My Favourite Quotes

This post will be a living document that stores all my favourite quotes. At this point, I’m not going to comment on the quotes themselves, or why I find them good. I typically keep these in a private document, but I want to just share them with you and maybe you will think about how they fit into your mindset. Or maybe the quote means nothing to you and you move on. That’s fine too. ...

February 5, 2020 · 1 min · 212 words · Scott Brown

2019 Playlist

These are the songs I was listening to this year.

Where Are You Now? – Lady Leshurr, Wiley – Where Are You Now?
Mad Love – Sean Paul, David Guetta, Becky G – Mad Love
One Click Headshot – Feed Me – Feed Me’s Escape from Electric Mountain
Love Is All I Got – Feed Me, Crystal Fighters – Calamari Tuesday
Be Nice – Black Eyed Peas, Snoop Dogg – Be Nice
Summer Days – Martin Garrix, Macklemore, Fall Out Boy – Summer Days
Intoxicated – Martin Solveig, Good Times Ahead – Intoxicated
Get Up (Rattle) – Bingo Players, Far East Movement – Get Up (Rattle)
Chameleon – PNAU – Chameleon
Instruction – Jax Jones, Demi Lovato, Stefflon Don – Snacks
Work Bitch – Britney Spears – Britney Jean
Drop That Low (When I Dip) – Tujamo – Drop That Low (When I Dip)
I Love It – Icona Pop, Charli XCX – THIS IS… ICONA POP
Five More Hours – Deorro, Chris Brown – Good Evening
I Like It - Dillon Francis Remix – Cardi B, Bad Bunny, J Balvin, Dillon Francis – I Like It
Way To Break My Heart – Ed Sheeran, Skrillex – No.6 Collaborations Project
Antisocial – Ed Sheeran, Travis Scott – No.6 Collaborations Project
Freelance – Toro y Moi – Outer Peace
Harder – Jax Jones, Bebe Rexha – Snacks
When the Rain Begins to Fall – Jermaine Jackson, Pia Zadora – Jermaine Jackson
Moonlight – Gaullin – Moonlight

And that’s it for 2019! See you next year! ...

December 31, 2019 · 2 min · 254 words · Scott Brown

A Refactoring Story in Four Parts

I recently tweeted about how people new to programming, or companies that look for candidates and give them programming tests, don’t understand that the first code one writes is just a draft. It can take several edits (so-called “refactors”) to tease out a good, workable, testable, and ultimately simple solution. So here’s a story of how I recently refactored my code 3 times before arriving at a final solution. This happened over the span of a day as I thought about and shaped the code into a format that can be easily tested and understood by others. The code is from a private project, so I am only presenting snippets here and some of the package names and variables have been changed for privacy. ...

October 11, 2019 · 7 min · 1370 words · Scott Brown

Enforcing Least Privilege When Logging Lambda Functions to CloudWatch

UPDATE 2019-10-07: There is a bug in CloudFormation when outputting the LogGroup ARN. See the change below in 4. Define a Policy.

UPDATE 2020-06-16: Thanks to jplock, I have fixed an error in the ARN syntax for log-group, where a / should have been a :.

I notice that the AWS documentation and even their managed policies (e.g. AWSLambdaBasicExecutionRole) all provide users with insecure examples of how to set up permissions for their Lambda functions to emit their logs to CloudWatch Logs. The permissions are not least privilege, meaning they grant the Lambda function more permissions than are necessary, which can lead to unintended consequences. Let’s look at the common example given to users: ...

September 20, 2019 · 6 min · 1089 words · Scott Brown

Improved Iterative CloudFormation Infrastructure Development

I love using CloudFormation for provisioning AWS services but one of the more annoying aspects about working with it is that setting up the initial CloudFormation stack is an all-or-none endeavour. This is in contrast to when a stack exists and is being updated, where changes are reversible and the stack is almost always left in a working state. This annoyance is compounded when I write a stack definition with multiple resources and, as it inevitably happens, there is a typo somewhere. CloudFormation dutifully creates all the resources, trips on the error, and rolls back the entire stack to nothingness. Then I need to delete the stack and start again instead of issuing an update or changeset request. It’s a time-sink and I wanted to find a better way. ...

September 19, 2019 · 2 min · 420 words · Scott Brown

Things I Like About Go

I have been writing a lot of code in Go lately and recently I was asked by someone why I write in Go. Being put on the spot, I didn’t really have an answer, but it did get me thinking about why I like this language over the other languages I work with (Java, Ruby, Python, JavaScript). So without any further ado, here are some things I like about working with Go. ...

August 30, 2019 · 9 min · 1781 words · Scott Brown

The Take-Home Test

Recently I was approached by an internal recruiter looking for someone who dabbles in Cloud, software development, infrastructure and security (so-called “Cloud DevSecOps”). The initial conversations went extremely well and I was moved onto the next stage where I was told my AWS skills would be “assessed.”

The Setup

To my surprise, the assessment meant that I would be given a take-home test, which is an odd way to test someone’s Cloud security skillset. After all, what could they do, grant me access to their AWS account and start racking up charges as I harden the system? All I was given in the preparatory materials was the idea that I would be integrating a third-party SSO provider into a Web application. Okay, this sounds oddly vague but, in a way, it may have a bit to do with Cloud Security. I set aside what limited free time I have these days and submitted a form that informs me that the test will begin and a timer will start. ...

August 5, 2019 · 17 min · 3418 words · Scott Brown

Make Amazon Host Your Lambda Code

A common pattern I see used by Engineering teams when I provide security consulting is creating Lambda functions and hosting their code in their own S3 buckets. This S3 bucket means the Engineering team needs to secure the bucket, which means the following controls are active and maintained:

no public S3 access (bucket or object)
access logging (logs are sent to yet another bucket!)
default encryption of all objects
access control and monitoring
backups
failover region
segregation of code written by different departments

…and that’s just the start. All of that is tedious and creates security busy-work, not to mention you are still responsible for those code assets. Since AWS is hosting my Lambda function, they can host my code too. Here’s how you do it. ...

July 14, 2019 · 3 min · 482 words · Scott Brown

When a mv is a cp

When I was starting to dive deeper into the Ops world, I learned an interesting thing about Linux filesystems and moving files around. This was essential knowledge as my team worked with very large files on a performance-critical system. To improve performance, sometimes moving a file is faster than copying it. In this situation, a move is defined as transferring a file to another location and ensuring that the file at the original location no longer exists. A copy preserves the file at the original location, essentially cloning it. ...

June 5, 2019 · 4 min · 846 words · Scott Brown

Brute-forcing Emailed PDF Paystub Passwords in 30 seconds

A recurring theme in my InfoSec career has been to expose people to how their seemingly-secure practices are actually very insecure. Today I will show one such practice that is quite common. The idea is insidious in that it lulls people into a false sense of security when it takes only a couple of minutes to break. This is similar to the security awareness training I provide: I show the audience a physical lock that is heavy and has the word “Secure” engraved in it. Then I show how it can be picked in 8 seconds. Getting over this cognitive barrier – that something isn’t inherently secure just because it looks that way – is tough for people when they first encounter security. ...

May 17, 2019 · 5 min · 1017 words · Scott Brown