Serverless Architecture: A New Threat to API Security?

Well, there's not much to say. It was a question that promoted the concept of "post hoc ergo propter hoc".

Serverless architecture doesn't make APIs less or more vulnerable. APIs are going to be secure or not based on how well they are built - how well they follow the latest techniques of secure programming and whether the orgs that use them don't succumb to the laziness that surrounds having to update security on a routine basis.

There's nothing that says a serverless service changes how secure an API is. It's too general a question.

I appreciate your reply. I value the clarification provided regarding the connection, or lack thereof, between API security and serverless architecture.

You're correct; in the end, API security depends on the caliber of development procedures and regular upgrades. Although I acknowledge that the topic may have been overly broad, I was interested in whether serverless systems present particular difficulties or factors that developers should take into account when protecting APIs.

Do features like event-driven design or dependency on managed services, for instance, open up new avenues for attacks, or is it all about implementing security in any setting?

Learn Coding for Cybersecurity?

Better. I appreciate the higher quality post in reply, rather than simple low-quality statements of agreement sprayed all over.

I would tend to agree that having some knowledge of basic programming helps in cyber defense. I'm also of the persuasion that "to a carpenter, everything is a hammer, nail, and wood". Programmers are going to tend to the belief that "more programming is better", where someone who spends his time poring over logs or runs a SIEM is going to prefer more topics about SIEM and SOAR.

This is why having a balance is important. No certification will EVER prepare a person for the complexities of a job. Instead, they will have REQUISITE knowledge for which they can apply skill. Very rarely is anyone ready on day one.

/r

Very beautiful explanation! Thanks for the clarity. Now I'm feeling like I'm in the OTW classroom.

Serverless Architecture: A New Threat to API Security?

That's brief!!!

Chinese Hackers Accessed US Treasury Workstations

The step that is missing here is what happens following the breach and the subsequent cleanup of the mess. When a breach occurs, the cold-hearted truth here, the part where I say the quiet part out loud, is that preparations failed as a result of People, Process, or Technology. Perhaps because the Risk Assessment wasn't done correctly (or at all). Perhaps there was a modicum of incompetence in the practitioners or in the organizational leadership complaining of a strained budget, thus skimping on resources. Whatever the cause, the problem here is that someone screwed up.

The after-action review needs to follow immediately and show what went wrong, with the accountability necessary to remove the people, processes and technology that failed, followed immediately by the corrective actions to all three of these.

I maintain that the feel-good-ism, don't-offend-people, that permeates the workplace these days has no place in the security department. Emotional feelings and "understanding" often hide the real problem - someone at BeyondTrust and/or the Treasury royally screwed up and needs to pay the price. Unfortunately, we will probably never know, if at all, what the outcome of this was.

Very rarely does a zero-day occur that is so completely unconventional that it takes people by surprise. This is why I have zero sympathy here - because the government trusted an organization that turned out to be incompetent and/or not vigilant enough to see what was coming.

/r

Learn Coding for Cybersecurity?

True! Picking a language is tricky, as JavaScript helps with understanding XSS attacks (executing malicious code in browsers), SQL is key for SQL Injection (injecting malicious queries), and Python aids in crafting custom exploits or automating tasks. While we don't need a deep dive into coding, a little programming knowledge makes these attacks way clearer. No need to test all languages, just enough to connect the dots between code and vulnerabilities.

