Sunday, April 17, 2022

Security through Simplicity: there is no attack surface like NO ATTACK SURFACE


Another day, another major security vulnerability uncovered in some complex system.  Amazon Web Services (AWS) offers the Relational Database Service (RDS), a managed service for database engines such as PostgreSQL.  AWS bolted some advanced PostgreSQL features onto RDS in a somewhat sloppy manner, among other things leaving keys and credentials in clear text in local files on the database host, and in doing so created a few severe security vulnerabilities.

Gafnit Amiga uncovered these vulnerabilities and dutifully reported them to AWS, which fixed them quickly.  Her write-up is very easy to follow and quite entertaining.

Her conclusion reinforces my strong belief that simplicity is the most important principle in software design; put in information security (InfoSec) terms, there is no attack surface as good as no attack surface.
