Psst, Your S3 is showing!
Your application security might not be as good as you think. S3 security breaches are in the news way too often. These breaches are not the result of sophisticated hacks, but simple misconfigurations akin to not locking your front door.
Having private moments exposed can be embarrassing. Leaving all your sensitive files open for all to view is more than embarrassing. It is a publicity nightmare with legal ramifications. More than ever, application security is critical for application development.
Cloud providers have great solutions for file storage – AWS S3, Google Cloud Storage and DigitalOcean Spaces.
These services offer effectively unlimited storage, fast access and affordable pricing, with encryption of data at rest and access over HTTPS.
With all these security features your files are safe and sound, right?
Maybe, maybe not. If your development team is not up to speed, they can press the ‘easy button’ and allow all your files to be publicly readable. Instead of properly implementing security, they rely on obscurity.
“There are millions of files on Amazon Web Services they will never find ours.” — said many embarrassed developers
Of course, your rockstar development team would never do that — right?
Obscurity never works for long. There are numerous public tools that scan Amazon for public S3 buckets with hidden data (e.g. DigiNinja Bucket Finder).
S3 leaks are not new but have been happening at an alarming rate recently.
It has already happened to the likes of Booz Allen Hamilton, a partner of Verizon, Dow Jones, a DoD security firm and many, many others. These failures exposed nearly 10,000 resumes, 14 million customer records, sensitive military files and more.
What can I do?
If you already have a project deployed to the cloud, you should audit your file permissions right away. Any buckets with public access need careful scrutiny.
If you are in the process of developing a new web application check with your development team to ensure all your S3 buckets are secure.
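As an added example (not code from the original post), here is the kind of audit the two paragraphs above call for: it flags bucket ACL grants to the AllUsers and AuthenticatedUsers groups and bucket policies with an unconditional Principal "*". The audit_account function and the SAMPLE_ACL data are constructed for this example; the ACL and policy shapes follow what boto3's get_bucket_acl and get_bucket_policy return.

```python
import json

# Group URIs AWS uses in bucket ACLs for "anyone" and "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

def acl_findings(acl):
    """Return public grants in an ACL (shape of boto3 get_bucket_acl()) as (who, permission) pairs."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((PUBLIC_GRANTEES[grantee["URI"]], grant.get("Permission")))
    return findings

def policy_is_public(policy_json):
    """True if a bucket policy document has an unconditional Allow for principal '*'."""
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False

def audit_account():
    """Walk every bucket the caller's credentials can list and print the exposed ones.
    boto3 is imported lazily so the pure checks above run without it installed."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        for who, perm in acl_findings(s3.get_bucket_acl(Bucket=name)):
            print(f"{name}: ACL grants {perm} to {who}")
        try:
            if policy_is_public(s3.get_bucket_policy(Bucket=name)["Policy"]):
                print(f"{name}: bucket policy allows Principal '*' without conditions")
        except ClientError as err:  # NoSuchBucketPolicy just means no policy is attached
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise

# Constructed sample: an ACL that lets the whole internet list the bucket's contents.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
```

Calling audit_account() with AWS credentials in the environment walks your own account; it does not inspect S3 Block Public Access settings or per-object ACLs, which deserve a separate review.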
We can help. Orange Robot provides software management consulting services and turn-key development solutions with a focus on reliable, secure applications.