#security (2020-07)
Archive: https://archive.sweetops.com/security/
2020-07-02
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
what waf is everyone using? kubernetes friendly ones would be nice
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
I don’t get your point with k8s, they should not be linked
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Is Kubernetes the right layer for a WAF? Wouldn’t it be nicer to push it out to the edge? E.g. cloudflare
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
we have one currently deployed as a sidecar to the ingress controller
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
WAF and rate limiting, CIDR blocks, etc, should not be in your application stack, but as much as possible before
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
yeah that is a valid point. Have you guys investigated AWS WAF?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Ya, one thing is if the objective is just to block certain kinds of low-volume attacks, but to block any kind of DoS attack, an in-cluster WAF is too late
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
@btai few metrics, rules are not flexible, no default ruleset, AWS WAF is really expensive and not really handful
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
true, I guess the focus was on things like sqli, suspicious activities, etc.
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
more expensive than cloudflare?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
We have not, only because we haven’t liked using the ALB ingress controller since it deploys an ALB for each ingress. Also WAF only works with ALB and not NLB
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
fair point
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
@btai can’t tell you, I never compared the bills
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
but if you’re richie rich, Akamai for DOS protection and WAF
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
do u know the pricing model for cloudflare? we’re paying a ton for sigsci (not my decision) and they charge per request
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
and since it sits behind our ELB in the ingress controller we get charged for ELB healthchecks and other constantly running requests (for example push notifications)
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
it depends on your company size
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
and your needs
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
Discover which Cloudflare plan is correct for your requirements. Find out more about Cloudflare plan pricing and sign up for Cloudflare here!
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
beautiful
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
I don’t see anything about charging per request
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
don’t know for WAF
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
@Issif does cloudflare charge for bandwidth ?
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
doesn’t specify that they do in the pricing plan but some companies leave things like that off sometimes
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
I can ask tomorrow, 1am in France right now
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
@btai bandwidth is free with Cloudflare
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
that’s the insane thing.
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
thanks @Issif and erik!
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
are you using cloudflare as well erik?
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Yep, *.[cloudposse.com](http://cloudposse.com)
and *.[sweetops.com](http://sweetops.com)
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
prob gonna check out both fastly and cloudflare
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Fastly TBH is a little bit cooler since it’s built on varnish under the hood. But with the advent of workers, a lot of what I would have wanted from Fastly is moot.
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
will check out both. if there’s not much of a feature or cost advantage between the two, there’s def an advantage of sweetops user adoption (goes to cloudflare currently)
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
Fastly does charge for transfers, so that’s one reason they can become more expensive quickly.
![Erik Osterman (Cloud Posse) avatar](https://secure.gravatar.com/avatar/88c480d4f73b813904e00a5695a454cb.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0023-72.png)
The CloudFlare free tier service offers unlimited bandwidth while other CDNs charge starting at about $.10/gb. CloudFlare does not have bandwidth limits. As long as the domains being added comply
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
wowie
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
must be running all of cloudflare on spot ocean
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
varnish
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
@Issif I mentioned to Erik already that because of the nature of our business (saas), our clients won’t be ok with us introducing a 3rd party that can terminate tls (cloudflare) so I’m investigating AWS WAF (which all our clients approve before signing) and they now have managed rulesets u can purchase from reputable security companies and also AWS managed rulesets. Still much more expensive than cloudflare though (priced per million requests)
![Issif avatar](https://avatars.slack-edge.com/2019-12-02/848866457345_6b17c415c518a84814ce_72.png)
It makes sense
![Jonathan Le avatar](https://avatars.slack-edge.com/2022-06-30/3743020264469_11185ecccf85573f89bc_72.jpg)
SigSci + using the CDN as the first WAF…ends up being a great combo
![Jonathan Le avatar](https://avatars.slack-edge.com/2022-06-30/3743020264469_11185ecccf85573f89bc_72.jpg)
@btai I didn’t have a great experience with the WAFv1 Managed rulesets 1.5 years ago. Let me know if current Managed rulesets look good to you on the AWS WAF. My biggest issue with the Managed rulesets a while ago was that if something got blocked, there was no way to figure out why it was blocked by the Managed rules, since the rules were a complete blackbox.
