
Database Cryptography Fur The Rest Of Us

tl;dr: The author defines database cryptography, how it manifests for both relational and NoSQL databases, searchable encryption, and provides a case study of MongoDB’s Client-Side encryption.

featured in #394


Password Strength Explained

By Wladimir Palant. tl;dr: From security expert Wladimir Palant: "There is lots of confusion about what constitutes a strong password however. How strong is my current password? Also, how strong is strong enough? These questions don’t have easy answers. I’ll try my best to explain however."

featured in #388


What's Identity-Native Infrastructure Access?

tl;dr: Unlock all Teleport Connect sessions to learn about infrastructure access from DoorDash, Dropbox, Discord, Vonage, and others when you RSVP for the Feb 9th event.

featured in #386


Why Your Team Should Be Using Just-in-Time Access

By Adam Buggia. tl;dr: Least privilege in the cloud is hard, but progress can be made by taking a risk-based approach. Consider an attacker who obtained one of your developer’s credentials; what access would they have? By adding a temporal dimension to developer access policies, the attack surface can be significantly reduced for many security-breach scenarios. That’s where just-in-time access comes in.

featured in #382


How To Completely Own An Airline In 3 Easy Steps

By Maia Arson Crimew. tl;dr: "I had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it. I had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of results."

featured in #382


I Scanned Every Package On PyPi And Found 57 Live AWS Keys

By Tom Forbes. tl;dr: "This post outlines the way I scanned PyPi, showcases a project I’ve built that automatically scans all new PyPi releases to notify AWS of potentially leaked keys, presents some analysis of the keys I’ve found and draws a few conclusions at the end."

featured in #379


Building Secure, Compliant Containers

By Elliot Volkman. tl;dr: Containers are ideal for cloud-first organizations. However, as their use has grown, so have security incidents in container environments. Learn how to build secure containers that support business objectives.

featured in #376


The DevSecOps Maturity Model

tl;dr: A blueprint for assessing and advancing your organization’s DevSecOps practices to detect vulnerabilities and deliver digital services with more confidence.

featured in #367


Accidental $70k Google Pixel Lock Screen Bypass

By David Schütz. tl;dr: "I found a vulnerability affecting seemingly all Google Pixel phones where if you gave me any locked Pixel device, I could give it back to you unlocked. The bug just got fixed in the November 5, 2022 security update. The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain access to the user’s device."

featured in #367


How Passwordless Works

By Alan Parra. tl;dr: This blog post by Teleport explains how passwordless can be implemented using modern technologies such as WebAuthn, while at the same time providing a better user experience and security than the traditional password-based approach.

featured in #366