A Refactoring Story in Four Parts

I recently tweeted about how people new to programming, or companies that look for candidates and give them programming tests, don’t understand that the first code one writes is just a draft. It can take several edits (so-called “refactors”) to tease out a good, workable, testable, and ultimately simple solution. So here’s a story of how I recently refactored my code 3 times before arriving at a final solution. This happened over the span of a day as I thought about and shaped the code into a format that can be easily tested and understood by others. The code is from a private project, so I am only presenting snippets here and some of the package names and variables have been changed for privacy. ...

October 11, 2019 · 7 min · 1370 words · Scott Brown

Enforcing Least Privilege When Logging Lambda Functions to CloudWatch

UPDATE 2019-10-07: There is a bug in CloudFormation when outputting the LogGroup ARN. See the change below in 4. Define a Policy. UPDATE 2020-06-16: Thanks to jplock, I have fixed an error in the ARN syntax for log-group, where a / should have been a :. I notice that the AWS documentation and even their managed policies (e.g. AWSLambdaBasicExecutionRole) all provide users with insecure examples of how to set up permissions for their Lambda functions to emit their logs to CloudWatch Logs. The permissions are not least privilege, meaning they grant the Lambda function more permission than is necessary and can lead to unintended consequences. Let’s look at the common example given to users: ...

September 20, 2019 · 6 min · 1089 words · Scott Brown

Improved Iterative CloudFormation Infrastructure Development

I love using CloudFormation for provisioning AWS services, but one of the more annoying aspects of working with it is that setting up the initial CloudFormation stack is an all-or-none endeavour. This is in contrast to when a stack already exists and is being updated, where changes are reversible and the stack is almost always left in a working state. This annoyance is compounded when I write a stack definition with multiple resources and, as inevitably happens, there is a typo somewhere. CloudFormation dutifully creates all the resources, trips on the error, and rolls back the entire stack to nothingness. Then I need to delete the stack and start again instead of issuing an update or changeset request. It’s a time-sink and I wanted to find a better way. ...

September 19, 2019 · 2 min · 420 words · Scott Brown

Things I Like About Go

I have been writing a lot of code in Go lately and recently I was asked by someone why I write in Go. Being put on the spot, I didn’t really have an answer, but it did get me thinking about why I like this language over the other languages I work with (Java, Ruby, Python, JavaScript). So without any further ado, here are some things I like about working with Go. ...

August 30, 2019 · 9 min · 1781 words · Scott Brown

The Take-Home Test

Recently I was approached by an internal recruiter looking for someone who dabbles in Cloud, software development, infrastructure and security (so-called “Cloud DevSecOps”). The initial conversations went extremely well and I was moved on to the next stage, where I was told my AWS skills would be “assessed.” The Setup: To my surprise, the assessment meant that I would be given a take-home test, which is an odd way to test someone’s Cloud security skillset. After all, what could they do, grant me access to their AWS account and start racking up charges as I harden the system? All I was given in the preparatory materials was the idea that I would be integrating a third-party SSO provider into a Web application. Okay, this sounds oddly vague but, in a way, it may have a bit to do with Cloud Security. I set aside what limited free time I have these days and submitted a form that informed me that the test would begin and a timer would start. ...

August 5, 2019 · 17 min · 3418 words · Scott Brown

Make Amazon Host Your Lambda Code

A common pattern I see used by Engineering teams when I provide security consulting is creating Lambda functions and hosting their code in their own S3 buckets. This S3 bucket means the Engineering team needs to secure the bucket, which means the following controls are active and maintained: no public S3 access (bucket or object); access logging (logs are sent to yet another bucket!); default encryption of all objects; access control and monitoring; backups; failover region; segregation of code written by different departments; …and that’s just the start. All of that is tedious and creates security busy-work, not to mention you are still responsible for those code assets. Since AWS is hosting my Lambda function, they can host my code too. Here’s how you do it. ...

July 14, 2019 · 3 min · 482 words · Scott Brown

When a mv is a cp

When I was starting to dive deeper into the Ops world, I learned an interesting thing about Linux filesystems and moving files around. This was essential knowledge as my team worked with very large files on a performance-critical system. To improve performance, sometimes moving a file is faster than copying it. In this situation, a move is defined as transferring a file to another location and ensuring that the file at the original location no longer exists. A copy preserves the file at the original location, essentially cloning it. ...

June 5, 2019 · 4 min · 846 words · Scott Brown

Brute-forcing Emailed PDF Paystub Passwords in 30 seconds

A recurring theme in my InfoSec career has been to expose people to how their seemingly-secure practices are actually very insecure. Today I will show one such practice that is quite common. The idea is insidious in that it lulls people into a false sense of security when it takes only a couple of minutes to break. This is similar to the security awareness training I provide: I show the audience a physical lock that is heavy and has the word “Secure” engraved in it. Then I show how it can be picked in 8 seconds. Getting over this cognitive barrier – that something isn’t inherently secure just because it looks that way – is tough for people when they first encounter security. ...

May 17, 2019 · 5 min · 1017 words · Scott Brown

What I Do at Unbounce

I am often asked the question at networking events, “What do you do at Unbounce?” and I never have an engaging answer. I am working on why that is (future article?) but since I am much better at writing, this is what I will try to say. Q: “What do you do at Unbounce?” My position is Head of Security, but that’s when most people’s eyes glaze over or envision me as a security guard. So let me explain it with an example. Have you ever visited a website that was selling a cool new toy, book or idea? Let’s say they ask for your name and email address so you can be put on a notification list when the product is available for purchase. There is a good chance that website is hosted on our system, and your personal data you just submitted is now flowing through our servers and being stored there too. ...

March 8, 2019 · 2 min · 306 words · Scott Brown

Relaxation

I’m learning how to relax for the first time in my life. It sounds crazy, but no one, not even my parents, taught me how to relax. And things that could be relaxing (video games, reading, playing, talking) were given a negative value because they weren’t seen as productive. One of the symptoms of not relaxing is the inability to let go of things. Another is a mind that races when trying to fall asleep. ...

February 22, 2019 · 3 min · 596 words · Scott Brown