allan.reyes.sh

Keeping Secrets Out of Logs

Fri, 02 Aug 2024 00:00:00 +0000

"This is the blog version of a talk I gave at LocoMocoSec 2024. It’s mostly a lightly edited transcript with some screenshots, so if you’d prefer, you can watch the video or just flip through the slides."

This post is about how to keep secrets out of logs, and my claim is that (like many things in security) there isn’t a singular action or silver bullet that lets you do this. I would go so far as to say that there’s not even an 80/20 rule, where one action fixes 80% of the problem. It’s not like preventing SQL injection with prepared statements or preventing buffer overflows by using memory-safe languages.

Mental Models

Sun, 17 Mar 2024 00:00:00 +0000

I really like lists! I also really like mental models. This post is about both.

I use “mental models” quite loosely here: any kind of model, law, idiom, aphorism, etc. that helps me take something about how the world works and capture, compress, and distill it down to something named. They’re like pointers in an index that help me retrieve and recall the right page (and the content that lives there).

Read-once Objects

Sun, 22 Oct 2023 10:00:00 -0400

Hello! In the previous post, I covered tainted types as the second of a domain primitives series.

Tainted types helped us package dangerous user input into a value object to ensure that all the areas where it propagated to are handled correctly. We’ll extend the value object concept to create a container for sensitive data. It’s one of my favorite domain primitives. They are fantastic for storing and tracking sensitive data, and preventing them from leaking into logs. (I’m sure you’ve been there.)

Tainted Types

Sun, 22 Oct 2023 09:00:00 -0400

Welcome! In the previous post, I covered branded types as the first of a domain primitives series.

Where branded types helped us ensure upstream code is correct, we can flip the script and use another type of domain object (specifically, a value object) to ensure that downstream code is correct. As the adage goes, “always validate user input!” We can “taint” user input as it enters our system and force everything that handles it to either validate or sanitize it.

Branded Types

Sat, 21 Oct 2023 09:00:00 -0400

Code that handles bare string primitives with important semantic and security concerns isn’t using the type system to its fullest extent.

—Brendan Eich, probably

This is the first post of a series on domain primitives that show how they lay a secure foundation for software. I’ll discuss alternatives to string primitives using an Express web server written in TypeScript as an example, but the concepts introduced here can be generalized to replace any primitive and they can be used in other languages that support type guards.

Always Tell When You Stop Telling

Sun, 05 Feb 2023 00:00:00 +0000

Most services and systems that provide webhooks often lack a critical feature: telling you when it’s been changed or shut off. This is a particularly fragile and dangerous setup if you rely on receiving these events for rare but critical events. It might seem obvious, but I see this missing everywhere, and I wish that weren’t the case!

On Telling

Let’s say you’re using Tailscale (a lovely product) to manage access to your infrastructure and you’ve set up webhooks to notify you of any changes to access control lists. You’ve set this up for ingestion into your fancy logging pipeline or SIEM and you’ve set up various detection rules or notifications so you can know when the state of your system has unexpectedly changed. What happens if or when the renowned evil attacker, Mallory (she’s everywhere!), gets access to the control plane?

Literature Insights

Mon, 23 Jan 2023 00:00:00 +0000

This is an “evergreen” page that I’m backfilling from reading notes and keeping updated moving forward. I distill and compress the #1 thing I learned or took away from various pieces of literature (except books, but feel free to check out my reading pipeline). It’s far from perfect: run-on sentences galore to fit into the arbitrary one-sentence restriction. Nonetheless, I hope this piques your interest and encourages you to read the source material. Items that are italicized are some of my favorites.

Every Online Course I've Taken

Thu, 10 Feb 2022 00:00:00 +0000

👇 Enough blabber? Jump down to courses or degrees.

These courses were offered mostly by Coursera, edX, Udacity, (free) and Georgia Tech, with the latter spanning three masters programs (paid). Topics were mostly in computer science, machine learning, data analytics, and security. I want to be clear right out of the gate: I took way too many courses, and I do not recommend to others to follow suit. (See the FAQ for more details.) Bottom line: I think a more focused approach would be a far more efficient use of one’s time.

Dear Recruiter

Mon, 07 Feb 2022 00:00:00 +0000

"Hi! I hope this standard letter saves us both some time, which we could all use a little bit more of these days."

👋 Thanks for reaching out. I’m always open to hearing about new and exciting opportunities and what amazing things that people are building. I do get a high volume of recruitment emails, and I totally acknowledge and am thankful for how lucky I am to be in that position.

About

Sat, 05 Feb 2022 00:00:00 +0000

"You’ve stumbled on my user manual!"

I’m a father, software engineer, and veteran. The first one is most important—I love those little kiddos! But also, if you ever hop on a call with me and hear utter chaos in the background, just know that I am barely holding it together.

While I enjoy working on security and reliability, I’m an avowed software generalist that loves parachuting into and learning about new domains. I’ve accepted it and just lean into it at this point; I am an obsessively curious person and I enjoy learning how to do new things. This site is basically a loose collection of the things I learn and manage to write down.

Reading Pipeline

Sat, 05 Feb 2022 00:00:00 +0000

A list of books in various stages of my reading pipeline. There are no affiliate links. Also see: complementary lists for courses and papers, articles, and talks.

Currently Reading

Patterns of Enterprise Application Architecture

On the Radar

Snoozed

Finished

Books I’ve read, ordered from most recent to some time in ~2022 when I started writing this down.

CV

Sat, 01 Jan 2022 00:00:00 +0000

"Hi! I’m Allan. I build and break software."

I am a software engineer with a penchant for security, reliability, and devops. You can learn more about me from my leadership philosophy or reading list.

Work

A Healthcare Software Company (2025-present). for details.

The YAML-Norway Law

Wed, 20 Jun 2018 00:00:00 +0000

YAML Ain’t Markup Language (YAML) is a human-readable data serialization language, and if you ever try to abbreviate “Norway,” you just might run into a surprising outcome.

Here’s an example:

NI: Nicaragua
NL: Netherlands
NO: Norway # boom!

Does it work? NO|No|no, but not “NO”. NO is parsed as a boolean type, which with the YAML 1.1 spec, there are 11 ways to say false:

n
N
no
No
NO
false
False
FALSE
off
Off
OFF

The correction:

Write Your Leadership Philosophy

Fri, 29 Dec 2017 00:00:00 +0000

At best, it represents who you are and what you can deliver as a leader, and at worst, it’s a contract for what you aspire to be.

I first wrote down my leadership philosophy about a decade ago by writing down all the values and practices I embraced. At the time, every great leader and commander I served with had a written philosophy—so, I thought I should craft one myself. It changed a lot since then, and I’ve changed a lot.

Give Your Users a Taste of Badassery

Sat, 18 Oct 2014 00:00:00 +0000

Wow! I love your app because I start out completely useless. I’m fumbling up this learning curve and I have no idea what I’ll be able to do once I spend the time to master it!

— no user ever

Start your users with this feeling:

Credit: reddit

…before you start them at level 1:

Privacy Policy

Wed, 01 Oct 2014 00:00:00 +0000

I do not employ analytics, trackers, affiliate links, or page view counters. Ain’t nobody got time for that. If you do happen to find something that violates that privacy statement, reach out to me so I can fix it, because it’s likely a programming mistake.

While I don’t personally collect anything, this site is hosted using GitHub pages, so you should check their privacy policy, specifically:

Please note that GitHub may collect User Personal Information from visitors to your GitHub Pages website, including logs of visitor IP addresses, to comply with legal obligations, and to maintain the security and integrity of the Website and the Service.