Julien Vehent @jvehent, 11 tweets
Five years ago, my security reviews were full of mitigations mostly abandoned today: SELinux, DDoS protection, IDS, etc. Not that they were bad, but cloud infrastructure and containers have matured way beyond what we could foresee back then, and we're better off.
For example, I advocated using HAProxy in AWS for better rate limiting and IP blacklisting. I even wrote a long doc on how to do it github.com/jvehent/haprox…. We never used it, mostly because scaling out is generally cheaper and simpler, then straight to Cloudflare-type offerings.
Endpoint security (aka osquery/MIG/GRR) makes little sense in the short-lived, immutable world we live in today. Auditing provisioning configs solves most needs. Also, systems rarely get popped, and when they do, freezing for forensics is mostly trivial.
IDS straight up doesn't work. Sure, you can route outbound traffic to a NAT instance with IDS, but that's impractical and yields little value when 99.9% of traffic is HTTPS.

Netflow auditing is just as good and doesn't require extra infra.
Even TLS configurations are darn good out of the box nowadays. The need for our Server Side TLS guidelines has reduced dramatically. It's good to see secure-by-default becoming the standard for infra providers.
That's not to say we're done, but we're moving up the stack. Supply chain, authentication (OIDC is a mess), fraud detection, etc. The OWASP Top 10 continues to drive the focus of most security teams. Just don't let your budget go to waste on already solved problems.
And before you spend 6 months deploying a complex system, ask yourself "Am I solving the most critical security problem my organization is facing right now?".

Threat hunting is my pet peeve: it's cool, so engineers rush to it, when much lower hanging fruits are still uncovered.
- Can you lock accounts across all your internal and third party apps in a timely manner?
- Can you tell which version of openssl is installed across your production infra?
- Is Kevin over there on vacation in Moscow, or is this access fraudulent?
- What's this new dependency?
Even with mature cloud infrastructure to help you, covering the basics takes years of continued effort. So don't launch yourself into that shiny new project until you're damn sure 1) it solves a critical problem and 2) you have 2 years of runway to finish it.
A relentless focus on removing components of your infra will increase security faster than any new technology ever would.

Ditch the Puppet master, turn off that Jenkins, get rid of the central syslogs. All of this can be done by your provider, for less money and more security.
For a somewhat organized list of stuff we care about, see wiki.mozilla.org/Security/Firef…

Doesn't include the infra provisioning piece, like AWS IAM or Kubernetes. This is to be continued...
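One of the "basics" questions in the thread, "Is Kevin over there on vacation in Moscow, or is this access fraudulent?", is the classic impossible-travel check: compare consecutive logins per user and flag pairs that would require moving faster than any airliner. The script below is an added example, not code from the thread or from Mozilla; the login events, city coordinates and the 900 km/h threshold are all constructed assumptions, and in a real deployment the coordinates would come from a GeoIP lookup on the source address.

```python
"""Impossible-travel check over login events.

Added example, not from the thread: flags the "Is Kevin on vacation in
Moscow, or is this access fraudulent?" case by comparing consecutive
logins per user. All log events and coordinates below are constructed
sample data; the speed threshold is an assumed value.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Anything faster than this between two logins is treated as impossible
# (assumed threshold; a long-haul flight cruises around 900 km/h).
MAX_PLAUSIBLE_KMH = 900.0

# Constructed login events: (timestamp, user, source city, lat, lon).
# In practice lat/lon would come from a GeoIP lookup on the source IP.
SAMPLE_LOGINS = [
    ("2019-03-04T09:00:00", "kevin", "Paris",  48.8566,  2.3522),
    ("2019-03-04T09:40:00", "kevin", "Moscow", 55.7558, 37.6173),
    ("2019-03-04T08:15:00", "alice", "Paris",  48.8566,  2.3522),
    ("2019-03-04T11:30:00", "alice", "Lyon",   45.7640,  4.8357),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive logins by the same user
    whose implied speed exceeds max_kmh. Events are grouped per user and
    sorted by time, so input order does not matter."""
    by_user = {}
    for ts, user, city, lat, lon in logins:
        by_user.setdefault(user, []).append(
            (datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < 1.0:
                # Same location (e.g. office IP range): nothing to flag.
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two distant locations at the same instant is the extreme case;
            # avoid a division by zero and treat it as infinite speed.
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from": c1, "to": c2,
                               "km": round(dist), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {alert['user']}: {alert['from']} -> {alert['to']} "
              f"({alert['km']} km, implied {alert['kmh']} km/h)")
```

On the sample data Kevin's Paris-to-Moscow hop (about 2,500 km in 40 minutes) is flagged, while Alice's Paris-to-Lyon move three hours later is not. The check deliberately looks only at consecutive events, so it stays cheap enough to run on every login, which is the point of the thread: this kind of question should be answerable before anyone spends months on a threat-hunting platform.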