VPNNotify: A VPN Notification bot for Slack

In an earlier post, we talked about how we implemented centralized authentication at Threat Stack. This project initially allowed us to create clearer access control for our servers. A side benefit of this work is that it has allowed us to write tooling around common authentication processes.

One thing we’ve wanted to do is create an alert when folks are using a VPN to connect to one of our environments. In the event of a stolen laptop and stolen credentials, a user could be alerted to someone logging in with their credentials. With OpenVPN, performing actions on a client connect is possible using a client-connect script, so in the tradition of writing small Go applications to improve visibility, we did just that.

For the last few months our Slack bot VPN Notifier has been letting our engineers know when they connect into a Threat Stack environment. We’ve now done the work to open source the tool so that others can use and improve on it. We specifically mention improve, because our tool has limitations: The current version does extremely basic environment checking, and extremely basic alert suppression. Our hope is that we can collaborate with others who want to take this tool the extra mile.

Authkeys: Making Key-Based LDAP Authentication Faster

Authkeys, Threat Stack’s new open source tool, performs LDAP lookups of SSH keys without the need for using scripts or other interpreted code.

You may recall from an earlier post that we’ve set up centralized authentication here at Threat Stack. Our motivation for doing so centered on the desire to achieve clearer access control for the servers that power our platform. By doing this, we no longer need to use Chef to deploy the majority of users to servers. Rather, we can use an internal application to add, lock, and update users and their associated metadata.


Balancing Security and Your On-Call Rotation Using Deputize

Threat Stack, like many other Software-as-a-Service providers, has an on-call rotation. During any week, two members of our engineering organization are tasked with responding to alerts across the platform they build and maintain. These two engineers are also responsible for a myriad of other services that support the infrastructure: services that provide metrics and monitoring, log capture and collection, authentication, etc.

This presents a security issue with regard to access control: should all staff have access to all servers all the time? In early start-up life this is unavoidable. But as an organization matures and grows, it becomes a bigger risk. Administrator and similarly scoped credential theft is a goldmine for attackers, so we wanted to improve our story around internal access control.

Unwrapping who needs access to what is always an evolving task, but we put in the work to figure out who goes where and why, and then created groups to control that access. Since we already use groups as a way to control who can log into specific machines, and we use PagerDuty to assign on-call rotations, it seemed like we could create a tool that would query PagerDuty and update our on-call group. So we did! And as a gift to you, we’ve open sourced it.


How to Stay Secure at Conferences

Conferences can be an amazing way to connect with like-minded folks and educate yourself on what’s new and trending in your industry. At Threat Stack, we regularly attend and speak at conferences like BSides and DevOpsDays, and it’s been exciting to see a bigger focus on security topics in the DevOps world in recent years. Since we attend so many conferences ourselves, we wanted to offer some helpful advice on how you can keep your devices secure while you’re attending conferences.

DevOpsing at Home

I remember the days when SysAdmins bragged about server uptimes that were sometimes measured in years. I have been out of the SysAdmin world for quite a while, focusing on software development, and somewhere along the way, a small revolution happened. Here at Threat Stack, our DevOps team embraces immutable infrastructure, which allows us to spin down problematic servers and spin up brand new clean instances in a matter of minutes. Impressed with this approach, I started to look for a way to bring some of these concepts home.

Writing a Web Service Using Python Flask

Many of our customers are building useful services using our webhook feature — but unfortunately, others are not. Often we hear that no one on their team is proficient enough to write a service that can ingest a webhook payload and do something with the data. That leaves them either hoping to get cycles from their development team (unlikely) or continuing to do without.

But what if you could write your own web services? How many routine tasks that involve taking data from system A and inputting it into system B could you automate?

Learning to code well enough can be a major skill in your tool chest and a major asset for optimizing security processes in your organization.

So in this post, I’m going to walk you through a tutorial that will get you started on the road to writing your own web services using Python Flask.

Post Mortem: Death Star Data Breach by ROGUE ONE

Recently the Galactic Empire’s Death Star plans were leaked due to a security breach on the planet Scarif. A threat actor known as ROGUE ONE carried out the breach with support from the Rebel Alliance fleet. This post mortem has been commissioned by the Imperial Security Bureau and documents what is currently known while active investigation continues.

This breach is not expected to delay construction of the Death Star. The battle station is expected to be operational by its previously announced date, if not before.

The USENIX LISA 2016 Conference: In Their Own Words

The USENIX LISA 2016 Conference wrapped up a week ago after a tremendous five-day program of workshops, training sessions, presentations, talks, and more. Our own Pat Cable, Threat Stack Security Engineer, lent his expertise as “Invited Talks Co-Chair,” and Threat Stack was a proud sponsor of the event.

Full length presentations and videos will soon be available on the LISA site, but we thought it would be fun and informative to follow LISA’s motto of “More Craft, Less Cruft” by bringing you short video interviews with five LISA16 attendees and presenters.

So in their own words, here’s what they had to say about their favorite projects, the importance of security, and anything else that was top of mind.

AWS re:Invent 2016 Sets Records for New Services and Attendance

AWS re:Invent 2016 has come and gone, and what an event it was! This year had a record-breaking attendance of more than 30,000 people, showing the tremendous interest in all the advantages that the cloud has to offer. The expo floor (where Threat Stack was a Gold Sponsor) mirrored this growth, ranging from many new vendors to full-scale enterprise offerings with multi-floor architectures. It’s clear from this year’s re:Invent that the cloud industry has moved out of its infancy into full-scale adoption across a vast number of implementations.

So, what were our team’s key takeaways? It’s become clear that security is no longer a tax, but rather an investment into long-term organizational growth and success. Given the cloud’s explosive growth, security must be considered early on rather than as an afterthought. In addition to a strong interest in security, AWS launched many new services that will help to accelerate cloud adoption and enable companies to move even faster.


5 Things Security Can Learn From Operations’ Transition Into DevOps

Over the past couple of years, a discussion has been brewing in the Security community about the future of its work. On one hand, the need for a cloud security service is more urgent than ever as all areas of business and personal computing are being impacted by cyber threats. On the other hand, the process of delivering software has changed: We have significantly streamlined the development process by reducing organizational silos through various implementations of a DevOps culture.

So here’s the question: Faced with this changing landscape, how can Security transform the way it does business in order to contribute its full value — without negatively impacting development schedules and operational procedures? Security needs to adjust to the rapid and agile world of the cloud, but the transition doesn’t have to be difficult. The Ops community faced a similar transition when it integrated with Dev, and there’s much that Security can learn from their experience.
