Make Amazon Host Your Lambda Code

A common pattern I see used by Engineering teams when I provide security consulting is them creating Lambda functions and hosting their code in their own S3 buckets. This S3 bucket means the Engineering team needs to secure the bucket, which means the following controls are active and maintained:

no public S3 access (bucket or object)
access logging (logs are sent to yet another bucket!)
default encryption of all objects
access control and monitoring
backups
failover region
segregation of code written by different departments

…and that's just the start. All of that is tedious and creates security busy-work, not to mention you are still responsible for those code assets. Since AWS is hosting my Lambda function, they can host my code too. Here's how you do it. ...

July 14, 2019 · 3 min · 482 words · Scott Brown

When a mv is a cp

When I was starting to dive deeper into the Ops world, I learned an interesting thing about Linux filesystems and moving files around. This was essential knowledge as my team worked with very large files on a performance-critical system. To improve performance, sometimes moving a file is faster than copying it. In this situation, a move is defined as transferring a file to another location and ensuring that the file at the original location no longer exists. A copy preserves the file at the original location, essentially cloning it. ...

June 5, 2019 · 4 min · 846 words · Scott Brown

Brute-forcing Emailed PDF Paystub Passwords in 30 seconds

A recurring theme in my InfoSec career has been to expose people to how their seemingly-secure practices are actually very insecure. Today I will show one such practice that is quite common. The idea is insidious in that it lulls people into a false sense of security when it takes only a couple minutes to break. This is similar to the security awareness training I provide: I show the audience a physical lock that is heavy and has the words “Secure” engraved in it. Then I show how it can be picked in 8 seconds. Getting over this cognitive barrier – that something isn’t inherently secure just because it looks that way – is tough for people when they first encounter security. ...

May 17, 2019 · 5 min · 1017 words · Scott Brown

What I Do at Unbounce

I am often asked the question at networking events, “What do you do at Unbounce?” and I never have an engaging answer. I am working on why that is (future article?) but since I am much better at writing, this is what I will try to say. Q: “What do you do at Unbounce?” My position is Head of Security, but that’s when most people’s eyes glaze over or envision me as a security guard. So let me explain it with an example. Have you ever visited a website that was selling a cool new toy, book or idea? Let’s say they ask for your name and email address so you can be put on a notification list when the product is available for purchase. There is a good chance that website is hosted on our system, and your personal data you just submitted is now flowing through our servers and being stored there too. ...

March 8, 2019 · 2 min · 306 words · Scott Brown

Relaxation

I'm learning how to relax for the first time in my life. It sounds crazy but no one, not even parents, taught me how to relax. And things that could be relaxing (videogames, reading, playing, talking) were given a negative value because they weren't seen as productive. One of the symptoms of not relaxing is the inability to let go of things. Another is a mind that races when trying to fall asleep. ...

February 22, 2019 · 3 min · 596 words · Scott Brown

Calculating Vulnerability Alerts with the Github API

At work I recently had to show our risk profile with Github vulnerability alerts and display them in Domo. Github’s APIv3 (REST) doesn’t allow you to query the vulnerability alerts, but APIv4 (GraphQL) does. I found the documentation around gathering those results very opaque due to being in Preview status, so here are some examples for pulling out the data you need. Github Vulnerability Alerts can be enabled in the Settings component of a repository. It will scan the dependencies listed in various package managers (requirements.txt, package.json, etc) and build a dependency graph (super cool!). From there, each dependency is checked for CVEs posted on public vulnerability websites. This is useful information but it is difficult to visualize when you have many (in my case, hundreds) of repositories to watch. ...

February 8, 2019 · 3 min · 529 words · Scott Brown

Implementing a Double-Lock for IAM Role Switching

IAM provides a way for users and roles to become another role. This is known as IAM role switching and uses the underlying sts:AssumeRole action. You can restrict IAM role switching in one of two ways, what I like to call the single lock and double lock methods. With any IAM role switch, there is a two-way handshake. The person (source) switching to the role (target) must be allowed to assume the role, plus the target must allow the source to assume it. That way, an IAM role switch can be used to switch between roles within the same account, or roles within different AWS accounts (maybe one that you don't even own). ...

January 24, 2019 · 3 min · 601 words · Scott Brown

2018 Playlist

These are the songs I was listening to this year.

Let's Get Married – Jagged Edge – J.E. Heartbreak
Automaton – Jamiroquai – Automaton
Cloud 9 - Fred Falke Remix – Jamiroquai, Fred Falke – Cloud 9
Superfresh – Jamiroquai – Automaton
Oh My Gosh – Basement Jaxx – The Singles
Lady (Hear Me Tonight) – Madjo – Vintage Ibiza Classics
Old Thing Back – Matoma, The Notorious B.I.G., Ja Rule, Ralph Tresvant – Old Thing Back
I Know You Want Me (Calle Ocho) – Pitbull – Pitbull Starring In Rebelution
Where Them Girls At – David Guetta – Nothing but the Beat
Delirious (Boneless) – Steve Aoki, Chris Lake, Tujamo, Kid Ink – Delirious
Pay My Rent – DNCE – DNCE
U Got Me – Room 5 – Music & You
U Don't Know Me – Armand Van Helden – 2 Future 4 U
World, Hold On – Bob Sinclar – Dance Grooves, Vol. 3
The Bomb! (These Sounds Fall Into My Mind) – Kenny Dope, The Bucketheads – Henry Street Bombs Vol. 1
Corner Store – Macklemore, Dave B., Travis Thompson – GEMINI
Don't Call Me Baby – Madison Avenue – Don't Call Me Baby
In My Feelings – Drake – Scorpion
Girls Like You - Cardi B Version – Maroon 5, Cardi B – Red Pill Blues
I Love It – Kanye West, Lil Pump – I Love It
Despacito – Luis Fonsi, Daddy Yankee – Shut Up Lets Dance
Steal My Sunshine – Len – You Can't Stop The Bum Rush
Pinch Me – Barenaked Ladies – Maroon
All Star – Smash Mouth – Astro Lounge
Peanut Butter Jelly – Galantis – Pharmacy
Do It Right – Martin Solveig, Tkay Maidza – Do It Right
Toy – Netta – Toy
Water Me – Lizzo – Water Me

And that's it for 2018! See you next year! ...

December 31, 2018 · 2 min · 310 words · Scott Brown

Forget SSH on AWS, Use SSM SessionManager

I don't often talk of my employer, mainly to keep an arm's length distance between them and the writing on my blog. However, one of the great things about working at Unbounce is the concept of a Professional Development day (Pro-D). This is just like when you were in school and the teachers would take a day for themselves to improve. At Unbounce, every employee gets one day (8 hours) every 2 weeks to educate themselves and elevate their professional and career interests. Some of my best ideas have come out of things I learned on Pro-D day. Today, I decided to take a moment to learn about the AWS Systems Manager Session Manager (whoa, that's a mouthful). ...

September 21, 2018 · 9 min · 1725 words · Scott Brown

Skills I Offer Companies

Recently, I was speaking with a company about opportunities they have. It’s a regular, casual affair that I do every so often. It keeps me grounded about what the job market is like, and allows me to see if there are other opportunities out there (because if you never look, opportunities never exist). At the end of the day, I like to help people solve problems because it makes me feel valued. ...

May 28, 2018 · 5 min · 1030 words · Scott Brown