#security (2020-07)

Archive: https://archive.sweetops.com/security/

2020-07-30

2020-07-29

2020-07-28

2020-07-27

Mark avatar

Hey folks, very much not a security expert but how does one decide on requiring AntiVirus on virtual servers? We are a payroll company that will accept files from trusted partners and are currently running on Windows but are about to shift/upgrade (however you like to think ) to Linux. I’m not totally sure of the previous reasoning about installing AV’s on all the instances other than thinking it’s a de facto Windows thought. Reasons I’m leaning towards saying no are:

• We don’t run anything on the machine that isn’t ours or from untrusted sources

• We are accepting text files (xml) files only

• We will be using aws linux provided ami’s and despite malware existing I don’t see us being susceptible

• Our current AV provider causes high CPU usage and can trigger alarms which means verifying false positive alarm

• I feel more secure with Live Patching

• SEL but I’m again no expert in this configuration Things that would make me say yes are simply Security Certificate standards like SOC, SOC2, etc.

Mark avatar

Are there other important factors I’m not considering

Alex Siegman avatar
Alex Siegman

Could you consider a file transfer process that includes scans on third-party provided content, rather than an always on server-wide thing that would use up CPU and disk i/o?

imiltchman avatar
imiltchman

It’s best to scan and validate the input assuming everything else is locked down

Mark avatar

Yeah that is definitely a consideration and the more I think on how we can do it, I like it regardless of the effort/complexity. I needed somewhere to talk and not have bias Thanks peeps.

Maciek Strömich avatar
Maciek Strömich

check if your AV is checking the XML files as well upon upload. it may be a safeguard and in your implementation under linux you will have to think more about defusing some xml functionalities which tend to be used in malicious manner. So (depending on your implementation) migration to defusedxml (python based library) or alternative is worth considering.

Zach avatar

I’m curious about this too … I’m being told for HiTrust that we must have AV on servers, but these requirements are really aimed at physical infra or people’s “workstations”. Putting mcafee on a t3.nano instance hosting a backend web app seems like a recipe for disaster

2020-07-23

joshmyers avatar
joshmyers

The S3 bucket where Twilio host their JS SDK had pubic write access for five years

https://www.twilio.com/blog/incident-report-taskrouter-js-sdk-july-2020

roth.andy avatar
roth.andy

me: I can’t believe they made such a BAD and OBVIOUS mistake

also me: (nervously checking all of my bucket permissions)

joshmyers avatar
joshmyers

heh, just implemented some checks for it in OPA

joshmyers avatar
joshmyers

At current gig we have an s3 bucket module with sane defaults out of the box, not open to the world. Obvs can still force it though so an OPA policy denies it

roth.andy avatar
roth.andy

Looks like this one was a mistake when trying to make the bucket public read, which is a totally valid use case, but they added write too

joshmyers avatar
joshmyers

Yup, easily done

joshmyers avatar
joshmyers

Great office hours btw :–1:

2020-07-17

2020-07-16

2020-07-10

Meb avatar
iknowjason/AriaCloud

Aria Cloud Penetration Testing Tools Container. Aria Cloud is a Docker Container ideal for remote pentesting over SSH or RDP, with a primary emphasis on cloud security tools and secondary on Active…

2020-07-03

2020-07-02

btai avatar

what waf is everyone using? kubernetes friendly ones would be nice

Issif avatar
Issif

I don’t get your point with k8s, they should not be linked

Issif avatar
Issif

We use Cloudflare btw

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Is Kubernetes the right layer for a WAF? Wouldn’t it be nicer to push it out to the edge? E.g. cloudflare

:--1:2
btai avatar

we have one currently deployed as a sidecar to the ingress controller

Issif avatar
Issif

WAF and rate limiting, CIDR blocks, etc, should not be in you application stack, but as much possible before

btai avatar

yeah that is a valid point. Have you guys investigated AWS WAF?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ya one thing is if the objective is just to block certain kinds of low volume attacks, but to block any kind of DoS attack, in cluster WAF is too late

Issif avatar
Issif

@btai few metrics, rules are not flexible, no default ruleset, AWS WAF is really expensive and not really handful

btai avatar

true, i guess the focus was on things like sqli, suspicious activities, etc.

btai avatar

more expensive than cloudflare?

Issif avatar
Issif

DOS = layer 4, WAF = layer 7

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We have not only because haven’t liked using the ALB ingress controller since it deploys an ALB for each ingress. Also waf only works with ALB and not NLB

Issif avatar
Issif

fair point

Issif avatar
Issif

@btai can’t tell you, I never compared the bills

Issif avatar
Issif

but if you’re richie rich, Akamai for DOS protection and WAF

btai avatar

do u know the pricing model for cloudflare? we’re paying a ton for sigsci (not my decision) and they charge per request

btai avatar

and since it sits behind our ELB in the ingress controller we get charged for ELB healthchecks and other constantly running requests (for example push notifications)

Issif avatar
Issif

it depends your company size

Issif avatar
Issif

and your needs

Issif avatar
Issif
Nos offres | Tarifs | Cloudflare

Discover which Cloudflare plan is correct for your requirements. Find out more about Cloudflare plan pricing and sign up for Cloudflare here!

btai avatar

beautiful

btai avatar

i dont see anything about charging per request

Issif avatar
Issif
09:52:16 PM
Issif avatar
Issif

don’t know for WAF

btai avatar

@Issif does cloudflare charge for bandwidth ?

btai avatar

doesn’t specify that they do in the pricing plan but some companies leave things like that off sometimes

Issif avatar
Issif

I can ask tomorrow, 1am in France right now

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

@btai bandwidth is free with Cloudflare

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

that’s the insane thing.

btai avatar

thanks @Issif and erik!

btai avatar

are you using cloudflare as well erik?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Yep, *.[cloudposse.com> and *.<http://sweetops.com|sweetops.com](http://cloudposse\.com)

btai avatar

prob gonna check out both fastly and cloudflare

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Love using their edge workers too

:--1:1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Fastly TBH is a little bit cooler since it’s built on varnish under the hood. But with the advent of workers, a lot of what I would have wanted from Fastly is moot.

btai avatar

will check out both. if there’s not much of a feature or cost advantage between the two, theres def an advantage of sweetops user adoption (goes to cloudflare currently)

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Fastly does charge for transfers, so that’s one reason they can be come more expensive quickly.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
11:20:27 PM
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
How can CloudFlare offer a free CDN with unlimited bandwidth?

The CloudFlare free tier service offers unlimited bandwith while other CDNs charge starting at about $.10/gb. CloudFlare does not have bandwidth limits. As long as the domains being added comply

btai avatar

wowie

btai avatar

must be running all of cloudflare on on spot ocean

Issif avatar
Issif

varnish

btai avatar

@Issif i mentioned to Erik already that because of the nature of our business (saas), our clients wont be ok with us introducing a 3rd party that can terminate tls (cloudflare) so I’m investigating AWS WAF (which all our clients approve before signing) and they now have managed rulesets u can purchase from reputable security companies and also AWS managed rulesets. Still much more expensive than cloudflare though (priced per million requests)

Issif avatar
Issif

It makes sense

Jonathan Le avatar
Jonathan Le

SigSci + using the CDN as the first WAF…ends up being a great combo

    keyboard_arrow_up