Posts

Cost of a Security Breach

There are many types of security breaches. Some attackers want your data. Some want your money. Some want your intellectual property. Others want chaos. No matter what they want, a breach is going to cost you money. But how much money? IBM has a Cost of Data Breach Calculator.

Data records are stolen at a rate of 58/sec. And with an annual average cost of $3.6M per breach that works out to $141 per record. But what about other costs?

Yahoo lost $350M in their deal with Verizon because of a data breach.

In recent years, three high profile companies were put out of business from security breaches:
- Code Spaces
- Nirvanix
- MyBizHomepage

And 60% of small businesses fail within 6 months of a security breach. The costs of recovery are high, and the damage to reputation can be too.
How common are security breaches? Last year 43% of companies had a data breach.
While security breaches may be costly, so is preventing them. Worldwide spending on information security products and services will reach m…

Actually Getting to Least Privilege in AWS Lambda

Least Privilege is kind of like the Holy Grail of security. Everyone wants it, but it remains elusive. Those that have mounted serious efforts to achieve it have had varying degrees of success.

"Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."
— Jerome Saltzer, Communications of the ACM

Peter J. Denning, in his paper "Fault Tolerant Operating Systems", set it in a broader perspective among four fundamental principles of fault tolerance.

Dynamic assignment of privileges was earlier discussed by Roger Needham in 1972. [1, 2]


Okay so luminaries have written about it and that means it's probably a thing. But how to achieve it with AWS Lambda?

Let's start with facing the biggest challenges in general:
- The effort required to pare down permissions to the minimum necessary is significant.
- As developers add features, policy enforcement just gets in their way, and using a relaxed set …

Securing AWS Lambda

AWS Lambda can make your environment more secure than older deployment patterns--assuming you take security seriously and implement it in a secure way.

AWS Lambda makes security easier because you no longer have to manage OS hardening, admin rights, SSH, and segmentation. You still have to manage configuration and application code. The most important aspect of AWS Lambda security is the principle of least privilege.

"Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."
— Jerome Saltzer, Communications of the ACM

Least privilege dictates that we apply the smallest possible privilege so that the program can function correctly, but can do nothing else.

Least privilege must apply to your application and its resources: function, persistence layer (S3, DynamoDB, etc.). AWS IAM roles are the primary control plane and should enforce least privilege.

Although least privilege is critical, it's rarely achieved, …

Lately I've been working on designing authentication (authN) and authorization (authZ) services for an API Gateway layer sitting on top of a collection of supposedly RESTful APIs written by a diverse and disconnected population of developers.

One of the many challenges I've faced is that it turns out that "REST" means different things to different people. I've been looking for a simple way to explain to developers what a high quality RESTful API looks and functions like. While I have found some good material, I felt I needed to pull together a few different concepts, so I wrote this.

Why is being fully RESTful important? Turns out that for poorly designed and implemented RESTful APIs, it is harder to design authentication and authorization services. First I want to discuss RESTful APIs in general, so we can agree on what they are and are not. Then I will explain why weakly RESTful APIs are harder to implement authN/Z for.

Reading the documentation for supposedly "RESTful"…

How to build a simple RESTful API with Flask

I built this proof of concept (POC) for another project someone else was working on. They had built a basic RESTful API using Flask. But needed to add authentication and HTTPS support.

I was pleasantly surprised how easy it was to go from zero to a basic RESTful API with TLS HTTPS and authentication via URL argument or headers.
I'm writing this post to demonstrate how easy it truly is to setup a simple, safe and secure RESTful API using Flask.
Step 1: Install Python
I'll skip the steps on how to install Python. But I will just say that I got this working easily with both Python 2.7 on Linux and Python 3.5 on Windows.

Step 2: Install Flask and clone my repo
Flask is also easy to install by following their Quickstart Installation Guide. However, stop before doing the "mkdir myproject" step and clone my "flask-api-key" repo instead.

Step 3: Activate a venv
Then do:
$ cd flask-api-key
$ virtualenv venv
New python executable in venv/bin/python
Installing setuptools,…
