Profile picture
Julien Vehent @jvehent
, 11 tweets, 3 min read Read on Twitter
Five years ago, my security reviews were full of mitigations mostly abandoned today: selinux, ddos protection, ids, etc. Not that they were bad, but cloud infrastructure and containers have matured way beyond what we could foresee back then, and we're better off.
For example, I advocated using HAProxy in AWS for better rate limiting and ip blacklisting. I even wrote a long doc on how to do it github.com/jvehent/haprox…. We never used it, mostly because scaling out is generally cheaper and simpler, then straight to cloudflare-type offerings.
Endpoint security (aka. osquery/mig/grr) makes little sense in the short-lived-immutable world we live in today. Auditing provisioning confs solves most needs. Also, systems rarely get popped, and when they do, freezing for forensics is mostly trivial.
IDS straight up doesn't work. Sure, you can route outbound traffic to a NAT instance with IDS, but that's impractical and yields little value when 99.9% of traffic is HTTPS.

Netflow auditing is just as good and doesn't require extra infra.
Even TLS configurations are darn good out of the box nowadays. The need for our Server Side TLS guidelines has reduced dramatically. It's good to see secure-by-default becoming the standard for infra providers.
That's not to say we're done, but we're moving up the stack. Supply chain, authentication (oidc is a mess), fraud detection, etc... The OWASP Top 10 continues to drive the focus of most security teams. Just don't let your budget go to waste on already solved problems.
And before you spend 6 months deploying a complex system, ask yourself "Am I solving the most critical security problem my organization is facing right now?".

Threat hunting is my pet peeve: it's cool, so engineers rush to it, when much lower hanging fruits are still uncovered.
- Can you lock accounts across all your internal and third party apps in a timely manner?
- Can you tell which version of openssl is installed across your production infra?
- Is Kevin over there on vacation in Moscow, or is this access fraudulent?
- What's this new dependency?
Even with mature cloud infrastructure to help you, covering the basics takes years of continued effort. So don't launch yourself into that shiny new project until you're damn sure 1) it solves a critical problem and 2) you have 2 years of runway to finish it.
A relentless focus on removing components of your infra will increase security faster than any new technology ever would.

Gone the puppetmaster, turn off that jenkins, get rid of the central syslogs. All of this can be done by your provider, for less money and more security.
For a somewhat organized list of stuff we care about, see wiki.mozilla.org/Security/Firef…

Doesn't include the infra provisioning piece, like AWS IAM or Kubernetes. This is to be continued...
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Julien Vehent
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
Today @jrf_uk launched our annual state of the nation report #UKPoverty 2018. Here are some of my reflections on what has been a busy few days.
It is crucial when we talk about poverty we recognise progress has been made in tackling child and pensioner poverty before. With the political will and concerted action we can ease the immense strain struggling to make ends meet has on people up and down our country.
The debate about poverty cannot be allowed to become detached from people’s real lives. Obsessive debates about measures only risks distracting us from what matters - protecting everyone in our society from harm.
Read 8 tweets
Profile picture
1️⃣ Five years ago, I suggested systematically Sokaling all peer-reviewed journals. To “Sokal” is, hereby, to attempt to publish clearly bogus papers to illustrate the brokenness of the academic publication process.

2️⃣ Today @HPluckrose, @ConceptualJames & @peterboghossian reported on the first multiple-Sokaling. They were successful in publishing nonsense in top-ranked journals (which comes as no surprise, but is great to have verified).

3️⃣ I had in mind a more ambitious project. Pointing out that “grievance studies” fields are mostly nonsense is shooting fish in a barrel. We know that, for instance, “cognitive neuroscience” is also largely bollocks: biorxiv.org/content/early/…
Read 18 tweets
Profile picture
🎂Today is the 2-year anniversary that Donald Trump announced at a press conference “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,”AND also the anniversary of the first time 12 Russian GRU agents broke into Hillary Clinton's servers.
🎂But it's also the 1-year anniversary that Bill Browder testified in front of the Senate Judiciary Committee about the possibility that the Russians hacked our 2016 election.
⚡️Bill Browder tried to tell the Senate Committee how dangerous Putin is—capable of murder, fraud, corruption, framing him for crimes and—it seemed like they were on the same page, especially the Republicans. Especially, Senator John Cornyn (R-TX).
Read 46 tweets
Profile picture
Five years ago, five justices on the Supreme Court invalidated key provisions of the Voting Rights Act that for decades protected voters in states with pernicious histories of voting discrimination. Don't forget what happened in the immediate aftermath of this appalling decision:
Within 24 hours of the decision, the conservative justices prompted a deluge of voter suppression legislation. Texas and Alabama announced plans to plow ahead with restrictive and previously blocked voter-ID laws. Weeks later, N.C. passed its monster voter suppression law.
Five years later, the landscape is worse: The Republican voter suppression campaign now has the enthusiastic endorsement of the nation’s president – a president who is stacking the federal courts with the very people who cheered the dismantling of the Voting Rights Act.
Read 13 tweets
Profile picture
Five years ago today, two bombs exploded near the finish line of the Boston Marathon. Three people died, and hundreds were injured. Later that week, all hell broke loose in the Boston area. We still don't know who built the bombs.
In 2015, Dzhokhar Tsarnaev was found guilty of bombing the marathon and killing an MIT police officer. He was sentenced to death. The FBI seems to have moved on. But key facts in the case are missing. This is a thread about the loose ends.
The bombings happened on Marathon Monday, April 15, 2013, at around 2:50pm. For days, the government wouldn't say anything about whether it had suspects. Then, on Thursday April 18, at around 5:20pm, the FBI released photos of its suspects.
Read 64 tweets
Profile picture
In Richfield, Ohio, @POTUS now making remarks on #infrastructure to union laborers.
"Plants and factories pouring back into our country. They can't come back fast enough."
"I never give up," says @POTUS of funding for the border wall.
Read 41 tweets

Trending hashtags

#RuleOfLaw #feminine #ukauthorities #policecuts #Pruitt #KidsDeserveIt #terrorists #tyrants #Investigators #Jews #HouseofLords #BikeEquity #TheWorldIsWatching #shares #Charity #bailiffs #religion #thechase #Cressidadick #Brahmanism #Palestine #annualreport #autonomousvehicle #AVs #ofcom

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!