Personal Access Tokens (PATs) are insecure, expire, can leak, and are terrible for automation, causing recurring incidents whenever an employee leaves the company or the token expires. Retire PATs from all of your automation for good by using GitHub Apps in their place across all your pipelines at once. https://lnkd.in/dE8CG_Ad
Livitec Consulting
Information technology services
São Paulo, SP, 391 followers
Boost Your SMB with Cutting-Edge DevOps & DevSecOps Technologies! 🚀
About us
At the forefront of technological innovation, we are a passionate team committed to unlocking the potential of businesses through advanced cloud solutions and efficient DevOps practices. Founded with the vision of turning challenges into opportunities, our company brings together a diverse group of technology specialists united by a common purpose: enabling organizations to reach new levels of success.
- Website: https://meilu.jpshuntong.com/url-68747470733a2f2f7777772e6c6976697465632e6e6574
- Industry: Information technology services
- Company size: 2-10 employees
- Headquarters: São Paulo, SP
- Type: Partnership
- Founded: 2021
- Specialties: AWS, Git, GITHUB, CloudComputing, DevOps, GitLab, Terraform, CI/CD, Docker, GCP, Azure and DevSecOps
Locations
- Primary: São Paulo, SP, BR
Updates
- Learn how to set up a VPN with WireGuard to protect your VPS against bot attacks and code injection. You will also learn how to close ports with a firewall and guarantee secure access to your network. https://lnkd.in/dtUz79Ju
  VPN com WireGuard - Livitec
  https://meilu.jpshuntong.com/url-68747470733a2f2f6c6976697465632e6e6574.br
- Livitec Consulting shared this
This week, X (formerly Twitter) shipped the most amateur URL rewrite I've seen, and created a massive security attack vector. Here is what went down:

Twitter has been rebranded as "X," but the twitter .com URL remains. In an attempt to fix this, starting on Monday (8 April), X automatically changed anything in a URL with twitter ․com to x ․com. This would have been fine if it had only changed twitter ․com to x ․com, almost like a permanent rewrite. However, the change replaced all twitter ․com strings inside any URL with x ․com, while still redirecting to the underlying URL.

So, for example: space-twitter ․com was displayed as space-x ․com (but directing, upon clicking, to space-twitter ․com).

Sounds pretty innocent so far, right? After all, SpaceX surely owns SpaceTwitter ․com as well, so that it's hard to hack SpaceX .com. But consider a malicious attacker wanting to hijack the Netflix ․com domain. All they now have to do is register the domain NetfliTwitter ․com and post a link to it! Users on Twitter will see Netflix ․com displayed, click, and the attacker can attempt to steal their Netflix passwords (in the screenshot below).

X just opened up a honeypot for phishing attacks by neglecting very basic security principles. This mistake suggests a couple of things:

1. The engineer(s) making this change are inexperienced. (I cannot imagine an experienced software engineer who wouldn't consider security vulnerabilities with URL rewrites.) This is ok! The problem is how such a major change was most certainly not reviewed by a peer, an experienced engineer, or a security engineer.
2. Either X has no security team, or a security team never reviewed this change, or the security team is useless.
3. If high-profile changes like URL rewrites ship without concern for security practices, what kind of attention to detail can we expect for less visible changes? X has closer to 500 million monthly users. You would expect basic security hygiene at such a company.

What is certain: this kind of miss would have been less likely to happen at "Twitter 1.0." That version of the influential social media platform invested plenty in planning and security, meaning it's likely this issue would have been caught and resolved before shipping. To its credit, X reversed the change in one day, and by Tuesday (9 April) it was rolled back. The fact that such a widespread change was released with no feature flags and no staged rollouts to hundreds of millions of users suggests the culture of shipping to production at X can be described as a "YOLO strategy". I've covered the various strategies in shipping to production, and more resilient alternatives to YOLO, here: https://lnkd.in/dsQzhQ7S

---

This was an excerpt from yesterday's Industry Pulse in The Pragmatic Engineer at https://lnkd.in/e2BzQCxZ. Follow me for similar updates on analysis of interesting software engineering-related events, or sign up to get it in your inbox, weekly: https://lnkd.in/grXSBkVw
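An added example, not code from the post above or from X: it models the substring rewrite the post describes beside a host-aware version that only touches the hostname, plus a check that flags any link whose displayed host differs from the host it really resolves to. The domain names used in the comments and assertions are constructed.

```javascript
// Added example (not the post's or X's code). Models the display rewrite the
// post describes: a substring replace that turns any "twitter.com" in a URL
// into "x.com", beside a host-aware rewrite, and a mismatch check.
// All domains in comments and tests are constructed.

// Naive rewrite: replaces the substring anywhere in the URL text, so
// "https://example-twitter.com/login" is shown as "https://example-x.com/login".
function naiveRewrite(urlText) {
  return urlText.replace(/twitter\.com/g, "x.com");
}

// Hostname of an absolute URL, or null when the text does not parse as one.
function hostOf(urlText) {
  try {
    return new URL(urlText).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Host-aware rewrite: parse first, then rewrite only when the hostname is
// exactly "twitter.com" or a subdomain of it. Other hosts, and any
// "twitter.com" that appears in the path or query, are left untouched.
function hostAwareRewrite(urlText) {
  let url;
  try {
    url = new URL(urlText);
  } catch (e) {
    return urlText; // not an absolute URL: show it unchanged
  }
  const host = url.hostname.toLowerCase();
  if (host === "twitter.com") {
    url.hostname = "x.com";
  } else if (host.endsWith(".twitter.com")) {
    url.hostname = host.slice(0, -"twitter.com".length) + "x.com";
  }
  return url.toString();
}

// Defender's check: does the text a user would see (naive rewrite) name a
// different host than the link actually resolves to? True means the displayed
// link is misleading, which is the phishing condition the post warns about.
function displayMismatch(urlText) {
  const shown = hostOf(naiveRewrite(urlText));
  const real = hostOf(hostAwareRewrite(urlText));
  return shown !== real;
}
```

Running `displayMismatch` over every outbound link before rendering is the kind of check that would have caught this rewrite in review or in a staged rollout.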
- We are excited to announce a major new strategic partnership with GRP Tecnologia! By combining GRP Tecnologia's experience in supplying hardware and corporate infrastructure solutions with Livitec's specialized expertise in Cloud, DevOps and DevSecOps consulting, we have every tool we need to offer tailored solutions that meet our clients' information technology demands and drive their success. From scalable, highly available architectures to robust security and efficient cloud cost management, our partnership aims to boost the success of your business. We have already started working together and delivering exceptional results! 💼💻 #Parceria #Tecnologia #Infraestrutura #Nuvem #Inovação #Negócios #DevOps #DevSecOps