One thing I'd mention too, although potentially obvious (it never hurts to state the obvious), is to always apply the principle of Least Privilege.
Interesting, tell me more. I haven't heard about that before.
Give your users, services, etc. the least amount of privileges necessary to function and no more. For example, I recently watched a security video on how to hack AWS Lambda. Pretty much all the exploits depended on the admin being lazy and giving the IAM account all privileges (*) rather than creating multiple accounts and customizing the capabilities of each one to the task at hand.

👍 Thanks for providing the explanation Kasey, was in a meeting before, so didn't have time to respond.
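A worked check for the wildcard-policy point above. This is an added example, not code from the original thread or from AWS: two constructed policy documents for a Lambda execution role (the lazy "*" policy the comment describes beside a scoped one; the account id, table name and log group are placeholders) are run through a small linter that flags Action "*", service-wide actions such as s3:*, Resource "*" and NotAction/NotResource grants.

```python
"""Lint IAM policy documents for grants wider than the principle of Least
Privilege allows.

Added example, not code from the original thread or from AWS: two constructed
policy documents for a Lambda execution role (the lazy "*" policy the comment
describes and a scoped one) and a small linter that reports over-broad Allows.
The account id, table name and log group are placeholders, not real identifiers.
"""
import json
from typing import Any, Dict, List, Union

# Constructed sample: the "just give it everything" policy the comment warns about.
LAZY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: the same function scoped to what it actually does,
# read one DynamoDB table and write to its own CloudWatch log group.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOrdersTable",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
        },
        {
            "Sid": "WriteOwnLogs",
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:"
                        "log-group:/aws/lambda/orders-fn:*",
        },
    ],
}


def _as_list(value: Any) -> List[str]:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy: Union[str, Dict[str, Any]]) -> List[str]:
    """Return one finding per over-broad grant; an empty list means nothing flagged.

    Accepts the policy as a JSON string (as stored in IAM) or an already-parsed dict.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single bare statement object
        statements = [statements]

    findings: List[str] = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow privilege, never widen it
        sid = stmt.get("Sid", f"statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API call in every service")
        for action in actions:
            if action.endswith(":*"):  # e.g. s3:* or iam:*
                findings.append(f"{sid}: Action '{action}' grants an entire service")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies to every resource in the account")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(
                f"{sid}: NotAction/NotResource allows everything except a list; "
                "prefer an explicit allow-list"
            )
    return findings


def is_least_privilege(policy: Union[str, Dict[str, Any]]) -> bool:
    """True when the linter has nothing to flag."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, doc in (("lazy", LAZY_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {lint_policy(doc) or ['no findings']}")
```

The linter deliberately ignores Deny statements, since they can only narrow a grant, and treats a service-wide action such as s3:* as a finding even when the resource is scoped, because the bug-prone pattern the comment describes is the role that can do far more than the one task it was created for.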
For reference, I came across this in 2014 while working on Identity Access Management (IAM) for a bunch of SharePoint applications that were using WS-Federation, SAML etc. Although the code is generally related to C#, this was a great blog I used at the time, leastprivilege.com.
Dominick Baier, the author of this blog, is well versed in IAM, specifically on the .NET platform. If you're in that ecosystem, you should check out github.com/identityserver
We use IdentityServer for one of our systems, actually.
Our client ended up going with commercial software. We set them up with Optimal IdM. Great product and support. We needed an on premise solution, so it fit their needs. The virtual feature allowed us to expose all the clients' user stores as one.
Ah that all makes a lot of sense. We've recently gone through a process of doing that at work.
@robdwaller, here's a real world example that occurred yesterday.
Why people run npm with sudo makes no sense to me as you don't need to.

I Am Devloper (@iamdevloper): "You get root access! You get root access! You get root access! You get root access! Everybody gets root access!" Oprah exclaimed. "Everybody gets root access! Everybody gets root access!"

In this particular case, by giving npm too much privilege, it wreaked havoc on Linux file systems: Show-stopping bug appears in npm Node.js package manager | ZDNet.
Had npm been run as a non-root user (least privilege), this would not have happened. The issue has since been fixed with a patch.
I have to admit I hate NPM. I've scrapped entire boxes and started over because I've messed up an NPM install. It always feels more like sorcery than actual Dev ops. Always advise developers to be careful with Node and NPM.
Also, I would be remiss without linking this: Principle of Least Privilege
But that's just more dogma too. Don't get me wrong, the principle of Least Privilege is a fantastic security tool, but it comes at a cost, and sometimes what you're protecting just isn't worth that cost. For example, I run my own server which handles my mail and runs my blog, and I also run an always connected IRC client through screen on it. The principle of Least Privilege would say that I should use a different user account that doesn't have the ability to admin my web and mail server for running my IRC client. But I don't, because the value of my mail and web server isn't that high, not high enough to outweigh the cost of managing multiple user accounts and SSH keys for logging in to the one server. That's a pragmatic decision I've made after understanding the threats.