Boy Baukema

Secure Development Anti-Pattern: Failure to separate resource from user


Netflix is cool with you sharing your account

Hey, guess what, as someone in charge of corporate security for a web development shop, I am not cool with this. I am like totally not cool with this.

I'm not talking about you sharing your personal Netflix account with friends and family (who may not be as security savvy as you are). I'm talking about building systems that tightly couple user and resource, or charge for additional accounts, thereby encouraging the user to share his or her credentials!

Even though I'm not 'cool', I 'get it'. I mean, I really get why laziness (after all, it's a core virtue) would compel engineers to couple users to resources.

I mean this:

User table coupled via one-to-many to resource table

Is easier than this:

User coupled via many-to-many to resource table

It gets even more complicated if you include authorization (AuthZ, permissions, not every user has equal rights).
And provisioning new users is hard, deprovisioning even harder if you don't properly track usage.

So why would you complicate this? Or at the very least why not charge for this additional complexity?


1. Auditing, or in case Shit Hits the Fan

Malware infections. Sniffed credentials via unprotected networks. Simple shoulder surfing. Disgruntled ex-employees.
These scenarios are not as uncommon as you might think.

When those credentials are being used illegally, your customers will want to know the source and take further steps.


2. the Principle of Least Privilege

Do your customers really want their intern or summer worker to be able to access ALL of their DNS records? Should a password change by their admin break their server side batch import processes?


3. password management

If you're forcing your users to share accounts, they will need to do proper password management. Even if they use a password manager (like the excellent LastPass), they will fail to remember to reset the password of every shared account that a departing user may have had access to.
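As an added example (not code from this post), here is the many-to-many model from above with a per-membership role and an audit trail, which is what makes reasons 1 to 3 workable, in Python with SQLite; the table, role and action names are assumptions chosen for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE person (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL);
-- the many-to-many link: one row per (person, account), carrying that person's role
CREATE TABLE membership (person_id INTEGER REFERENCES person(id),
    account_id INTEGER REFERENCES account(id),
    role TEXT NOT NULL CHECK (role IN ('owner','admin','viewer')),
    PRIMARY KEY (person_id, account_id));
-- every action records WHICH person performed it, so misuse can be traced to a source
CREATE TABLE audit_log (account_id INTEGER, person_id INTEGER, action TEXT NOT NULL);
"""
# least privilege: which roles may perform which action (illustrative, assumed names)
PERMS = {"read_dns": {"owner", "admin", "viewer"},
         "write_dns": {"owner", "admin"}, "manage_members": {"owner"}}

def setup():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def act(db, person_id, account_id, action):
    """Authorize 'action' for this person on this account and log it if allowed."""
    row = db.execute("SELECT role FROM membership WHERE person_id=? AND account_id=?",
                     (person_id, account_id)).fetchone()
    if row is None or row[0] not in PERMS[action]:
        return False
    db.execute("INSERT INTO audit_log VALUES (?,?,?)", (account_id, person_id, action))
    return True

def grant(db, actor_id, person_id, account_id, role):
    """Provision: add a membership; no credentials change hands."""
    if not act(db, actor_id, account_id, "manage_members"):
        return False
    db.execute("INSERT OR REPLACE INTO membership VALUES (?,?,?)", (person_id, account_id, role))
    return True

def revoke(db, actor_id, person_id, account_id):
    """Deprovision: drop one membership; nobody else has to rotate a password."""
    if not act(db, actor_id, account_id, "manage_members"):
        return False
    db.execute("DELETE FROM membership WHERE person_id=? AND account_id=?", (person_id, account_id))
    return True

def who_did(db, account_id, action):
    """Audit: which people performed 'action' on this account."""
    rows = db.execute("SELECT DISTINCT person_id FROM audit_log WHERE account_id=? AND action=?",
                      (account_id, action))
    return sorted(r[0] for r in rows)
```

The first owner membership is inserted directly when the account is created; every later grant or revoke goes through an owner and lands in the audit log.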


Hall of Fame

Some examples of service providers that do an excellent job at making this separation.

AWS

Amazon Web Services starts you off with an email address and password that form your 'root' account, but gently encourages you to use the Identity & Access Management (IAM) service free of charge.

GitHub

GitHub lets you add collaborators to your private repositories and also makes Organizations available free of charge.


Hall of Shame

Recent examples I ran into that tightly couple users and resources.

CloudFlare

Separate users only if you are an Enterprise customer; for pricing, "Call for a quote".

Platform.sh

The pricing model includes paying per user.

Other...

Let me know the different ways in which service providers mess this up!


Fin

If you want to read more, I highly recommend the SANS Institute InfoSec Reading Room report The Use and Administration of Shared Accounts (17 pages plus appendixes).

If you liked this, you may also like reading about Brute Forcing Slack URLs or 4 security headers you should always use.

Last but not least, if you can read Dutch, maybe you want to read more about Ibuildings and security.

Discuss on Hacker News.