Cloud-Native Privileged Access Management
tl;dr: DevOps practices have revolutionized how apps and infrastructure are managed, but access hasn't kept up. Shared secrets like passwords and keys – the #1 source of data breaches – are the norm. Teleport replaces shared secrets like passwords, keys, tokens, and even browser cookies with true identity, removing risk while letting engineers go fast.
featured in #400
Database Cryptography Fur The Rest Of Us
tl;dr: The author defines database cryptography, explains how it manifests for both relational and NoSQL databases, covers searchable encryption, and provides a case study of MongoDB’s Client-Side encryption.
featured in #394
What's Identity-Native Infrastructure Access?
tl;dr: Unlock all Teleport Connect sessions to learn about infrastructure access from DoorDash, Dropbox, Discord, Vonage, and others when you RSVP for the Feb 9th event.
featured in #386
Why Your Team Should Be Using Just-in-Time Access
- Adam Buggia tl;dr: Least privilege in the cloud is hard, but progress can be made by taking a risk-based approach. Consider an attacker who obtained one of your developer’s credentials; what access would they have? By adding a temporal dimension to developer access policies, the attack surface can be significantly reduced for many security-breach scenarios. That’s where just-in-time access comes in.
featured in #382
How To Completely Own An Airline In 3 Easy Steps
- Maia Arson Crimew tl;dr: "I had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it. I had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of results".
featured in #382
I Scanned Every Package On PyPi And Found 57 Live AWS Keys
- Tom Forbes tl;dr: "This post outlines the way I scanned PyPi, showcases a project I’ve built that automatically scans all new PyPi releases to notify AWS of potentially leaked keys, presents some analysis of the keys I’ve found and draws a few conclusions at the end."
featured in #379
Building Secure, Compliant Containers
- Elliot Volkman tl;dr: Containers are ideal for cloud-first organizations. However, as their use has grown, so have security incidents in container environments. Learn how to build secure containers that support business objectives.
featured in #376
Accidental $70k Google Pixel Lock Screen Bypass
- David Schütz tl;dr: "I found a vulnerability affecting seemingly all Google Pixel phones where if you gave me any locked Pixel device, I could give it back to you unlocked. The bug just got fixed in the November 5, 2022 security update. The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain access to the user’s device."
featured in #367