Peter Senge has a great definition in The Fifth Discipline
> Mental models are deeply ingrained assumptions, generalizations, or even pictures of images that influence how we understand the world and how we take action.
Isn't open source proof that you don't need butts in seats in the same office? If open source projects can do it, why can't most businesses? What's the limiting factor in business? Is it communication? Is it antiquated management practices?
Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.
Open source's organizational issue is that maintainers tend to prefer what's fun to work on, and often boring administrative work or difficult bugs go unfixed, especially if they cut through multiple levels of module ownership. Maintainers often start to resent the project ("burn out") because they're not paid but are expected to do these things that just aren't fun.
The real power of open source is that there are enough up-and-coming people who haven't learned this, and so if maintainers aren't supported it doesn't matter: there will be a new library to migrate to in the future by a new college grad, and this is one reason why things tend to be so unstable and short-lived.
The most successful open source projects have large corporate backing, like Kubernetes or Linux. And even Linux is a weird case, as a lot of architectural decisions and feature development are wonky because you often can't get the e.g. IO and Network subsystem guys to agree to the same idea.
Open source is heavily decentralized, see the classic paper The Cathedral and the Bazaar. An enterprise (whether profit-seeking or non-profit) is a 'cathedral' by definition, hence they will always be burdened by the constraints of "office"-like work.
> The great ones are a treasure: and they are rare. And in order to stay great, they regularly need to go back to the well to refresh their own hands-on technical abilities.
Similar to principle 9 from the Toyota Way.
> Grow leaders who thoroughly understand the work, live the philosophy, and teach it to others.
Keeping up with security news is important for situational awareness, but it can be time consuming. This is a tool I wrote for my own benefit to improve the signal-to-noise ratio. It runs entirely on GitHub using Pages and Actions. Source: https://github.com/ericalexanderorg/SecurityNews
Technology can bring benefits if, and only if, it diminishes a limitation. - Dr. Eliyahu M. Goldratt
Goldratt was critical of ERP systems, not because they couldn't bring benefit, but because many businesses adopted them with a cargo cult mentality and viewed them as magical silver bullets. Many companies never understood where their bottlenecks were (Theory of Constraints) and would make things worse with an ERP system, with some going bankrupt.
SSRF to metadata service to S3 access was the entry point. There's a lot of focus on the SSRF and metadata service components, but the S3/IAM component is possibly more intriguing. Did the role/account follow the principle of least privilege? If not, how did they miss it? This is the company that open sourced Cloud Custodian. They're capable of identifying risks and creating tooling to reduce lead time on finding those risks.
Possibly more intriguing: I'll bet Capital One deals with more compliance initiatives than 99% of the public sector. Another Heartland Payment Systems example? Did leadership have a false sense of safety after passing an audit?
That was a bush league SSRF that should have been caught by just about any static analysis tooling. That tells me something broke down early in the process.
That said, it's almost impossible to implement least privilege with EC2 instance roles unless you manage application identity in a separate control plane. Otherwise you have a single role that must satisfy the union of all access requirements for infrastructure automation, software deployment, logging, monitoring and discrete application runtime components. It's a mess and IMHO a terrible architecture.
The fact that the STS creds for that role are then made available via an unauthenticated network service, and are then by default active from any endpoint on the planet unless explicitly locked down, is insanity. Furthermore, locking said roles down requires discrete references to VPC endpoints and CIDR ranges that are unique to individual regions and have to be able to breathe with the environment. This makes your IAM lockdown policies gnarly and volatile, not a good recipe for availability.
It's no mean feat to really prevent this kind of thing in a fast-moving environment. Defense in depth is essential.
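As an added example (not from any of the comments above): a small Python model of the lockdown the previous comment describes, a Deny statement conditioned on `aws:SourceVpce` and `aws:SourceIp`, run against a request that carries the instance role's credentials but arrives from outside the intended network. The policies, VPC endpoint id, bucket name and CIDRs are constructed, and the condition evaluation is a simplified approximation of IAM's semantics, not the real policy engine.

```python
import fnmatch
import ipaddress

# Constructed policies (hypothetical identifiers). UNLOCKED is the "single role,
# no network condition" shape: the credentials work from anywhere. LOCKED adds
# an explicit Deny that applies unless the request comes through our VPC
# endpoint or from our CIDR (multiple operator blocks are ANDed, as in IAM).
UNLOCKED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]}
LOCKED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": ["vpce-0123456789abcdef0"]},
                   "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
]}

def _operator_matches(op, key, wanted, ctx):
    """Simplified IAM semantics: 'Not' operators evaluate true when the key is absent."""
    actual = ctx.get(key)
    if op == "StringEquals":
        return actual in wanted
    if op == "StringNotEquals":
        return actual not in wanted
    in_cidr = actual is not None and any(
        ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
    if op == "IpAddress":
        return in_cidr
    if op == "NotIpAddress":
        return not in_cidr
    raise ValueError(f"unsupported operator {op}")

def _statement_matches(stmt, action, resource, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    return all(_operator_matches(op, key, vals, ctx)
               for op, block in stmt.get("Condition", {}).items()
               for key, vals in block.items())

def is_allowed(policy, action, resource, ctx):
    """Explicit Deny wins; otherwise an Allow must match."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, ctx)]
    return "Deny" not in effects and "Allow" in effects

# Constructed request contexts: credentials used from an unknown public IP with
# no VPC endpoint (the exfiltrated-credential case) versus from inside our network.
FROM_OUTSIDE = {"aws:SourceIp": "198.51.100.7"}
FROM_VPCE = {"aws:SourceVpce": "vpce-0123456789abcdef0"}

def exfiltrated_creds_still_work(policy):
    return is_allowed(policy, "s3:GetObject", "arn:aws:s3:::example-bucket/data.csv", FROM_OUTSIDE)
```

Running `exfiltrated_creds_still_work` on the two policies shows the difference the network condition makes; the cost the comment points at is that the endpoint id and CIDR list must be kept current per region.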
Why? About 23% of the classified breaches in this data set are due to compromised valid accounts, and any MFA would probably have prevented the breach. Often security isn't about outrunning the bear, it's about outrunning the person next to you.
It's sensational to make a claim that's based on the opinion of a few people in the world, some of whom are motivated to sell a product. It's plausible criminals are following the path of least resistance (Occam's razor), but I'd like to see data backing the claim that "most cybercrime doesn't involve computer hacking". Open data can help security teams make data-driven decisions in the pursuit of reducing risk.
Number of incidents and impact on people are different things, right? I wonder when attacks impacting more end users will end up happening. Taking out something like the PlayStation Network or Netflix would have a large impact in that way.