28 Comments

Anything and everything cybersecurity

Hey all,

I was on Product Hunt this morning and saw a new product that responded to the question "How do you secure your product" with the answer "We use SSL/TLS encryption". No shame to them, but I wanted to open the doors and see if anyone has any burning security questions.

I've performed hundreds of web application penetration tests, static code analyses, and love to break things! I'd love to help out however I can.

Also, if anyone has cool security products they're building I'd love to hear about them below!

  1. 4

    Not really appsec but I'm building https://phish.report

    Originally it was just a micro-site: put in any URL and it'd tell you who hosted it. But it's evolved over time and now I'm growing it into a full on takedown tool

    1. 1

      This is awesome! Looking at the pricing, is there manual effort that goes on in the background behind each report?

      1. 2

        Thankfully no, not on my part anyway. Definitely couldn't support unlimited takedowns for that price 😅

        Most providers in this space are fully managed: you submit a phishing site and the provider's team handle everything.
        With Phish Report I'm trying a "bring your own team" model: I supply some nice simple, powerful tools and companies do the form filling, email sending, etc. using their own, existing team.

        Definitely not got product market fit yet but got a little traction (a big unknown is whether companies actually want to do this themselves, but hopefully being 1/10th the cost of a managed service will help 🤞🏻)

  2. 4

    No idea what you're going for, but we released Authress: https://authress.io/ and it's been going pretty great.

    1. 3

      I really like your API documentation, what software do you use for that?

      Am I correct in assuming this is mainly for CRUD permissions? Or is there a way to integrate into things like search endpoints to filter out non-authorized results from search queries?

      1. 3

        You can configure it however you want. If a user only has access to part of the data in an API, you can set that up, and handle the authorization check which would drive the data that should be returned from your service. I don't know if anyone has taken it that far, but I don't see why it couldn't be.

        For the API documentation, we use OpenAPI specification, and our popular open source explorer: OpenAPI Explorer

        https://github.com/Rhosys/openapi-explorer

  3. 2

    But SSL/TLS is not enough. I think that you need to add more protection to any site, such as a CDN with anti-DDoS, a WAF service, ...

    1. 1

      🙏 Dead on, that's why I was so surprised by their response

  4. 2

    Well, I am a cyber security products builder for many years. I am building for myself though with no resources :) so that is going to be different. It is a b2b product.
    Here is my idea for authentication. Use Keycloak for login on a single realm for all tenants' "normal" users, and do the roles and groups internally in the program (since you can't do that on a single realm). Use the other realms for premium, since Keycloak has a 400-realm limit until it dies and you can't just hand them out. The reason I am doing that single tenant on Keycloak is that it is difficult to maintain two pieces of software for authorization in the software itself.

    Would love to hear an alternative solution, I don't know of one to date. ORY does not support multi-realm (they say you have to spin up more processes, really? Maybe this is good for big companies).

    1. 1

      We built something like that by consulting with someone from the Keycloak core devs. They also told us that groups don't scale very well! So maybe that's not the best solution to model tenants ;)

      We have a microservice which tracks permissions per user for a tenant with a small number of roles (a user can have access to multiple tenants) and they are injected into the JWT returned from keycloak. The frontend then uses these tenants from the token to allow selecting one, the rest is taken care of by routing based on the tenant's name in k8s. The individual backend (we run one per tenant) of course double-checks with the keycloak JWK and the microservice etc. because I don't trust user input!

      This idea stems from said core dev but we are not in the position yet to do an audit, that's still planned.

      PS: https://github.com/thomasdarimont/keycloak-extension-playground/blob/master/adhoc-keycloak-extensions/src/main/java/demo/keycloak/oidcmappers/RemoteOidcMapper.java
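      The comment above describes the backend side of that design: tenants and roles are injected into the Keycloak JWT, and the per-tenant backend re-validates the token instead of trusting what the client asserts. The following is an added, stand-alone Python sketch of that check; it is not the commenter's code or anything from the linked Keycloak extension. Assumptions not taken from the thread: HS256 with a shared secret stands in for Keycloak's RS256 + JWKS so the sketch runs offline, the mapper writes a `tenants` claim shaped `{tenant_name: [roles...]}`, and the issuer, audience and sample users are constructed.

```python
"""Backend tenant check driven by a verified JWT (added example, not from the thread).

Assumptions (constructed for this example, not from the thread):
  * HS256 + shared secret stands in for Keycloak's RS256 + JWKS verification;
  * the token carries a "tenants" claim shaped {tenant_name: [roles...]};
  * ISSUER / AUDIENCE / sample claims are made-up values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"              # stand-in for the realm signing key
ISSUER = "https://keycloak.example/realms/saas"  # constructed
AUDIENCE = "tenant-backend"                      # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT. Only used here to fabricate sample tokens (Keycloak would mint real ones)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None, secret: bytes = SECRET) -> dict:
    """Return the claims only if alg, signature, issuer, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, decides the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def authorize(token: str, requested_tenant: str, required_role: str, now: Optional[float] = None) -> bool:
    """Allow the call only if the verified token grants required_role on requested_tenant.

    The tenant name arrives with the request (URL / host) and is untrusted; the decision
    rests solely on the claims that survived verify_token().
    """
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    roles = claims.get("tenants", {}).get(requested_tenant, [])
    return required_role in roles


# --- constructed sample data --------------------------------------------------
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "exp": NOW + 300,
    "tenants": {"acme": ["admin", "viewer"], "globex": ["viewer"]},
}
SAMPLE_TOKEN = make_token(SAMPLE_CLAIMS)


def demo() -> dict:
    """Exercise the usual outcomes and return them keyed by scenario."""
    h, _p, s = SAMPLE_TOKEN.split(".")
    # Client edits the payload to add a tenant it never had: old signature no longer matches.
    forged_claims = json.loads(json.dumps(SAMPLE_CLAIMS))
    forged_claims["tenants"]["initech"] = ["admin"]
    forged = f"{h}.{_b64url(json.dumps(forged_claims).encode())}.{s}"
    expired = make_token({**SAMPLE_CLAIMS, "exp": NOW - 1})
    return {
        "own_tenant_admin": authorize(SAMPLE_TOKEN, "acme", "admin", now=NOW),
        "other_tenant_role_too_low": authorize(SAMPLE_TOKEN, "globex", "admin", now=NOW),
        "not_a_member": authorize(SAMPLE_TOKEN, "initech", "viewer", now=NOW),
        "forged_payload": authorize(forged, "initech", "admin", now=NOW),
        "expired": authorize(expired, "acme", "admin", now=NOW),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} -> {'allow' if ok else 'deny'}")
```

      Only the first scenario is allowed; a request for a tenant the token does not list, a role the token does not grant, a payload edited after signing, or an expired token is all refused before any tenant data is touched. Swapping `verify_token` for a real JWKS-backed RS256 check leaves `authorize` unchanged, which is the point of keeping the tenant decision on the verified claims.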

      1. 1

        If you are using Spring, one thing I noticed is that for multi-tenant it did not refresh the token because of a bug. I force refresh it by activating their checks logic every call.

        I don't use Keycloak groups for multi-tenant, I use my own custom implementation to mimic realms. If a company buys a whole realm then I can override these with the federated roles from their Okta or OneLogin. The cheapest compromise I found to date.

        1. 2

          We don't have the problem with the token. I guess that's because the client implements the token retrieval and refresh, the backend is only consuming and validating it.

          Ok, gotcha. If you ever want to look at another approach you now know an alternative ;)

    2. 1

      What tech stack are you using? I've found for enterprise apps, most authz solutions are going to fall short. Creating a multi-tenant authorization scheme isn't simple by any means, but with proper security audits it will improve your efficiency and scalability a ton.

      If you're going to do roles and groups internally in your software, what benefit is keycloak providing you? Authentication?

      1. 1

        Yes, for secured OAuth authentication and federation for social login, plus kinda a GDPR requirement to separate the PII info...
        The realms for enterprise customers can have role overlays in Keycloak no problem, but it is mainly for SSO federation. E.g., to their OneLogin or Okta.

        I use Java Spring. I had to customize Keycloak libs like hell because it is not multi-tenant out of the box and buggy, but there are ways... (cyber security products dev, remember ;) ).

        1. 1

          That dang GDPR always getting in the way, haha.

          I’ll be curious to hear how your solution scales, sadly I’m not too familiar with those specific security products.

          I’m a big fan of spring boot, I’ve typically managed authz/authn in product myself when working with them. Aspect-oriented programming makes securing API routes really nice.

          1. 2

            Basically you don't have to worry about scale as long as you add more Keycloak instances every 400 customers :) but since they are paying a premium it is worth it. What I am more worried about is if this is overkill. It really is, but the alternative is worse and I don't have the resources to replace something like this.

  5. 2

    Hi Jake - I've been building a vulnerability scanner called HostedScan Security. We transparently build on top of several open source tools for network scans, web app scans, port scans, etc... The value that we add is automating all of these tools and tracking the results in one place. I'd definitely appreciate any thoughts that you have. Thanks!

    1. 2

      Hey! I love tools like this, so many orgs struggle with scheduling and combining their disparate scanners.

      If I had one suggestion it’d be to add value on top of the data the scanners report, customized remediation and description information is always beneficial. The scan reports typically aren’t very contextual or aware of the business context.

      1. 2

        Thanks for the feedback. That matches up with user data we are seeing as well. Many of our customers are already familiar with the tools and interpreting the results vs someone who is new to them.

        I think the challenge for us is adding quality context and remediation info at scale for high frequency, automated scanning. One item on our roadmap already is to create some more guides and educational content for each of the scans. If you know of any example reports or other products that do a good job with the remediation and description info, I'd love to check them out.

        1. 3

          I think Nuclei does a good job, mainly because most templates check for a very specific vuln so they can be a bit more specific. They also allow nice customization of their templates.

          But it’s unfortunate, I don’t know any apps that give really great context like most users want.

    2. 1

      I actually started building the same thing a while ago, but felt that I can't provide enough additional value (real time vuln tracking etc., remediation suggestions and such) and didn't really complete it. Good to see you succeed though!

  6. 1

    I have compiled 9 basic cyber security tips that startups or businesses can follow at the least - https://mojoauth.com/blog/top-data-breaches-and-learnings-from-them/

    Would love to hear your/anyone's thoughts

  7. 1

    Not specifically security, but since our first feature is authentication, we've basically been dragged into the security products segment - Kinde

    Some tools I've recently found that I wish I knew about earlier

    • nancy - Scanning for GoLang dependencies and their vulnerabilities
    • Snyk Advisor - Checking for dependency health across usage, maintenance, community, and security

    By the nature of our target market, we work with a lot of founders. Do you have any go-to code scanners or dependency checkers for PHP? We've come across a lot of PHP founders lately and the only free one I know of is semgrep.

  8. 1

    Great. I am into security too. Very important to think about the security of your product at the very beginning of your development. Security should not be an afterthought!
