Discover more from Last Week As A vCISO
Pentest Frequency, Stack Overflow Hack, Hosted vs Self-Hosted...
As usual a variety of topics have come up throughout the week in conversations and servicing clients.
As usual a variety of topics have come up throughout the week in conversations and servicing clients. So instead of picking just one and going deep, I'm going to touch upon several items you might find useful...
Q: How often am I expected to do a pentest?
This was asked of me recently, and although it's not a blanket rule, most companies and organizations expect you to conduct an audit or pentest annually. If it's been a little over a year, but you have a good reason like you're waiting for a new version of your app or similar, then companies should (depending how they feel that day, lol) be reasonable in allowing an exception.
One piece of advice: Do not share the contents/details of your pentest report if you don't have to. It opens up a whole can of worms, so be prepared for that if you do.
Deep Dive Into the Stack Overflow Security Incident
This blog post was an amazing read! It is a VERY detailed account of how an attacker gained a foothold into their infrastructure, traversed across to other systems, and gained elevated access. The article also included lessons learned, so if you're impatient you can skip to that. Spoiler: The attacker was found searching Stack Overflow for questions when he got stuck! Quite amusing. :)
3rd rails of DevOps: Terragrunt vs Terraform / Mono-Repo vs Multi-Repo
This seems to be the 3rd rail of DevOps! Engineers have very strong opinions on this topic and there is no good or right answer. Similar to whether having a Mono Repo or Multi Repo. Sometimes it feels you're better off having a discussion about religion or politics!!
My security takeaway, as with most requirements, is to just set a universal standard. I don't care how you get it done, as long as it gets done. For example encrypting secrets. We don't care how you do it, just get it done. DRY (Don't Repeat Yourself) a fundamental topic in DevOps, should be followed using whatever structure or tool you use.
Github Hosted Runners vs Self-Hosted
Similar to the above, there is a mindset that if you host something yourself it's more secure by default. Kind of like build vs buy discussions. If you take the onus of hosting yourself, then you must continually ensure security on that deployment. That means updates, patching, networking, and authentication. See the differences yourself, which would you choose?
The answer is not always that simple either. Sometimes a hosted application may not support Assume Role authentication and require an IAM key instead. In that case, assume role trump IAM key. The system as a whole needs to be evaluated, but also the precedence of system maintenance cannot be neglected. If the maintainers don't have a track record of updating their servers, then history will likely repeat itself.
I hope you found this issue useful. If so, I would love it if you forwarded it others without security in their title and encourage them to subscribe!
If you liked this email, forward it to a friend! I'd appreciate it.