2021 Update: Since I wrote this article in 2019, I've found this PDF guide on the same topic. It is much more elaborate and complete than my own notes. I highly recommend going through it :)
November 6, 2019
October 26, 2019
AWS security on the cheap
So, you're on a budget (say, you are volunteering to build a workshop for students in Ghana) and you want a secure AWS environment for people to learn on.
How do you set up and secure the account?
You use infrastructure-as-code and a few free tools. I'll discuss the setup and give code in my next blog post.
In this post I'll show something about two of the tools: how does AWS's Trusted Advisor (free version) compare to NCC Group's ScoutSuite?
Well, on a relatively simple AWS account, Trusted Advisor finds no issues:
But ScoutSuite has findings:
Many of these findings are worth looking into and getting fixed. The rest can be marked as false positives (ScoutSuite accepts an exceptions file for this), so they don't show up in future scans.
Please note that a paid AWS support plan (Business or Enterprise) unlocks the full set of Trusted Advisor checks, which might produce similar results; the free tier only runs a handful of security checks, such as MFA on the root account, security groups with unrestricted ports and publicly accessible S3 buckets. But I like to be able to do it for free :D.
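To make the "fix some, accept the rest" step repeatable, here is an added triage script (my example, not part of the original post and not ScoutSuite's own tooling). It assumes the report layout of ScoutSuite's `scoutsuite_results_aws-<profile>.js` file as I know it: a `scoutsuite_results =` prefix followed by JSON, with findings under `services.<service>.findings.<id>` carrying `level`, `flagged_items` and `items`. The embedded report and the accepted-items list are constructed, not output from a real scan.

```python
"""Triage a ScoutSuite AWS report: keep flagged findings, drop accepted
false positives, and return what still needs fixing, worst first.

Added example; assumes the results-file layout described in the lead-in
(scoutsuite_results = {...} with services.<svc>.findings.<id>).
The sample report and the ACCEPTED list below are constructed.
"""
import json
import re

# Constructed sample in the shape of a ScoutSuite results file (not a real scan).
SAMPLE_REPORT = """scoutsuite_results =
{
  "account_id": "123456789012",
  "services": {
    "iam": {
      "findings": {
        "iam-root-account-no-mfa": {
          "description": "Root Account without MFA",
          "level": "danger", "checked_items": 1, "flagged_items": 1,
          "items": ["iam.credential_reports.root"]
        },
        "iam-password-policy-minimum-length": {
          "description": "Minimum Password Length Too Short",
          "level": "warning", "checked_items": 1, "flagged_items": 0,
          "items": []
        }
      }
    },
    "ec2": {
      "findings": {
        "ec2-security-group-opens-ssh-port-to-all": {
          "description": "Security Group Opens SSH Port to All",
          "level": "danger", "checked_items": 3, "flagged_items": 1,
          "items": ["ec2.regions.eu-west-1.vpcs.vpc-0abc.security_groups.sg-0123.rules.ingress.protocols.TCP.ports.22.cidrs.0"]
        },
        "ec2-default-security-group-in-use": {
          "description": "Default Security Group in Use",
          "level": "warning", "checked_items": 3, "flagged_items": 2,
          "items": ["ec2.regions.eu-west-1.vpcs.vpc-0abc.security_groups.sg-default",
                    "ec2.regions.us-east-1.vpcs.vpc-0def.security_groups.sg-default"]
        }
      }
    }
  }
}
"""

# Reviewed and accepted false positives: finding id -> item paths ("*" = all items).
# Constructed for the example; keep this list in version control with the IaC.
ACCEPTED = {
    "ec2-default-security-group-in-use": {
        "ec2.regions.us-east-1.vpcs.vpc-0def.security_groups.sg-default",
    },
}

LEVEL_ORDER = {"danger": 0, "warning": 1}


def load_results(text):
    """Strip the JavaScript assignment prefix and parse the JSON body."""
    body = re.sub(r"^\s*scoutsuite_results\s*=\s*", "", text, count=1)
    return json.loads(body)


def open_findings(report, accepted):
    """Flagged findings minus accepted items, sorted by severity then name."""
    out = []
    for service, svc in report["services"].items():
        for fid, f in svc.get("findings", {}).items():
            if f.get("flagged_items", 0) == 0:
                continue  # nothing flagged; not a finding
            acc = accepted.get(fid, set())
            items = [] if "*" in acc else [i for i in f.get("items", []) if i not in acc]
            if not items:
                continue  # every flagged item was accepted as a false positive
            out.append({"service": service, "id": fid, "level": f["level"],
                        "description": f["description"], "items": items})
    out.sort(key=lambda x: (LEVEL_ORDER.get(x["level"], 9), x["service"], x["id"]))
    return out


def counts_by_level(findings):
    """Tally open findings per severity level."""
    tally = {}
    for f in findings:
        tally[f["level"]] = tally.get(f["level"], 0) + 1
    return tally


if __name__ == "__main__":
    findings = open_findings(load_results(SAMPLE_REPORT), ACCEPTED)
    for f in findings:
        print(f"[{f['level']}] {f['service']}: {f['description']} ({len(f['items'])} item(s))")
    print(counts_by_level(findings))
```

Run it against a real report by reading the `.js` file into `load_results`; anything still listed after the accepted items are removed is the work queue, and a finding that keeps coming back with a new item path is a sign the account drifted from the code.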
October 5, 2019
NSA gives defense advice
The NSA’s Tailored Access Operations unit gives a talk about how they attack the rest of the world. Very interesting for us defenders.
My take-aways for making these guys' (and other nation-state attackers') lives harder:
- They get an edge by knowing the target network better than the people running it do.
- 0-days are not such a big tool for them (!). They can breach most corporate networks using known vulnerabilities, so keep your software patched and current!
- User awareness only helps up to a point. Beyond that (against advanced persistent threats) some user can always be tricked into clicking, so you need technical measures that hold even when they do.
- Older protocols are usually targeted because they are easy to sniff and decode. There is no point upgrading your apps to the latest (e.g.) SSO technology if the legacy protocols stay enabled alongside it.
- One of their worst nightmares: an out-of-band network tap that monitors for anomalous behavior.
- Don't use old-school AVs that rely only on signatures; use something with reputation checking.
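The out-of-band tap is only a nightmare for them if someone actually looks at what it captures. As an added example (mine, not from the talk or the post), here is one of the simplest anomaly checks such a tap enables: spotting a host that talks to the same external address at a near-constant interval, which is what a command-and-control beacon looks like in flow data. The flow records are constructed; the field layout (epoch time, source, destination, port, bytes) and the thresholds are my assumptions.

```python
"""Beacon detection over flow records from an out-of-band tap.

Added example. Input lines are constructed and assumed to be
"<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes>"; a (src, dst) pair
whose inter-connection intervals are regular (low coefficient of variation)
over enough connections is reported as a beacon candidate.
"""
import statistics
from collections import defaultdict

# Constructed flows: 10.0.0.5 calls out every ~60 s, 10.0.0.9 browses irregularly.
SAMPLE_FLOWS = """\
1569700000 10.0.0.5 203.0.113.7 443 1024
1569700061 10.0.0.5 203.0.113.7 443 1030
1569700119 10.0.0.5 203.0.113.7 443 1019
1569700180 10.0.0.5 203.0.113.7 443 1027
1569700241 10.0.0.5 203.0.113.7 443 1022
1569700299 10.0.0.5 203.0.113.7 443 1025
1569700360 10.0.0.5 203.0.113.7 443 1031
1569700000 10.0.0.9 198.51.100.3 443 48210
1569700007 10.0.0.9 198.51.100.3 443 1203
1569700150 10.0.0.9 198.51.100.3 443 91230
1569700151 10.0.0.9 198.51.100.3 443 2210
1569700600 10.0.0.9 198.51.100.3 443 77310
1569700604 10.0.0.9 198.51.100.3 443 3301
1569701200 10.0.0.9 198.51.100.3 443 1110
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the pipeline
        ts, src, dst, port, nbytes = parts
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows


def detect_beacons(flows, min_connections=5, max_cv=0.1):
    """Return (src, dst) pairs whose connection timing is suspiciously regular.

    cv = population stdev / mean of the inter-connection intervals; a human
    browsing produces cv well above 1, a sleep(60)-style beacon well below 0.1.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        by_pair[(src, dst)].append(ts)

    candidates = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # all connections in the same second; not a timing beacon
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            candidates.append({"src": src, "dst": dst, "connections": len(times),
                               "period_s": round(mean, 1), "cv": round(cv, 3)})
    return candidates


if __name__ == "__main__":
    for c in detect_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"beacon? {c['src']} -> {c['dst']} every {c['period_s']}s "
              f"({c['connections']} connections, cv={c['cv']})")
```

Real beacons add jitter, so tune `max_cv` against your own baseline and pair this with the destination's reputation; the point is that the check needs nothing from the endpoint, which is exactly why an attacker who owns the endpoint cannot turn it off.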
September 22, 2019
AWS security tool collections
I've come across a few of them lately:
- Jason Chan's list of AWS security resources
- Toniblyx's mega collection of AWS security tools
- Something that's missing from there: Brian Warehime's guide to easy-to-use GuardDuty alerting with the help of Terraform and Slack
September 15, 2019
Being a tech lead & project management
I found the guidelines that Webflow issues to its tech leads useful and inspiring. Webflow is a tool for building websites, but that doesn't really matter; it could have been any cool software company that issued this.
The whole article is worth a read for people in such roles (and their managers), but here are three highlights:
On crunch time:
"When people operate at their peak performance, where they engage in the flow state 2–4 hours a day, they are incapable of more work without drastic consequences. They should already be operating at peak efficiency, and asking more of them has severe diminishing returns and a detrimental impact to them personally, and to Webflow as a company."
On moving deadlines:
"Too much is at stake when we attempt to hit an unrealistic deadline, and among them are team burnout, poor product quality, reduced morale, and more.
The important idea here is not to lose sight of a delivery date. That’s all that matters. Projects will fall into limbo when a missed deadline stays (ahem) dead and the project careens toward the unknown. This is worse than moving the deadline, so move it!"
On the 80-20 principle: the last 20% of a project takes a lot of time, and is usually needed. If you want to stop at 80%, consider this: you want to buy a piano for your living room. How much would you pay for one that plays fine [80%] but whose wood is still untreated [20%]?
Webflow says "Just treat the 80% point in your project as the halfway marker. That will align expectations against the added effort nuance prescribes."
July 3, 2019
Here's a very mature culture I admire
https://jobs.netflix.com/culture
Pure. gold.
This text changed my perception. It also changed my standards for a good employer, forever (I'm afraid). Takes time to read but is absolutely worth it.
One point that is especially relevant to security:
"In general, freedom and rapid recovery is better than trying to prevent error. We are in a creative business, not a safety-critical business. Our big threat over time is lack of innovation, so we should be relatively error tolerant. Rapid recovery is possible if people have great judgment. The seduction is that error prevention just sounds so good, even if it is often ineffective. We are always on guard if too much error prevention hinders inventive, creative work."
If you want to see some of this in a talk, here's what DevOps means for them. Watch at least until 16'. The job of a manager is explained around 13'.
June 20, 2019