2020-07-03
2020-07-10
![Meb avatar](https://secure.gravatar.com/avatar/22f2dd879a5accf3929330d977b39106.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0004-72.png)
Aria Cloud Penetration Testing Tools Container. Aria Cloud is a Docker Container ideal for remote pentesting over SSH or RDP, with a primary emphasis on cloud security tools and secondary on Active…
2020-07-15
![maarten avatar](https://avatars.slack-edge.com/2020-09-28/1393040065826_b0d13cfde15deff02026_72.png)
“The CPU architecture has nothing to do with security.”
![btai avatar](https://avatars.slack-edge.com/2019-09-04/736463433650_34701761239ea7ba8207_72.jpg)
The scammers have raised $20,000 — and rising — in less than an hour.
2020-07-16
2020-07-17
2020-07-23
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
The S3 bucket where Twilio host their JS SDK had public write access for five years
https://www.twilio.com/blog/incident-report-taskrouter-js-sdk-july-2020
![roth.andy avatar](https://avatars.slack-edge.com/2019-09-18/753707271651_6f58c1cbab3c77754f58_72.jpg)
me: I can’t believe they made such a BAD and OBVIOUS mistake
also me: (nervously checking all of my bucket permissions)
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
heh, just implemented some checks for it in OPA
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
At current gig we have an s3 bucket module with sane defaults out of the box, not open to the world. Obvs can still force it though so an OPA policy denies it
![roth.andy avatar](https://avatars.slack-edge.com/2019-09-18/753707271651_6f58c1cbab3c77754f58_72.jpg)
Looks like this one was a mistake when trying to make the bucket public read, which is a totally valid use case, but they added write too
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Yup, easily done
![joshmyers avatar](https://avatars.slack-edge.com/2018-11-20/483958217281_8117d6f6c62807ce9912_72.jpg)
Great office hours btw
2020-07-27
![Mark avatar](https://avatars.slack-edge.com/2020-07-22/1249261538486_80e1da6c1a8550dc3a8d_72.png)
Hey folks, very much not a security expert but how does one decide on requiring AntiVirus on virtual servers? We are a payroll company that will accept files from trusted partners and are currently running on Windows but are about to shift/upgrade (however you like to think) to Linux. I’m not totally sure of the previous reasoning about installing AVs on all the instances other than thinking it’s a de facto Windows thought. Reasons I’m leaning towards saying no are:
• We don’t run anything on the machine that isn’t ours or from untrusted sources
• We are accepting text (xml) files only
• We will be using AWS Linux provided AMIs and despite malware existing I don’t see us being susceptible
• Our current AV provider causes high CPU usage and can trigger alarms which means verifying false positive alarm
• I feel more secure with Live Patching
• SEL but I’m again no expert in this configuration
Things that would make me say yes are simply Security Certificate standards like SOC, SOC2, etc.
![Mark avatar](https://avatars.slack-edge.com/2020-07-22/1249261538486_80e1da6c1a8550dc3a8d_72.png)
Are there other important factors I’m not considering?
![Alex Siegman avatar](https://avatars.slack-edge.com/2019-04-10/592429074434_cea95e800f54d8ea3544_72.jpg)
Could you consider a file transfer process that includes scans on third-party provided content, rather than an always on server-wide thing that would use up CPU and disk i/o?
![Igor avatar](https://avatars.slack-edge.com/2022-03-17/3244104166391_48a8db73944f03735a65_72.jpg)
It’s best to scan and validate the input assuming everything else is locked down
![Mark avatar](https://avatars.slack-edge.com/2020-07-22/1249261538486_80e1da6c1a8550dc3a8d_72.png)
Yeah that is definitely a consideration and the more I think on how we can do it, I like it regardless of the effort/complexity. I needed somewhere to talk and not have bias. Thanks peeps.
![Maciek Strömich avatar](https://secure.gravatar.com/avatar/98de12365b633b063e208220100d4594.jpg?s=72&d=https%3A%2F%2Fa.slack-edge.com%2Fdf10d%2Fimg%2Favatars%2Fava_0002-72.png)
Check if your AV is checking the XML files as well upon upload. It may be a safeguard, and in your implementation under Linux you will have to think more about defusing some XML functionalities which tend to be used in a malicious manner. So (depending on your implementation) migration to defusedxml (python based library) or an alternative is worth considering.
![Zach avatar](https://avatars.slack-edge.com/2020-07-21/1278358623280_e99d673db1471fc93095_72.jpg)
I’m curious about this too … I’m being told for HiTrust that we must have AV on servers, but these requirements are really aimed at physical infra or people’s “workstations”. Putting mcafee on a t3.nano instance hosting a backend web app seems like a recipe for disaster