LIST

OWASP Insufficient Attack Protection

Insufficient Attack Protection
We must always assume that attackers have unlimited access to other machines behind the firewall.
pattern: track illegitimate requests by their origin
pattern: log bad requests by source principal
pattern: use API Gateways to block callers by API key
pattern: use API Gateways to throttle request rate by API key
(src: Model_ OWASP top 10 Book_ release it! - Michael Nygard)

September 10, 2022

OWASP Security Misconfiguration

Security Misconfiguration takes the form of omission, e.g. default passwords left in place.
pattern: seek out admin consoles and change the default password
pattern: disable servers running on base OS images (e.g. redis, mongo, postgres, zookeeper, …)
anti-pattern: servers listening too broadly
anti-pattern: sample applications in production
pattern: every admin uses a personal account
pattern: log admin & internal calls
(src: Model_ OWASP top 10 Book_ release it! - Michael Nygard)

September 10, 2022

OWASP Sensitive Data Exposure

Sensitive Data Exposure
All the valuable things people can steal from you or use against you, e.g. credit cards, medical records, insurance files, purchasing data, emails.
pattern: applications request data encryption keys, which are themselves encrypted
anti-pattern: leaving decryption keys lying around where an attacker could retrieve them (e.g. in memory)
AWS Cloud: use AWS Key Management Service (KMS)
On Premise: HashiCorp Vault
anti-pattern: half-heartedly using an encryption tool you picked...

September 10, 2022

OWASP Underprotected APIs

Underprotected APIs
pattern: bulkheading to limit the size of hacks
pattern: communicate with the most secure possible public-facing API: TLS
pattern: configure to reject protocol downgrades
pattern: keep root Certificate Authority (CA) files up to date
business-to-business: bi-directional certificates
pattern: verify with a generative testing library that your parser (JSON / XML / …) is hardened against malicious input
pattern: fuzz-test APIs & check that failure responses reject safely
(src: Model_ OWASP top 10 [[book-release-it-michael-nygard....

September 10, 2022

OWASP Using Components with Known Vulnerabilities

Components with Known Vulnerabilities
Most developers don't even know what all is in their dependency tree. Sadly, most successful attacks are not the exciting "zero day, rush to patch before they get it" kind of thing. Most attacks are mundane.
pattern: use your build tool to extract a report of ALL the artifacts that went into your build (including the build tool's plugins)
pattern: check CVEs weekly, manually or automatically
(src:...

September 10, 2022

OWASP XML External Entities (XXE)

XML external entity (XXE) injection
  <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    <!ENTITY xxe SYSTEM "file:///etc/passwd">
  ]>
  <foo>&xxe;</foo>
Most XML parsers are vulnerable to XXE injection by default. You need to configure them to be safe.
(src: Book_ release it! - Michael Nygard)

September 10, 2022

AWS & Typescript Masterclass - 2. CDK & CloudFormation

(6) intro (7) CDK (8) CloudFormation (9) install CDK (10) base project deployment (11) project exploration (12) CDK types and commands (13) CDK Outputs (cf terraform output) (14) CDK Deployment Parameters (15) CDK core - recap
(6) intro
(7) CDK
  abstraction of AWS resources; reusable components
  use AWS CDK to: create and deploy AWS resources; configure those resources; link resources together into constructs
  uses JSII (JavaScript interop interface)
(8) CloudFormation...

September 9, 2022

AWS & Typescript Masterclass - 3. Serverless project

API Gateway, Lambda, DynamoDB, Cognito
https://github.com/barosanuemailtest/space-finder-backend.git
https://github.com/barosanuemailtest/space-finder-frontend.git
  git init
  npm init -y
  npm i -D aws-cdk aws-cdk-lib constructs ts-node typescript
  mkdir infra
  touch infra/Launcher.ts
  touch infra/SpaceStack.ts
  # echo '{"app":"npx infra/Launcher.ts"}' > cdk.json
  echo '{"app": "npx ts-node --prefer-ts-exts infra/Launcher.ts"}' > cdk.json
  cdk synth  # error related to tsconfig target
  npx tsc --init
  # change tsconfig.json "target": "es2016", -> "target": "ES2018",
  # copy tsconfig.json from generated project
infra/Launcher.ts
  import {App} from "aws-cdk-lib";
  import {SpaceStack} from "....

September 9, 2022

AWS & Typescript Masterclass - 4. Lambda - bundling, testing and debugging

(23) Section Intro (24) Why Bundling? (25) Bundling with CDK Node Lambda (26) Webpack intro (27) Webpack setup
(23) Section Intro
(24) Why Bundling?
  options:
    deploy all node_modules: NOPE
    Node Lambda with esbuild (integrated with CDK): YES
    webpack (hard to configure): NOPE
  why? growing list of dependencies; TypeScript needs compilation to Node.js
(25) Bundling with CDK Node Lambda
  integrated with CDK, uses esbuild
  npm install --save-dev esbuild@0
  example dependency: npm i uuid @types/uuid
  services/node-lambda/hello....

September 9, 2022

AWS & Typescript Masterclass - 5. Testing and debugging Lambdas

(28) section intro (29) CloudWatch logs (30) using AWS SDK
(30) using AWS SDK
  npm i aws-sdk
services/node-lambda/hello.ts
  import {S3} from "aws-sdk";
  const s3Client = new S3();
  ...
  const buckets = await s3Client.listBuckets().promise();
  ...
  body: 'here are your buckets' + JSON.stringify(buckets.Buckets)
infra/SpaceStack.ts
  const s3PolicyStatement = new PolicyStatement();
  s3PolicyStatement.addActions('s3:ListAllMyBuckets');
  s3PolicyStatement.addResources('*'); // anti-pattern; use specific!
  helloLambdaNodeJs.addToRolePolicy(s3PolicyStatement);
(31) run lambda locally in debug mode
run config (in VSCode):
  {
    "version": "0.2.0",
    "configurations": [
      {
        "type": "node",
        "request": "launch",
        "name": "Debug local file",
        "runtimeArgs": ["-r", "ts-node/register"],
        "args": ["${relativeFile}"],
        "env": {"AWS_REGION": "eu-west-2"}
      }
    ]
  }
(you can add AWS credentials to env if you're not logged in locally)...

September 9, 2022