Newsletter #12: Pentest Frequency, Stack Overflow Hack, Hosted vs Self-Hosted
As usual, a variety of topics have come up throughout the week in conversations and servicing clients. So, instead of picking just one and going deep, I’m going to touch upon several items you might find useful…
Q: How often am I expected to do a pentest?
This was asked recently and although it’s not a blanket rule, most companies and organizations expect you to conduct an audit or pentest annually. If it’s been a little over a year but you have a good reason (like you’re waiting for a new version of your app or similar), companies might (depending on how they feel that day, lol) be reasonable in allowing an exception.
One piece of advice: Do not share the contents/details of your pentest report if you don’t have to. It opens up a whole can of worms, so be prepared for that if you do.
Deep Dive Into the Stack Overflow Security Incident
This blog post was an amazing read! It is a VERY detailed account of how an attacker gained a foothold into their infrastructure, traversed across to other systems, and gained elevated access. The article also included lessons learned, so if you’re impatient, you can skip to that.
Spoiler: The attacker was found searching Stack Overflow for questions when he got stuck! Quite amusing. 🙂
3rd rails of DevOps: Terragrunt vs. Terraform/Mono-Repo vs. Multi-Repo
This seems to be the 3rd rail of DevOps! Engineers have strong opinions on this topic, and there is no good or right answer, similar to whether having a Mono Repo or Multi Repo. Sometimes, it feels you’re better off discussing religion or politics!
My security takeaway, as with most requirements, is to set a universal standard. I don’t care how you get it done, as long as it gets done. For example, encrypting secrets. We don’t care how you do it. Just get it done. DRY (Don’t Repeat Yourself), a fundamental topic in DevOps, should be followed using whatever structure or tool you use.
Github Hosted Runners vs Self-Hosted
Similar to the above, there is a mindset that if you host something yourself, it’s more secure by default. Kind of like build vs. buy discussions. If you take the onus of hosting yourself, then you must continually ensure security on that deployment. That means updates, patching, networking, and authentication. See the differences yourself. Which would you choose?
The answer is not always that simple, either. Sometimes, a hosted application may not support Assume Role authentication and require an IAM key instead. In that case, assume the role of the trump IAM key. The system, as a whole, needs to be evaluated, but also, the precedence of system maintenance cannot be neglected. If the maintainers don’t have a track record of updating their servers, history will likely repeat itself.
I hope you found this issue useful. If so, I would love it if you forwarded it others without security in their title and encourage them to subscribe!
This article was previously posted in the Newsletter.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.