Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 1 — truffleHog & git-secrets

Secrets — passwords, API keys, secure tokens, private keys, and so on — protect access to sensitive resources in your environment. If not properly managed, they can end up in the wrong hands.

In Part 1 of this post, we will show you how to find secrets using truffleHog and git-secrets. In Part 2, we will explain how to manage them using appropriate software tools in order to quickly and cost-effectively achieve a higher level of security. Read more “Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 1 — truffleHog & git-secrets”

Python Flask Exception Handling In A Secure Manner

In our last Python Flask blog post, we walked through building a simple application to take in a Threat Stack webhook and archive the alert to AWS S3. In this post, we’ll dive into Python exception handling and how to do it in a secure manner.

The code in the last post was written to be as simple and readable as possible. However, what happens if something goes wrong in our application? There’s no error or exception handling. If something goes wrong — for example, we hit a bug or receive bad data — there’s nothing we can do about it in the application. Instead of returning a parseable JSON response, the app will just spit a backtrace embedded in an HTML document back. The entity sending the request to our service is then left trying to figure out what may have gone wrong. Read more “Python Flask Exception Handling In A Secure Manner”

Writing a Web Service Using Python Flask

Many of our customers are building useful services using our webhook feature — but unfortunately, others are not. Often we hear that no one on their team is proficient enough to write a service that can ingest a webhook payload and do something with the data. That leaves them either hoping to get cycles from their development team (unlikely) or continuing to do without.

But what if you could write your own web services? How many routine tasks that involve taking data from system A and inputting it into system B could you automate?

Learning to code well enough can be a major skill in your tool chest and a major asset for optimizing security processes in your organization.

So in this post, I’m going to walk you through a tutorial that will get you started on the road to writing your own web services using Python Flask. Read more “Writing a Web Service Using Python Flask”

Parsing Simple Grammars in Scala With parboiled2

parboiled2 is a Macro-Based PEG Parser Generator written in Scala. It has become our preferred tool for creating parsers for simple grammars. It offers a fairly simple syntax for creating parsers and boasts significantly better performance over Scala Combinators.

To illustrate its use, we will use this post to build a parser for a simplified version of the Slack Assisted Search. Read more “Parsing Simple Grammars in Scala With parboiled2”

Test Systems: The Soft Underbelly of System Security

Test systems are the guts of your overall system design. Test systems embody an incredible amount of the history of how your team’s code and development practices turn into the tools, applications, and services you provide to your users. Most importantly, these systems show how your systems, tools, and applications mature and refine, and every brilliant and embarrassing decision your team made to create your product can often be found there.

But the contents of test environments, whether it’s test frameworks, CSV files, or a rainbow of test data, can be very sensitive, and more importantly, your test systems could contain a decade or more of information related to the development of your systems, tools, and applications. In spite of the potential sensitivity of the data in these systems, the often ad hoc, or ShadowOPS, nature of their development, frequently means that test systems do not undergo the same security scrutiny as other parts of your development environment or production systems, and this means that the risk associated with them probably outstrips the regular investment that has been made to secure them. So from a security point of view, it’s time to right the balance — to toughen up the soft underbelly of your test systems so they don’t undermine your test, dev, and production environments. Read more “Test Systems: The Soft Underbelly of System Security”

Securing User Credentials With the YubiKey 4

I’m a big fan of the YubiKey 4.

The YubiKey is a security device that originally outputted a 44-character “one time password” that could be decoded and mathematically verified and used as a second factor for authentication. Over the last few years, improvements to the devices mean that they can also perform other important functions, such as storing:

  • Identity, Signature, and Encryption Certificates
  • U2F data for websites (GitHub and GMail, among others, support this)
  • GPG Keys

If you’re looking to set this up on your own, read on to learn how this extra functionality helps your security game, and how you can configure services to use it. Read more “Securing User Credentials With the YubiKey 4”

Unit Testing With Webpack & Mocha

After moving our build infrastructure to webpack, one of the hurdles we had to overcome was finding a good way to run unit tests. Quite a few tutorials and how-tos are available for using mocha with webpack, but none of them gave us all the things we wanted from our test setup.

Therefore, as described below, we defined our requirements for the testing infrastructure and created a setup that enables us to build a test bundle from any number of spec files in a directory, incrementally rebuild on each spec change, and rerun the test suite via mocha on every change. Read more “Unit Testing With Webpack & Mocha”

4 Ways to Make Tech Debt Great Again

The cursor blinks steadily as you stare at a line of code that seemingly serves no purpose. You’re trying to fix a bug that is clearly manifested in this code, but you’ve been down this road before. Deleting it seems innocuous, but what if this is the block that sends your Jenga tower of a program crashing down? Your frustration rises as you recall the number of times you’ve asked for time to refactor and improve this project, and now you’re caught between a rock and hard place. As the table you were working at flips over in your episodic rage, you contemplate your next job and what you’ll do differently.

Read more “4 Ways to Make Tech Debt Great Again”

Too Big to Succeed: Monolithic Madness

We’ve all been there. You start your pretty new [insert language here] project, with a vow to do things right. You carefully discuss the project structure, you agree on what the database schema will look like, and your unit test coverage is at a staggering 99.8%! “It’s perfect,” you think as you crack that well-deserved beer and watch bits flow happily through your brand new service.

Fast forward six months, and you’re presented with a completely different scene. The latest set of features has wreaked havoc on your precious project. You have files with 500+ lines of code, your coverage has sunk to a barely acceptable 70%, and your list of complaints with every architectural decision you’ve made is growing by the minute. What an idiot past you was! What happened, and how do we fix it? Read more “Too Big to Succeed: Monolithic Madness”

Ramping up on Finch: Avoiding Common Gotchas

While we have been using Scala for awhile at Threat Stack, we haven’t been overly satisfied with the HTTP servers that we have used. So a few months ago, we audited a number of options and ultimately decided to try out Finch. We chose Finch for its readable and idiomatic API for constructing HTTP endpoints, solid performance, and some other bells and whistles. We also brought in Circe to handle our JSON serialization needs. Circe was a clear pick for its solid performance and generic derivation.
Read more “Ramping up on Finch: Avoiding Common Gotchas”