which then runs in your pipeline with your cloud credentials, signing keys, and deploy tokens loaded. Pin to a commit SHA instead. `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` cannot be moved. The tag can. One config change. Immutable by design. cloudsecurityalliance.org/research/publi… #SupplyChain
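An added example, not part of the post: a workflow scanner that flags every `uses:` reference not pinned to a full 40-hex commit SHA. The workflow excerpt is constructed; the SHA in it is the `actions/checkout` pin the post quotes. Local (`./`) actions are skipped and `docker://` references, which need digest pinning instead, are not checked.

```python
import re

# Constructed workflow excerpt, not from the post; the commit SHA is the
# actions/checkout pin the post quotes.
WORKFLOW = """
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
      - uses: ./.github/actions/internal-lint
      - uses: some-org/deploy-action@main
      - uses: some-org/release-tools
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")


def unpinned_actions(workflow_text):
    """Return (ref, reason) for each `uses:` reference whose target can be
    moved upstream. Local actions (./) ship with the repository and are
    skipped; docker:// references need digest pinning and are not checked."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, _, version = ref.partition("@")
        if not version:
            findings.append((ref, "missing ref"))
        elif not SHA_RE.fullmatch(version):
            findings.append((ref, f"mutable ref '{version}': pin to a commit SHA"))
    return findings
```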
CloudSecurityAlliance
An agent takes an action that violates a customer contract. Security gets the ticket. Legal gets the call. IT gets blamed. Engineering explains the prompt chain. Four teams, four conversations, zero clear owner. Org charts were drawn before agents existed. The accountability gap isn't coming — it's already open. csai.foundation #AIGovernance
CloudSecurityAlliance
Between login and logout, how much of what happens inside your environment is genuinely being verified — and how much is just assumed safe because the initial authentication checked out? That's the gap Zero Trust architecture is built to close. CCZT 🔐 cloudsecurityalliance.org/education/cczt
CloudSecurityAlliance
The moment you give an LLM access to internal tools, it's operating inside your trust boundary — with the implicit trust of an insider. Zero trust was built to eliminate exactly that kind of implicit access. CSA's Zero Trust guidance for LLM environments maps out what enforcement actually looks like when the requestor is a model, not a human. cloudsecurityalliance.org/research/publi…