Five years ago, my security reviews were full of mitigations mostly abandoned today: SELinux, DDoS protection, IDS, etc. Not that they were bad, but cloud infrastructure and containers have matured way beyond what we could foresee back then, and we're better off.
For example, I advocated using HAProxy in AWS for better rate limiting and IP blacklisting. I even wrote a long doc on how to do it: https://github.com/jvehent/haproxy-aws. We never used it, mostly because scaling out is generally cheaper and simpler, and then going straight to Cloudflare-type offerings.
Endpoint security (osquery, MIG, GRR, etc.) makes little sense in the short-lived, immutable-infrastructure world we live in today. Auditing provisioning configs solves most needs. Also, systems rarely get popped, and when they do, freezing them for forensics is mostly trivial.
IDS straight up doesn't work. Sure, you can route outbound traffic through a NAT instance running an IDS, but that's impractical and yields little value when 99.9% of the traffic is HTTPS.

Netflow auditing is just as good and doesn't require extra infra.
Even TLS configurations are darn good out of the box nowadays. The need for our Server Side TLS guidelines has reduced dramatically. It's good to see secure-by-default becoming the standard for infra providers.
That's not to say we're done, but we're moving up the stack: supply chain, authentication (OIDC is a mess), fraud detection, etc. The OWASP Top 10 continues to drive the focus of most security teams. Just don't let your budget go to waste on already-solved problems.
And before you spend 6 months deploying a complex system, ask yourself "Am I solving the most critical security problem my organization is facing right now?".

Threat hunting is my pet peeve: it's cool, so engineers rush to it, while much lower-hanging fruit is still left uncovered.
- Can you lock accounts across all your internal and third party apps in a timely manner?
- Can you tell which version of OpenSSL is installed across your production infra?
- Is Kevin over there on vacation in Moscow, or is this access fraudulent?
- What's this new dependency?
Even with mature cloud infrastructure to help you, covering the basics takes years of continued effort. So don't launch yourself into that shiny new project until you're damn sure 1) it solves a critical problem and 2) you have 2 years of runway to finish it.
A relentless focus on removing components of your infra will increase security faster than any new technology ever would.

Get rid of the puppetmaster, turn off that Jenkins, drop the central syslogs. All of this can be done by your provider, for less money and more security.
For a somewhat organized list of the things we care about, see https://wiki.mozilla.org/Security/FirefoxOperations#Security_Checklist

That list doesn't include the infra provisioning piece, like AWS IAM or Kubernetes. This is to be continued...
You can follow @jvehent.