Service accounts for Software-as-a-Service (SaaS) applications have high levels of access and are shared between multiple people — a tempting target for attackers. But service accounts aren’t just a source of security risk. They can also slow down engineering teams. Laggy approvals for access, flaky integrations, and risky manual changes…

Security vulnerabilities result from interactions between thousands of well-intentioned decisions. What systems or libraries do we use? Should I click yes or no on this authorization prompt? Should we make this system more simple or more safe? Only in the aftermath of security incidents do the regrettable decisions become clear.

Login CSRF allows an attacker to force a victim to log in to an attacker-controlled account. It often shows up in vulnerability scans and bug bounties. If you see a Login CSRF vulnerability, should you fix it?

As defenders, we should only spend time fixing Login CSRF if attackers can…

How should we design user access to multiple AWS accounts? As organizations scale, they tend to centralize identity with SSO SAML federation, but there are two patterns for federation with AWS.

Hub-and-spoke: users assume federated roles into a single AWS “identity account” and perform a second role assumption into sub-accounts

Alex Smolen

Security for the people.
