Service accounts for Software-as-a-Service (SaaS) applications have high levels of access and are shared between multiple people — a tempting target for attackers. But service accounts aren’t just a source of security risk. They can also slow down engineering teams. Laggy approvals for access, flaky integrations, and risky manual changes are speed bumps on the path to delivering value. This post discusses standards you can introduce at your organization to tame service account management.

What are service accounts?

When you try out a new SaaS application, you might register with your email, password, phone number, and enable 2FA. Next, you might set up SSO…


Security vulnerabilities result from interactions between thousands of well-intentioned decisions. What systems or libraries do we use? Should I click yes or no on this authorization prompt? Should we make this system more simple or more safe? Only in the aftermath of security incidents do the regrettable decisions become clear.

Security experts are predictors. They are trained to understand how the conditions caused by technical decisions create risk, and can steer the ship toward calmer waters. Bad decisions made without security expertise tend to propagate and amplify before they can be identified and corrected. …


Login CSRF allows an attacker to force a victim to log in to an attacker-controlled account. It often shows up in vulnerability scans and bug bounties. If you see a Login CSRF vulnerability, should you fix it?

As defenders, we should only spend time fixing Login CSRF if attackers can use it to get something they want. For example, in the diagram below, the attacker wants to know that the victim searches for “llamas” on Google.

CS142: Web Applications — Stanford University

What’s the risk of Login CSRF?

Login CSRF can be low- or high-risk, depending on context. Most of the time it’s low-risk (e.g. “you search for Llamas!”), …


It was a running joke at Twitter for new hires to post to the company-wide list asking why we couldn’t change the “dogs in the office” policy. At Clever we developed a theory that someone on the executive team had an allergy given the continued resistance to bringing dogs to work. I was stoked to work in a dog-friendly office at LaunchDarkly, but we (and our dogs) have all been WFH since I started in May 2020.

The Pupster Slack application home page

I built Pupster to make it easy for remote teams to meet each other’s dogs. It’s a Slack App that you add to…


This is an abridged version of my LocoMocoSec 2020 conference talk

How do you set the strategy for a security team? If your goals are vague, people on your team will work on whatever they’re interested in because there’s no clear mission. If you don’t measure impact, your organization will hesitate to give you resources because you won’t be able to show what they get in return.

OKRs let your security team do work that everyone in the organization values. John Doerr’s book Measure What Matters calls out four organizational OKR “superpowers” that also apply to security teams.

  • Focus and…


We use HTTPS to verify web server identities with X.509 certificates, but TLS also supports mutual authentication, where the server uses certs to verify the client’s identity. Given that passwords are a bottomless source of compromise from credential stuffing, phishing, and so on, the idea of using a cryptographically secure, phishing-resistant authentication mechanism already included in every major browsing and operating system seems like a big win.

People have been wondering why is nobody using SSL client certificates? since 2008, and in 2015 a post titled In defense of client certificates admits the “UX can be pretty horrible”. In 2020…


You can turn on CloudTrail logging with a single command, but how do you use the data for audits and automation? In this post, I’ll describe cloudtrail-parquet-glue, which makes CloudTrail logs efficiently Athena-searchable with minimal custom code (because ”the best code is no code”) using AWS Glue.

First, why use Athena for CloudTrail logs?


AWS IAM policies answer the question “who gets access to what?”. AWS IAM policy conditions answer the more precise question “who gets access to what, when?”. Conditions enhance the expressive power of IAM policies by allowing authors to restrict access control by context. But be warned! They come with surprising gotchas. This blog post describes the AWS global condition context keys (i.e. those prefixed with aws:) and their caveats. Use it as a reference the next time you need to solve advanced IAM access issues.

Restricting by calling service

CalledVia, CalledViaFirst, CalledViaLast

AWS “service-to-service” API requests are invoked by other AWS API requests. For example, a request…


You can learn a lot by kicking the tires on software. I work on identity systems, so I wanted to take AWS Cognito out for a spin. In this post, I’ll describe my experiment with Cognito to use G Suite SAML for ALB authentication, and how an encoding bug turned my joyride into a flat tire.

G Suite SAML to OpenID Connect with ALBs using Cognito Authentication

Cognito is two identity products: user pools and identity pools. User pools are a white-label user management system for people who don’t want to build one, like iOS developer implementing sign-in with Apple. …


How should we design user access to multiple AWS accounts? As organizations scale, they tend to centralize identity with SSO SAML federation, but there are two patterns for federation with AWS.

Hub-and-spoke: users assume federated roles into a single AWS “identity account” and perform a second role assumption into sub-accounts

Direct: users assume federated roles into AWS sub-accounts directly

Hub-and-spoke vs. direct federation for AWS accounts

Let’s look at examples of each and tradeoffs between the two.

Hub-and-spoke AWS IAM federation

AWS Multiple Account Security Strategy from AWS Answers describes a hub-and-spoke model where IAM Groups of IAM users can assume roles from a central identity account.

If you use IAM…

Alex Smolen

Security for the people.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store