2021 Update: Since I wrote this article in 2019, I've found this PDF guide on the same topic. It is much more elaborate and complete than my own notes. I highly recommend going through it :)
November 6, 2019
October 26, 2019
AWS security on the cheap
So, you're on a budget (say, you are voluntarily building a workshop for students in Ghana) and you want a secure AWS environment to allow people to learn on.
How do you set up and secure the account?
You use infrastructure-as-code and a few free tools. I'll discuss the setup and give code in my next blog post.
In this post I'll show something about two of the tools:
How does AWS's Trusted Advisor (free version) compare to NCC Group's ScoutSuite?
Well, on a relatively simple AWS account, Trusted Advisor finds no issues:
But ScoutSuite has findings:
Many of these findings are worth looking into and getting fixed. The rest can be marked as false positives, so they don't show up in future scans.
Please note that getting a paid AWS support plan would enable extra Trusted Advisor features that might produce similar results. But I like to be able to do it for free :D.
October 5, 2019
NSA gives defense advice
The NSA’s Tailored Access Operations unit gives a talk about how they attack the rest of the world. Very interesting for us defenders.
My take-aways to make these guys' (and other nation state attackers') lives harder:
- They get an edge by knowing the network better than the people running it.
- 0-days are not such a huge tool for them (!). They can breach most corp networks using known vulnerabilities. So use recent software!
- User awareness can only help up to a point. Beyond that (for advanced persistent threats), the users can always be tricked into clicking. You must have technical measures to defend against those.
- Older protocols are usually targeted because they are easy to sniff/decode. There is no point in upgrading your apps to the latest SSO technologies (for example) if legacy protocols are still in use alongside them.
- One of their worst nightmares: an out-of-band network tap, monitoring for anomalous behavior.
- Don’t use old-school AVs which rely only on signatures, use something with reputation checking.
September 22, 2019
AWS security tool collections
I've come across a few of them lately:
- Jason Chan's list of AWS security resources
- Toniblyx's mega collection of AWS security tools
- Something that's missing from there: Brian Warehime's guide to Easy to use GuardDuty alerting with the help of Terraform and Slack
September 15, 2019
Being a tech lead & project management
I found the guidelines that Webflow issues to their Tech Leads useful and inspiring. Webflow is a tool for building websites, but it doesn't really matter, it could be any cool software company that issued this.
The whole article is worth a read for people in such roles (and their managers), but here are three highlights:
On crunch time:
"When people operate at their peak performance, where they engage in the flow state 2–4 hours a day, they are incapable of more work without drastic consequences. They should already be operating at peak efficiency, and asking more of them has severe diminishing returns and a detrimental impact to them personally, and to Webflow as a company."
On moving deadlines:
"Too much is at stake when we attempt to hit an unrealistic deadline, and among them are team burnout, poor product quality, reduced morale, and more.
The important idea here is not to lose sight of a delivery date. That’s all that matters. Projects will fall into limbo when a missed deadline stays (ahem) dead and the project careens toward the unknown. This is worse than moving the deadline, so move it!"
On the 80-20 principle: the last 20% of a project takes a lot of time, and is usually needed. If you want to stop at 80%, consider this: you want to buy a piano for your living room. How much would you pay for one that plays fine [80%] but whose wood is still untreated [20%]?
Webflow says "Just treat the 80% point in your project as the halfway marker. That will align expectations against the added effort nuance prescribes."
July 3, 2019
Here's a very mature culture I admire
https://jobs.netflix.com/culture
Pure. gold.
This text changed my perception. It also changed my standards for a good employer, forever (I'm afraid). Takes time to read but is absolutely worth it.
One point that is especially relevant to security:
"In general, freedom and rapid recovery is better than trying to prevent error. We are in a creative business, not a safety-critical business. Our big threat over time is lack of innovation, so we should be relatively error tolerant. Rapid recovery is possible if people have great judgment. The seduction is that error prevention just sounds so good, even if it is often ineffective. We are always on guard if too much error prevention hinders inventive, creative work."
If you want to see some of this in a talk, here's what DevOps means for them. Watch at least until 16'. The job of a manager is explained around 13'.
June 20, 2019
May 20, 2019
DevSecOps intro
A couple of resources I found interesting lately:
- Pretty good introduction to DevSecOps, in the first half hour of this video.
- Short article on why we want to shift security left.
And a few thoughts and quotes I stole..ehm..gathered from people that are smarter than me:
- Teams that are doing peer reviews for all their code are usually doing real DevOps (this was used to distinguish real DevOps from just using DevOps-y tools and calling it a day. DevOps is not just about tools!).
- Every time I do an architecture review (from a security perspective), I should ask myself: how do I make sure that next time I don't need to perform this? Automate it or teach a developer to do it, because security engineers can't scale to all the dev teams of any company.
- If we have embraced CI/CD, there is no option for a manual security gate/audit/review. Everything has to be automated, short-cycled and repeatable!
March 31, 2019
Phishing is "improving"
This reddit thread warns us that in case we get a call claiming to be from our bank or other organization, we should not give out any of our private info, but request that we end the call and call them back on a verified official number, even if the call we received originates from it.
The reason is that the traditional calling system is vulnerable to number spoofing, so caller ID cannot be trusted. So, this is one more thing to remember, on top of SMS being easy to intercept.
Good luck explaining this attack & defense to elderly laymen 😨.
March 20, 2019
Meta: Management and employee retention
A few articles that I like, explaining how employee motivation works.
Great for all managers, pretty interesting for the rest of us.
- must-read: Why your employees are losing motivation,
- should-read: A bit over-sensational, but this guy is right, remove the toxic people from your company!
- could-read: A view of a millennial, catching some important points nicely (although I don't agree with everything).