one of the best decisions I ever made in life, as someone who is a security professional who also tinkers in many other fields, was the conscious choice that every web app side project *must* be fully unauthenticated or single user with the authentication delegated entirely to the httpd.
none of the data these apps handle is particularly important and the design complexity skyrockets as soon as you start to think about authentication and user privileges.
years ago I took a more maximalist approach and it always led to project burnout and security yak shaving.
so you have my permission, as someone who has worked in security for over 10 years now, to use "it doesn't fucking matter lol" as a threat model for these kinds of side projects and work on useful functionality instead of spending twenty hours of your precious time building a login page and password reset workflow that will only ever see one user anyway.
@gsuberland I have a similar “don’t bother writing tests and setting up linting” rule for side projects now, for similar reasons. I’d be endlessly starting things and getting bored before actually building anything I intended to.
@jon I do usually make a few unit tests for stuff that's non-trivial, because it's much easier to fix a problem when the regression occurs than when I hit a bug several years later and can't remember a damn thing about how it works, and that's also a recipe for my brain going "too much effort, don't bother" (or worse, "JUST REWRITE IT AGAIN BRO!"), but I definitely agree with not doing full TDD and rigid styling when you're just tinkering or prototyping.
@jon although the other approach is just to go harder on defensive development styles, which is my natural way of doing things anyway. lots of validation even if things further up the call stack are supposed to have done validation ahead of time.
"I spent yesterday evening reading up on optimal selection of argon2id parameters for storing passwords in my web app that lets me catalogue what electronics parts I have in my storage bin" - statements dreamed up by the utterly deranged (past me)
@gsuberland we would ofc try to fork the browser and implement reverse HTTP
(we would also fail.)
@gsuberland My opening question is always "What's your threat model?" because that tends to put things in perspective.
@gsuberland I have seen a lot of decent projects and products just curl up and die because they've had to add too much stuff.
A good example are some ICS devices - they have telnet and an enable password.
Someone adds a web interface. Now we have permissions. And user levels. And sessions. Some little shit like me tests it and finds loads of issues in the web interface.
@gsuberland speaking of, I’ve been pondering proxies and containment models that are better than nothing for sharing simple services at the club level, maybe via Tailscale Funnel so I don’t have to deal with all the randos.
Is escaping podman and docker containers trivial these days? How about systemd-nspawn? Strikes me qemu is taking it too far, but maybe not, and maybe someone made it easier.
Off the cuff is fine. Border on rude. For all I know I’m in not-even-wrong incoherent land here.
@cybergibbons and it still talks over unauth & unencrypted OPC or PROFINET anyway.
@gsuberland recently was asked to test if such a device had good TLS config.
Cert and key were hardcoded and it was talking Modbus/TCP, but an active MitM without that key and cert would have to capture around 22TB of data to recover 8 bytes of the session key.
GOOD WORK.
@tryst literally the best question anyone can ask when it comes to security. figure out your security model, act accordingly, keep your eye on the things that matter, and don't waste time (and money!) with unnecessary security maximalism.
@gsuberland Unfortunately, discourse about cyber security has been dominated by APTs, and we end up in this weird situation where companies are investing serious money in SIEM/SOAR but don't have an effective JML process.
@gsuberland @tryst I tend to lump my security model into "whoever has the sqlite DB file" 🙃
@tryst preaching to the choir there.
"we have AV, EDR, DLP, NIDS, 2FA & identity management, a secure gateway for remote work, a SIEM platform, and we're in the process of contracting a 24/7 managed SOC"
"okay can you give me access to a list of all your assets?"
"... uh, hmm, that would be very hard, we don't really have one"
@tryst I got out of pentesting 5 years ago and switched to research, and I'm much happier for it. I still do some customer work but it's almost all weird stuff that nobody else is sure how to tackle.
I ran into something yesterday where I needed to dynamically generate some CSS in a view cell, which obviously doesn't work with CSP due to having no inline styles allowed, and I was about to go down the rabbit hole of deciding whether to implement inline nonces or create a new controller that emits specific CSS payloads as per the necessary format which could then be inserted into the page, and then I realised it doesn't fucking matter and just enabled unsafe-inline because who gives a shit.
(note: do not follow this advice for things that matter; unsafe-inline is like 60% of why XSS still works in the year of our overlord 2024)
@gsuberland The year is 2028, an alert is generated on Google's Web Complete Overwatch Populace Security (WebCOPS) Dashboard. 5 minutes later you get a knock on the door "Open up! It's the CSP police!"
