Hacker News: Atotalnoob's comments

It passes all of the tests for dotnet's implementation of LINQ...

Seems pretty bug free for a first version.


There are the issues others mentioned, but also you could write something word for word of what an LLM says.

It’s statistically unlikely, but possible


Good news then, your GitHub admins can enable Gemini for you without issue.


“Without issue” is an optimistic perspective on how this works in many organisations.


Just add this to the end of the error message “If this resource exists, you will need to add permission X. “


A late reply, but that's not how AWS IAM (or most advanced authz systems) works. AWS IAM is a “capability” system with dynamic policies; it's nothing so simple as a “role” based authorization, contrary to some product naming. To wit, every authz evaluation is a dynamic evaluation of policy and context. Each check uses one or more policies with one or more policy statements that are combined with some boolean logic and predicate rules. The policies may be associated (sourced) with the particular request based on calling principal, principal attributes, the target resource, a related resource, or even other metadata like AWS Org membership. That's combined with the point-in-time context from the request (e.g. action name, parameters), request metadata (e.g. time), principal (id, tags, etc.), resource (ARN, attributes, tags), and some more “system” specific context variables. You (and the authorizing service) need ALL of that information to perform an authz evaluation.

This is complicated by dynamic data, like time or source address or caller principal tag values, so even identical requests may have different results. There are also complications like DENY statements and “unless” predicates that entirely defeat a simple “resource x requires y” approach.

Even if you solve all of those challenges via magic you end up back at information disclosure where your adversary is now capable of rapidly enumerating and testing all your authz policies!
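A constructed, simplified model of the evaluation the comment above describes (an added example, not the commenter's code and not AWS's actual engine): statements from several policy sources are combined with default deny, an explicit Deny wins over any Allow, and conditions are predicates over per-request context, so the same principal, action and resource can get different answers. The bucket name, the corporate CIDR and the two condition operators are assumptions.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Statement:
    effect: str        # "Allow" or "Deny"
    actions: list      # glob patterns such as "s3:Get*"
    resources: list    # glob patterns over ARNs
    condition: dict = field(default_factory=dict)  # {operator: {context_key: expected}}

# Only two of the many real condition operators are modelled here (assumption).
OPERATORS = {
    "Bool": lambda actual, expected: str(actual).lower() == str(expected).lower(),
    "IpAddress": lambda actual, expected: ipaddress.ip_address(actual) in ipaddress.ip_network(expected),
}

def _match_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key absent from the request context fails."""
    return all(key in context and OPERATORS[op](context[key], expected)
               for op, kvs in condition.items() for key, expected in kvs.items())

def evaluate(policy_sources, action, resource, context):
    """Default deny; a matching Deny from any policy source overrides every Allow."""
    allowed = False
    for st in (s for source in policy_sources for s in source):
        if not (_match_any(st.actions, action) and _match_any(st.resources, resource)
                and _condition_holds(st.condition, context)):
            continue  # statement does not apply to this request in this context
        if st.effect == "Deny":
            return "Deny"  # explicit deny short-circuits everything else
        allowed = True
    return "Allow" if allowed else "Deny"

# Constructed sample policies: identity policy allows reads only from a hypothetical
# corporate network; resource policy denies everything over plaintext transport.
IDENTITY_POLICY = [Statement("Allow", ["s3:GetObject"], ["arn:aws:s3:::demo-bucket/*"],
                             {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}})]
RESOURCE_POLICY = [Statement("Deny", ["s3:*"], ["arn:aws:s3:::demo-bucket/*"],
                             {"Bool": {"aws:SecureTransport": "false"}})]

def decide(source_ip, tls):
    """Same principal, action and resource every time; only the request context differs."""
    ctx = {"aws:SourceIp": source_ip, "aws:SecureTransport": str(tls).lower()}
    return evaluate([IDENTITY_POLICY, RESOURCE_POLICY], "s3:GetObject",
                    "arn:aws:s3:::demo-bucket/report.csv", ctx)
```

`decide("10.1.2.3", True)` is allowed, `decide("203.0.113.7", True)` is denied because no Allow matched, and `decide("10.1.2.3", False)` is denied by the explicit Deny even though an Allow also matched.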


Problem on a lot of teams is people skip over #2 in my experience.

Good devs always do #2, bad devs skip it.


That's easy to solve. When they ask me it might take an hour or two until I come back to them. If they were just trying to use me as a rubber duck the problem will have been solved by then. And it's not only devs. Also PMs have this behaviour. Sitting it out before asking what they need makes most questions vanish.


Extra points for the ones that sit down at step 4 and lay out all the things they've already tried so the context on the problem is clear.


When you use a cloud provider to set up a VM, what policies do you apply to it in order to ensure it's secure?

Wiz and other tools in the same space tell you and track compliance across your fleet.

Idk if Wiz does this, but their competitors have “compliance packs” which are preset compliance patterns, i.e. HIPAA, FINRA, etc.

That way you click a button and it tells you every change you need to make to be compliant.

Edit: this is all just examples


I don't know anything about cloud VMs, but I'm confused about how this is possible. Wouldn't determining whether you are HIPAA compliant depend on auditing all kinds of application details about how information flows through the system and how authentication and authorization are done? How could this be validated statically by looking at cloud VM config? Is Wiz doing some kind of AI magic over your whole codebase?

I am sure I am misunderstanding something, but I'm not sure what.


> I am sure I am misunderstanding something, but I'm not sure what.

You're missing that a lot of "security" is in reality just a bunch of check-boxes for a form that someone asks you to fill out.

The security you need to really think about is outside of those checkboxes, and it seems like Wiz is not for this type of security, but the former.


Exactly


They scan for everything they can and report on that. They don't claim to be able to tell you if you're 100% compliant--they just claim to be able to alert you if some subset of the requirements are out of order.

And that still provides a lot of value to the right customers.


It probably appeals to the kind of businesses that see compliance as a list of checkboxes. Just make sure employees have signed the NDA and contract and stuff. Doesn't matter if they are a salesperson and the NDA says they can't talk about the product.


HIPAA was an example.

Yes, there are other parts to HIPAA than just VM config, but it's just giving you policies and checks out of the box.


They don't only look at the configuration of the VM, they also look at the data inside the VM.


Cloud configuration can create compliance issues that are distinct from codebase compliance issues.


Figures. Crazy how badly I mis-sized this problem. When I was working on a cloud provider I suspected this would be a big problem space for building in, but I thought it was in the low billions. I was thinking (I guess stupidly) that the clouds and tools around them would be kind enough to create a lot of standardization so that at least this stuff wasn't junk. I get wanting to create a bit of friction, but thought "this is a bad place to make high friction". I guess it's pretty bad given the size of this acquisition? Or GCP just wants surface area data on other cloud providers (I presume this would aid in that, but I don't know)?


Idk about other clouds, but Google didn’t eat their own cloud dog food when I was there. We had people food (borg) that was kinda impossible to separate from the infrastructure of google3 (and Google dev processes) and so cloud was built different. It wouldn’t surprise me if that organization just had no awareness of how bad the friction really was for long enough for Wiz to get really good at it?


I'm not at Google, but the usual thinking is that the public product fixed a lot of the design warts of the internal one, but it's only 90% feature compatible, and the internal migration has an opportunity cost that's higher than the cost of maintaining two similar products.


You are telling me it’s a huge excel sheet with all my cloud resources (some colored red) in?


Yes?

They have other capabilities, but that’s the primary value add.

Imagine you are working for a fortune 100 company with hundreds of thousands of cloud resources. You can’t manage them individually.


But...don't these companies already have cloud security engineers on their payrolls?

/s


I don't see the need for sarcasm. Most mid-size and up companies have security departments. And they use tools to make their jobs easier.

The problem with the cloud, from a security standpoint, is that it is much more complex than a traditional on-premise infrastructure, especially if you go the "managed services" route and have minimal code.


What about a license for devs to use when it’s commercial, but their company won’t buy it?

Kind of like how Quokka has a “personal pro” license.

https://quokkajs.com/pro/


That's the idea behind the individual license. It's a non-transferable license that's cheaper than business.


Triplebyte is the company.

You still interview with the end companies, but technical interviews aren’t given.


Fascism.


What kind of marketplace do you use?

