
But how do I actually do any of this.

E.g., in Azure, in theory, we should PoLP the access controls. But Azure's tutorials and guides often recommend using Contributor (Azure role that entails access to almost everything, except granting more access), and which permissions an API call requires is, AFAICT, undocumented. And sometimes, the error doesn't tell you.¹

I want to allow SSH into systems. Copying keys about the landscape is one employee departure away from having keys on systems that don't need to be there. The last time I set up LDAP … I had to learn about object classes, and some sort of object-oriented tree database when all I want is a list of users & perms. (I understand LDAP's design better now, and I even like it, but the onboarding is braindeath.)

There are any number of k8s dashboards that would give my coworkers better vis … and basically none that have an auth story.

The examples are endless.

¹heck, sometimes the error isn't even grammatically correct English.
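The SSH key-sprawl point above is easy to audit mechanically. The following is an added example, not code from the thread: it parses collected authorized_keys content and reports keys whose owner (taken from the key comment, an assumed convention) is no longer on a current-user roster. Both the key file and the roster are constructed sample data.

```python
"""Audit authorized_keys content for keys belonging to departed users.

Added example. Assumes each key's comment field carries the owner's
account name or e-mail, and that a roster of current accounts is
available (e.g. exported from HR or the IdP). Inputs are constructed.
"""
from dataclasses import dataclass

# Constructed sample: what a collected ~/.ssh/authorized_keys might contain.
SAMPLE_AUTHORIZED_KEYS = """\
# deploy host keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@example.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyBob bob@example.com
command="/usr/bin/backup",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBackup backup-svc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNoComment
"""

# Constructed sample: accounts that still exist. Note bob is gone.
CURRENT_USERS = {"alice@example.com", "backup-svc"}

@dataclass
class KeyEntry:
    options: str   # leading options field such as command="..." (may be empty)
    key_type: str  # ssh-ed25519, ssh-rsa, ...
    comment: str   # trailing comment; here used as the owner tag

def parse_authorized_keys(text):
    """Parse authorized_keys lines, tolerating an optional leading options field.
    Simplification: quoted options containing spaces are not handled."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Without options the first token is the key type; otherwise the second.
        if parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            options, rest = "", parts
        else:
            options, rest = parts[0], parts[1:]
        comment = " ".join(rest[2:]) if len(rest) > 2 else ""
        entries.append(KeyEntry(options, rest[0], comment))
    return entries

def find_stale_keys(text, current_users):
    """Return (owners not on the roster, count of keys with no owner tag).
    Untagged keys cannot be attributed and deserve review on their own."""
    stale, unattributed = [], 0
    for entry in parse_authorized_keys(text):
        if not entry.comment:
            unattributed += 1
        elif entry.comment not in current_users:
            stale.append(entry.comment)
    return stale, unattributed
```

Run against files gathered from every host (for example via a config-management fact) to get a fleet-wide list of keys to revoke rather than relying on memory at offboarding time.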

Typically there's a hierarchy of security documents/practices. You start with principles work, like in this repo. Then you look at technologies you use and start getting into specific examples.

For many platforms/services there will be security best practice sections on their sites and that's a starting point, but then as you mention even their tutorials often don't follow good practice.

The challenge for people writing standards docs is similar: new things come along all the time. How much time is available to be dedicated to writing detailed guidance?

To give one example, the CIS benchmarks that a lot of orgs use to harden their environments are written almost purely by volunteers, so keeping them updated is a tricky game.
