Service accounts for Software-as-a-Service (SaaS) applications have high levels of access and are shared between multiple people — a tempting target for attackers. But service accounts aren’t just a source of security risk. They can also slow down engineering teams. Laggy approvals for access, flaky integrations, and risky manual changes…
Security vulnerabilities result from interactions between thousands of well-intentioned decisions. What systems or libraries do we use? Should I click yes or no on this authorization prompt? Should we make this system more simple or more safe? Only in the aftermath of security incidents do the regrettable decisions become clear.
…
Login CSRF allows an attacker to force a victim to log in to an attacker-controlled account. It often shows up in vulnerability scans and bug bounties. If you see a Login CSRF vulnerability, should you fix it?
As defenders, we should only spend time fixing Login CSRF if attackers can…
It was a running joke at Twitter for new hires to post to the company-wide list asking why we couldn’t change the “dogs in the office” policy. At Clever we developed a theory that someone on the executive team had an allergy given the continued resistance to bringing dogs to…
This is an abridged version of my LocoMocoSec 2020 conference talk
How do you set the strategy for a security team? If your goals are vague, people on your team will work on whatever they’re interested in because there’s no clear mission. …
We use HTTPS to verify web server identities with X.509 certificates, but TLS also supports mutual authentication, where the server uses certs to verify the client’s identity. …
You can turn on CloudTrail logging with a single command, but how do you use the data for audits and automation? In this post, I’ll describe cloudtrail-parquet-glue, which makes CloudTrail logs efficiently Athena-searchable with minimal custom code (because ”the best code is no code”) using AWS Glue.
First, why use…
AWS IAM policies answer the question “who gets access to what?”. AWS IAM policy conditions answer the more precise question “who gets access to what, when?”. Conditions enhance the expressive power of IAM policies by allowing authors to restrict access control by context. But be warned! They come with surprising…
You can learn a lot by kicking the tires on software. I work on identity systems, so I wanted to take AWS Cognito out for a spin. …
How should we design user access to multiple AWS accounts? As organizations scale, they tend to centralize identity with SSO SAML federation, but there are two patterns for federation with AWS.
Hub-and-spoke: users assume federated roles into a single AWS “identity account” and perform a second role assumption into sub-accounts
…
