Chris Farris

This past weekend I spoke at BSides Nashville - Get outta my host and into my cloud: A primer for offensive operations in AWS. This talk was similar to my talk last year on Incident Response in AWS at BSides Atlanta. The intent was not to teach pentesting or red teaming, but rather helping to spread cloud knowledge to those who do that on a daily basis.

I’ve decided it’s time for me to launch my consulting business. I’ve been doing cloud and cloud security for almost ten years now, and I’ve seen a lot of issues. PrimeHarbor’s focus is to help solve cloud security challenges at their source.
The ultimate shift-left security flex is to educate and empower developers and engineers

I deliberately published an Access Key and Secrets. Here’s what happened.

There is no canonical way to use Terraform in CodeBuild, with CodePipeline as the method to review plans before applying them. This post defines a Cloudformation template and the buildspec files needed to create a CodePipeline that runs terraform plan, allows a human to review it, then runs terraform apply.

For MLK weekend, Leo and I made a quick trip to LA. My primary reason was to conduct a quick site survey of Anaheim for fwd:cloudsec 2023. I bribed Leo to come along by promising a day at Disneyland.

This is the story of how I spent $2621 to ride Rise of the Resistance.

Our final trip this year was to Morocco. We flew AirFrance from ATL to CDG, then from CDG to Marrakech. In Morocco, we spent two days in Marrakech, took the train to Tangier, then a Grand Taxi to Chefchaouen for an overnight, then back to Tangier and Casablanca. Our flight home had an 18-hour layover in Paris, so we also got a little bit of sightseeing there. Many blogs talk about backpacking or visiting Morocco, but they always leave out a few practical details that I wish I’d known before leaving.

With ChatGPT being all the rage, I decided to see if she (it?) could write my next blog post for me. I’d already written all the Steampipe queries and determined the security value behind the blog post. I just didn’t feel like writing it.

The post’s topic was on enumerating your network-plane cloud perimeter.

A Google Calendar version of all the announced BSides and community security conferences, with dates and CFP Deadlines.

I did not get in on Bitcoin when it was getting started. I thought it had some interesting libertarian principles, but I was skeptical of all computer software and determined that it was only one software flaw or mathematical proof away from being rendered completely worthless. Lets face it, entire empires have fallen due to misplaced faith in their cryptographic capabilities. Bitcoin was just too risky. With the collapse of another crypto-currency exchange, and the release of Andy Greeenberg’s new book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, I decided it was worth spending a few hours and AWS credits to check out this blockchain all the crypto-bros are raving about.

My third annual pre:Invent roundup is posted over on Steampipe’s blog. You can also check out 2021 and 2020 if you’re so inclined.

Back in 2018, I wrote a semi-serious post on what you as a security practitioner should be looking for as it relates to re:Invent announcements.

There were a few hot-takes that didn’t warrant mention on my work post, so I’ll include them here for your general amusement.