From 049ba7e1a60fcfc2b124529ccbe312d49d508423 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 11:46:38 -0600 Subject: [PATCH 01/15] draft for PR --- .../2023-11-22-how-we-saved-over-100k/item.md | 156 ++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 website/blog/2023-11-22-how-we-saved-over-100k/item.md diff --git a/website/blog/2023-11-22-how-we-saved-over-100k/item.md b/website/blog/2023-11-22-how-we-saved-over-100k/item.md new file mode 100644 index 000000000000..2c4f13fa9c15 --- /dev/null +++ b/website/blog/2023-11-22-how-we-saved-over-100k/item.md 
@@ -0,0 +1,156 @@ +--- +title: “How we saved over $100k when we built our security stack” +description: “You don’t have to spend a lot developing a good security posture from the beginning. Here’s how we built Authentik Security’s stack with mostly free and open source tools.” +slug: 2023-11-22-how-we-saved-over-100k +authors: + - name: Jens Langhammer + title: CTO at Authentik Security Inc + url: https://github.com/BeryJu + image_url: https://github.com/BeryJu.png +tags: + - authentik + - FOSS + - security budget + - security stack + - Red Team + - Blue Team + - SBOM + - hardening + - penetration testing + - monitoring + - SSO + - insider threats + - certifications + - security + - identity provider + - authentication +hide_table_of_contents: false +image: ./security-stack.png + +--- + +> **_authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a [public benefit company](https://github.com/OpenCoreVentures/ocv-public-benefit-company/blob/main/ocv-public-benefit-company-charter.md) building on top of the open source project._** + +--- + +There was an article recently about nearly 20 well-known startups’ first 10 hires—security engineers didn’t feature at all. Our third hire at Authentik Security was a security engineer so we might be biased, but even startups without the resources for a full-time security hire should have someone on your founding team wearing the security hat, so you get off on the right foot. + +As security departments are cost centers (not revenue generators) it’s not unusual for startups to take a tightwad mentality with security. The good news is that you don’t need a big budget to have a good security posture. There are plenty of free and open source tools at your disposal, and a lot of what makes good security is actually organizational practices—many of which don’t cost a thing to implement. 
+ +>We estimate that using mostly non-commercial security tools saves us approximately $100,000 annually, and the end-result is a robust stack of security tools and processes. +> + +Here’s how we built out our security stack and processes using mostly free and open source software (FOSS). + + + +# Blue Team efforts + +Security efforts can mostly be grouped into two categories: Blue Team and Red Team. Your Blue Team is defensive, meaning guarding against potential attacks. The Red Team is offensive, actively seeking for weaknesses and potential vulnerabilities. Startups with scant resources should focus on Blue activities first. + +## Visibility: Do you know what is happening in your environment? + +The first step is to get eyes into your environment through SIEM (Security Information Event Monitoring). A security person’s worst nightmare is things happening without them knowing about it. You can’t react to an attack that you don’t know is happening! You need a tool that monitors your team’s device logs and flags suspicious activity. + +We’re an all-remote and globally distributed team, which makes monitoring both harder and more important; team members can log in from anywhere, at any time, and we don’t have a central headquarters to house a secure server for backups, for example. We needed something that’s available worldwide and compatible with our endpoint device architectures, cloud infrastructure, and SaaS solutions. + +We settled on [Wazuh](https://wazuh.com/platform/siem/), which has been around for a long time, is open source and well supported. We’ll acknowledge that it is a bit harder to deploy than some other, proprietary solutions. This can often be the case with FOSS, and it’s a tradeoff you have to accept when you’re not paying for something. + +If you don’t want to use something that’s tricky to stand up, you can of course pay for a tool with which you’ll get customer support and all those good things. 
Your first priority should be picking something that fits your company’s needs. + +We also use Grafana’s [Loki](https://grafana.com/oss/loki/) (which is free for self-hosted environments) for certain types of log aggregation. Logging is still a staple for security awareness, so do your research for the best logging and analysis solution. + +The general idea behind having good visibility is to gather as many data points as possible while minimizing ongoing maintenance overhead. Make no mistake, this step is not only crucial, but never-ending. Companies are always standing up and tearing down infrastructure, on- and off-boarding employees, etc. Without visibility and monitoring of these activities, it’s easy to leave something exposed to opportunistic attackers. + +## Understand your dependencies: SBOMs for the win + +If you’re a small, early-stage startup, you’re more likely to get caught in a large-scale, net-casting campaign than in any sophisticated, targeted attacks. That means it’s critical to have awareness of your dependencies, so you can quickly understand if a critical vulnerability affects any part of your software supply chain. When the [Log4Shell vulnerability](https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896) surfaced in December 2021, the companies that were aware of their dependencies were able to mitigate quickly and close the attack window. + +This is where a Software Bill of Materials (SBOM) comes in handy. Your SBOM isn’t just a checkbox exercise for auditing and compliance requirements. We use OWASP’s [Dependency Track](https://dependencytrack.org/) (also free and open source) to ingest our SBOM and help identify parts of the codebase that may be at risk from new vulnerabilities. We also use [Semgrep](https://semgrep.dev/) for code scanning with pattern-based recognition. It’s open source and free to run locally. 
+ +It’s also worth mentioning that if your company’s product is open source, or you have an open core model (a proprietary product built on open source), you may qualify for access to free tooling from GitHub for your open source project: we use [Dependabot](https://github.com/dependabot) for automated dependency updates and [CodeQL](https://codeql.github.com/) for code analysis to identify vulnerable code. + +## Hardening + +Now that you’ve got visibility into your environment, your next step is hardening: reducing or eliminating potential threats. We can group these efforts into two categories: *organizational security* and *product security*. + +### Organizational security + +Raise your hand if you’ve worked at a small startup and have seen the following: + +- Shared credentials +- Spreadsheets for IT/People teams to create all logins for new employees on the day they join +- Team members introducing new software/tooling at whim + +It can be a free-for-all at small companies, and while the risk is low at that scale, it can be much harder to introduce more rigorous processes later. The team will be resistant because you’ve added friction where there wasn’t before. + +Ideally, you want to introduce secure-by-default practices into your team and company early on: + +- Multi-factor authentication +- Single sign on +- Just-in-time permissions +- Evaluation of new tooling + +In the case of open source software, you can inspect the code to check how data is being handled, how secure the databases are, what exact kind of data is being transferred, saved, etc. Another team best practice is around vetting the tools and dependencies that the team uses; even if you don’t have time or resources to do a full vet of every new piece of software your coworkers want to use, at least check for certifications. + +Here at Authentik Security, we tackle a lot of risk factors with one shot: [authentik](https://goauthentik.io/). 
By using SSO, we can ensure every new employee has the correct credentials for accessing the appropriate workplace apps, and that every departing employee immediately has access revoked with one click. We can also quarantine suspect users, essentially cutting off access to all systems quickly. Ironically, one of the most common initial access points is ex-employee credentials. + +These all contribute to ‘defense in depth’—adding layers of security and complications to make it as hard or annoying as possible for attackers to get around. These practices typically cost $0 to implement and will set you up for good security posture as you grow. + +### Product security + +This layer is really anything to do with securing the actual product you’re building (not you company). This typically means getting third-party penetration testing (if you don’t have a dedicated Red Team—more on this below) and remediating vulnerabilities you’ve surfaced through your monitoring and dependency tracking efforts. + +# Red Team efforts + +As we mentioned above, the Red Team is offensive, meaning they attack the company (physically or remotely) to poke holes in your own defenses before the real bad actors can. + +## Internal penetration testing + +Now that we have implemented monitoring, and hardened a few things, it’s time to test how well we did. This is where we take the attacker’s point of view to try to break in and test our own controls over our systems, to expose weaknesses. Just recently we discovered that Authentik had a bunch of domains that we’d left open, unmonitored. It’s a constant, iterative loop of unearthing holes via your internal penetration testing (also called pentesting or white box testing) and finding ways to plug them. + +There are a lot of tools to choose from here (everyone likes breaking into things!). You’re never done choosing your stack—the threat landscape evolves constantly and so does the tooling to keep up with it. 
You’ll want to pay attention to new developments by keeping an eye on discussions on Twitter, Reddit, Hacker News, etc. When a new way to attack something develops (and it always will), someone will go create the special automation tooling to address that threat. (Then your attackers are going to go grab that tool and see if they can hack their way in. It’s a constant wheel.) + +At Authentik we use the [Kali Linux](https://www.kali.org/) distribution, which has a host of hacking tools on it, for penetration testing. It’s well known within the security world and is open source and free to use. + +Testing can be a tough one for small startups, because you likely won’t have a dedicated Red Team and commercial pentesting doesn’t come cheap. If you can save on your tooling though, that can help to free up resources for contracting out this type of work. The main goal you’re after is trying to identify the low-hanging fruit that inexperienced actors may exploit. + +## A note on insider threats + +[Okta has been in the news](https://goauthentik.io/blog/2023-10-23-another-okta-breach) (again!) after its second major breach in two years. A team member [unknowingly uploaded a file containing sensitive information to Okta’s support management system](https://www.crn.com/news/security/okta-faces-potential-for-reputational-risk-after-second-major-breach-in-two-years-analysts), highlighting the risk of insider threats. + +Your employees are a risk factor—whether through malice, ignorance, or carelessness. It’s not unheard of for someone to accidentally save a password publicly to the company’s cloud. It can be an honest mistake, but it’s very-low hanging fruit for a bad actor just watching your cloud assets. + +With the rise of Ransomware as a Service, there’s also always the possibility that a disgruntled employee can act as an initial access broker: either accidentally or purposefully giving their credentials or their access to someone else. 
It’s obviously not possible to prevent all possible compromises, so it’s important that your tooling is set up to alert you to unusual activity and your processes are in place so you can react quickly. + +# Do you really need certifications? + +Apart from using security certifications like ISO/IEC 27001 and SOC 2 to evaluate vendors that make the software you are using, certifications can vouch for your organizational security, which might be important to your customers, depending on what your product does and who your customers are. + +For us at Authentik Security, [our source code](https://github.com/goauthentik/authentik) is available for inspection, but that doesn’t tell people anything about how we handle emails, payment information, and so on. That’s where a third-party certification comes in: an auditor verifies your security practices, which in turn signals to your customers that you can be trusted. + +Certifications can be expensive though, and as a cash-strapped startup, you may not want or be able to invest in a certification. However there’s nothing stopping you from ingraining some of those good security practices in your company’s culture anyway. That way, you’re already building a strong security posture and when the time comes, you’re not rushing to implement processes that feel unnatural to the team. + +Again, it comes back to getting off on the right foot so that you’re not spending 10-20x the amount of money later in people time and resources to course correct later. + +# Security doesn’t have to be a big-company luxury + +People imagine that large corporations have security all figured out, but a large security department doesn’t guarantee that they have any idea what other teams are doing. As a small company, you do have one thing going for you: it’s much easier to have eyes on everything that’s happening. You’re more tightly knit and you can encompass more with fewer resources. 
+ +If you talk to a lot of security people, their happy place is when no one is doing anything. Then your job’s pretty easy. Unfortunately, if you want your company to succeed, you need your developers to develop, your salespeople to talk to prospects, your CEO to meet with whomever they need to meet with. These are standard operations that all put the company at risk, but it’s your job to mitigate that risk the best you can. + +Our security engineer likes to say they work alongside teams, not blocking them. If security says it’s their job to make sure there are no vulnerabilities, and it’s the development team’s job to make new features, how do you get these two sides to work together? + +Realistically, everything has vulnerabilities. You’re never going to have a completely safe, locked-down environment. So, you partner with other teams and find a compromise. Establish a minimum threshold people have to meet to keep going. If you’re too inflexible, those teams won’t want to work with you and they won’t tell you when they’re making new virtual machines or writing new code. + +# Repercussions + +You don’t need to be a security company for these things to matter. This advice applies no matter what type of product you’re building. + +[Some 422 million individuals were impacted by data compromises in 2022](https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/). As consumers we have almost become numb to news of new breaches. A company gets breached, they offer some sort of credit protection, cyber insurance might go up a bit, but life goes on. + +If you’re still not motivated to invest in your security posture (or trying to win over teammates who prioritize feature shipping over everything), consider the [case of SolarWinds](https://www.sec.gov/news/press-release/2023-227). The company appears to have exaggerated their internal security posture, leading to an indictment from the SEC. 
+ +So not only is security important, it could actually keep you out of jail. + +*What’s in your security stack? Let us know in the comments, or send us an email at hello@goauthentik.io!* From d9390897263f97eac583b401e43135b5ba0fa3f5 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 12:17:16 -0600 Subject: [PATCH 02/15] fixed head-levels --- .../2023-11-22-how-we-saved-over-100k/item.md | 51 +++++++++---------- 1 file changed, 24 insertions(+), 27 deletions(-) diff --git a/website/blog/2023-11-22-how-we-saved-over-100k/item.md b/website/blog/2023-11-22-how-we-saved-over-100k/item.md index 2c4f13fa9c15..61d3601097ae 100644 --- a/website/blog/2023-11-22-how-we-saved-over-100k/item.md +++ b/website/blog/2023-11-22-how-we-saved-over-100k/item.md @@ -1,5 +1,5 @@ --- -title: “How we saved over $100k when we built our security stack” +title: How we saved over $100k when we built our security stack description: “You don’t have to spend a lot developing a good security posture from the beginning. Here’s how we built Authentik Security’s stack with mostly free and open source tools.” slug: 2023-11-22-how-we-saved-over-100k authors: 
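Review bot: in the Visibility section of this new file, SIEM is expanded as "Security Information Event Monitoring"; the acronym stands for Security Information and Event Management, so the parenthetical should read `SIEM (Security Information and Event Management)`. Two smaller points in the same hunk: the front matter sets `image: ./security-stack.png`, but the patch touches only `item.md` (1 file changed), so the referenced PNG is missing from the commit; and the Repercussions section says SolarWinds faced "an indictment from the SEC", whereas the linked SEC press release describes civil fraud charges (the SEC does not issue indictments), so "charges from the SEC" would be accurate and "keep you out of jail" overstates a civil action.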
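Review bot: this hunk unwraps `title:`, but the `description:` value on the next context line is still wrapped in typographic quotes (“ ”), which YAML keeps as literal characters of the string, so the curly quotes will show up in the rendered meta description. Give it the same treatment as the title by dropping the surrounding quotes (or use plain ASCII double quotes if the value needs quoting).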
@@ -25,30 +25,27 @@ tags: - identity provider - authentication hide_table_of_contents: false -image: ./security-stack.png - --- > **_authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a [public benefit company](https://github.com/OpenCoreVentures/ocv-public-benefit-company/blob/main/ocv-public-benefit-company-charter.md) building on top of the open source project._** --- -There was an article recently about nearly 20 well-known startups’ first 10 hires—security engineers didn’t feature at all. Our third hire at Authentik Security was a security engineer so we might be biased, but even startups without the resources for a full-time security hire should have someone on your founding team wearing the security hat, so you get off on the right foot. +There was an article recently about nearly 20 well-known startups’ first 10 hires—security engineers didn’t feature at all. Our third hire at Authentik Security was a security engineer so we might be biased, but even startups without the resources for a full-time security hire should have someone on your founding team wearing the security hat, so you get started on the right foot. As security departments are cost centers (not revenue generators) it’s not unusual for startups to take a tightwad mentality with security. The good news is that you don’t need a big budget to have a good security posture. There are plenty of free and open source tools at your disposal, and a lot of what makes good security is actually organizational practices—many of which don’t cost a thing to implement. ->We estimate that using mostly non-commercial security tools saves us approximately $100,000 annually, and the end-result is a robust stack of security tools and processes. 
-> +> We estimate that using mostly non-commercial security tools saves us approximately $100,000 annually, and the end-result is a robust stack of security tools and processes. Here’s how we built out our security stack and processes using mostly free and open source software (FOSS). -# Blue Team efforts +## Blue Team efforts Security efforts can mostly be grouped into two categories: Blue Team and Red Team. Your Blue Team is defensive, meaning guarding against potential attacks. The Red Team is offensive, actively seeking for weaknesses and potential vulnerabilities. Startups with scant resources should focus on Blue activities first. -## Visibility: Do you know what is happening in your environment? +### Visibility: Do you know what is happening in your environment? The first step is to get eyes into your environment through SIEM (Security Information Event Monitoring). A security person’s worst nightmare is things happening without them knowing about it. You can’t react to an attack that you don’t know is happening! You need a tool that monitors your team’s device logs and flags suspicious activity. 
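Review bot: deleting the `image: ./security-stack.png` line removes the post's social preview card rather than fixing the missing asset; if a card is wanted, add `security-stack.png` next to `item.md` and restore the field. The blockquote cleanup (removing the empty `>` line and adding the space after `>`) is correct.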
@@ -62,7 +59,7 @@ We also use Grafana’s [Loki](https://grafana.com/oss/loki/) (which is free for The general idea behind having good visibility is to gather as many data points as possible while minimizing ongoing maintenance overhead. Make no mistake, this step is not only crucial, but never-ending. Companies are always standing up and tearing down infrastructure, on- and off-boarding employees, etc. Without visibility and monitoring of these activities, it’s easy to leave something exposed to opportunistic attackers. -## Understand your dependencies: SBOMs for the win +### Understand your dependencies: SBOMs for the win If you’re a small, early-stage startup, you’re more likely to get caught in a large-scale, net-casting campaign than in any sophisticated, targeted attacks. That means it’s critical to have awareness of your dependencies, so you can quickly understand if a critical vulnerability affects any part of your software supply chain. When the [Log4Shell vulnerability](https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896) surfaced in December 2021, the companies that were aware of their dependencies were able to mitigate quickly and close the attack window. 
@@ -70,26 +67,26 @@ This is where a Software Bill of Materials (SBOM) comes in handy. Your SBOM isn It’s also worth mentioning that if your company’s product is open source, or you have an open core model (a proprietary product built on open source), you may qualify for access to free tooling from GitHub for your open source project: we use [Dependabot](https://github.com/dependabot) for automated dependency updates and [CodeQL](https://codeql.github.com/) for code analysis to identify vulnerable code. -## Hardening +### Hardening -Now that you’ve got visibility into your environment, your next step is hardening: reducing or eliminating potential threats. We can group these efforts into two categories: *organizational security* and *product security*. +Now that you’ve got visibility into your environment, your next step is hardening: reducing or eliminating potential threats. We can group these efforts into two categories: _organizational security_ and _product security_. -### Organizational security +#### Organizational security Raise your hand if you’ve worked at a small startup and have seen the following: -- Shared credentials -- Spreadsheets for IT/People teams to create all logins for new employees on the day they join -- Team members introducing new software/tooling at whim +- Shared credentials +- Spreadsheets for IT/People teams to create all logins for new employees on the day they join +- Team members introducing new software/tooling at whim It can be a free-for-all at small companies, and while the risk is low at that scale, it can be much harder to introduce more rigorous processes later. The team will be resistant because you’ve added friction where there wasn’t before. 
Ideally, you want to introduce secure-by-default practices into your team and company early on: -- Multi-factor authentication -- Single sign on -- Just-in-time permissions -- Evaluation of new tooling +- Multi-factor authentication +- Single sign on +- Just-in-time permissions +- Evaluation of new tooling In the case of open source software, you can inspect the code to check how data is being handled, how secure the databases are, what exact kind of data is being transferred, saved, etc. Another team best practice is around vetting the tools and dependencies that the team uses; even if you don’t have time or resources to do a full vet of every new piece of software your coworkers want to use, at least check for certifications. 
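Review bot: the closing sentence of this hunk, "at least check for certifications", leaves the reader without a criterion; the certifications section later in the post names ISO/IEC 27001 and SOC 2, so naming them here (or pointing to that section) would make the vetting advice actionable. Minor: "Single sign on" in the secure-by-default list should be "Single sign-on", matching the SSO tag in the front matter.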
@@ -97,15 +94,15 @@ Here at Authentik Security, we tackle a lot of risk factors with one shot: [auth These all contribute to ‘defense in depth’—adding layers of security and complications to make it as hard or annoying as possible for attackers to get around. These practices typically cost $0 to implement and will set you up for good security posture as you grow. -### Product security +#### Product security This layer is really anything to do with securing the actual product you’re building (not you company). This typically means getting third-party penetration testing (if you don’t have a dedicated Red Team—more on this below) and remediating vulnerabilities you’ve surfaced through your monitoring and dependency tracking efforts. -# Red Team efforts +## Red Team efforts As we mentioned above, the Red Team is offensive, meaning they attack the company (physically or remotely) to poke holes in your own defenses before the real bad actors can. -## Internal penetration testing +### Internal penetration testing Now that we have implemented monitoring, and hardened a few things, it’s time to test how well we did. This is where we take the attacker’s point of view to try to break in and test our own controls over our systems, to expose weaknesses. Just recently we discovered that Authentik had a bunch of domains that we’d left open, unmonitored. It’s a constant, iterative loop of unearthing holes via your internal penetration testing (also called pentesting or white box testing) and finding ways to plug them. 
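Review bot: the context line in this hunk still reads "not you company"; PATCH 03/15 corrects it to "your", so squash that fix into this commit rather than carrying a separate typo patch. Also in this hunk, the internal pentesting paragraph equates internal penetration testing with "white box testing"; white box describes the tester's level of knowledge (full access to source and configuration), not who performs the test, and an internal team can run black-, grey- or white-box tests, so "also called pentesting or white box testing" should be reworded.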
@@ -115,7 +112,7 @@ At Authentik we use the [Kali Linux](https://www.kali.org/) distribution, which Testing can be a tough one for small startups, because you likely won’t have a dedicated Red Team and commercial pentesting doesn’t come cheap. If you can save on your tooling though, that can help to free up resources for contracting out this type of work. The main goal you’re after is trying to identify the low-hanging fruit that inexperienced actors may exploit. -## A note on insider threats +### A note on insider threats [Okta has been in the news](https://goauthentik.io/blog/2023-10-23-another-okta-breach) (again!) after its second major breach in two years. A team member [unknowingly uploaded a file containing sensitive information to Okta’s support management system](https://www.crn.com/news/security/okta-faces-potential-for-reputational-risk-after-second-major-breach-in-two-years-analysts), highlighting the risk of insider threats. @@ -123,7 +120,7 @@ Your employees are a risk factor—whether through malice, ignorance, or careles With the rise of Ransomware as a Service, there’s also always the possibility that a disgruntled employee can act as an initial access broker: either accidentally or purposefully giving their credentials or their access to someone else. It’s obviously not possible to prevent all possible compromises, so it’s important that your tooling is set up to alert you to unusual activity and your processes are in place so you can react quickly. -# Do you really need certifications? +## Do you really need certifications? Apart from using security certifications like ISO/IEC 27001 and SOC 2 to evaluate vendors that make the software you are using, certifications can vouch for your organizational security, which might be important to your customers, depending on what your product does and who your customers are. 
@@ -133,7 +130,7 @@ Certifications can be expensive though, and as a cash-strapped startup, you may Again, it comes back to getting off on the right foot so that you’re not spending 10-20x the amount of money later in people time and resources to course correct later. -# Security doesn’t have to be a big-company luxury +## Security doesn’t have to be a big-company luxury People imagine that large corporations have security all figured out, but a large security department doesn’t guarantee that they have any idea what other teams are doing. As a small company, you do have one thing going for you: it’s much easier to have eyes on everything that’s happening. You’re more tightly knit and you can encompass more with fewer resources. @@ -143,7 +140,7 @@ Our security engineer likes to say they work alongside teams, not blocking them. Realistically, everything has vulnerabilities. You’re never going to have a completely safe, locked-down environment. So, you partner with other teams and find a compromise. Establish a minimum threshold people have to meet to keep going. If you’re too inflexible, those teams won’t want to work with you and they won’t tell you when they’re making new virtual machines or writing new code. -# Repercussions +## Repercussions You don’t need to be a security company for these things to matter. This advice applies no matter what type of product you’re building. @@ -153,4 +150,4 @@ If you’re still not motivated to invest in your security posture (or trying to So not only is security important, it could actually keep you out of jail. -*What’s in your security stack? Let us know in the comments, or send us an email at hello@goauthentik.io!* +_What’s in your security stack? Let us know in the comments, or send us an email at hello@goauthentik.io!_ From e9d10610509146bdf01f5991befc70aaf5269c73 Mon Sep 17 00:00:00 2001 
From: Tana Berry Date: Tue, 21 Nov 2023 12:30:08 -0600 Subject: [PATCH 03/15] tweaks --- website/blog/2023-11-22-how-we-saved-over-100k/item.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/blog/2023-11-22-how-we-saved-over-100k/item.md b/website/blog/2023-11-22-how-we-saved-over-100k/item.md index 61d3601097ae..d19b82cc0259 100644 --- a/website/blog/2023-11-22-how-we-saved-over-100k/item.md +++ b/website/blog/2023-11-22-how-we-saved-over-100k/item.md @@ -96,7 +96,7 @@ These all contribute to ‘defense in depth’—adding layers of security and c #### Product security -This layer is really anything to do with securing the actual product you’re building (not you company). This typically means getting third-party penetration testing (if you don’t have a dedicated Red Team—more on this below) and remediating vulnerabilities you’ve surfaced through your monitoring and dependency tracking efforts. +This layer is really anything to do with securing the actual product you’re building (not your company). This typically means getting third-party penetration testing (if you don’t have a dedicated Red Team—more on this below) and remediating vulnerabilities you’ve surfaced through your monitoring and dependency tracking efforts. ## Red Team efforts From 4a4f9faf7e970fb18a56122c2099d2cf6041e7b4 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 14:12:32 -0600 Subject: [PATCH 04/15] new title --- .../item.md | 153 ++++++++++++++++++ 1 file changed, 153 insertions(+) create mode 100644 website/blog/2023-11-22-building-an-oss-security-stack/item.md diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/item.md b/website/blog/2023-11-22-building-an-oss-security-stack/item.md new file mode 100644 index 000000000000..11bee7ae5c2d --- /dev/null +++ b/website/blog/2023-11-22-building-an-oss-security-stack/item.md 
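Review bot: a one-word typo fix ("you" to "your") as a standalone commit adds noise to a 15-patch series for a single blog post; fold it into PATCH 01/15 or PATCH 02/15 before merge.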
@@ -0,0 +1,153 @@ +--- +title: Building an OSS security stack with Loki, Wazuh, and CodeQL to save $100k +description: “You don’t have to spend a lot developing a good security posture from the beginning. Here’s how we built Authentik Security’s stack with mostly free and open source tools.” +slug: 2023-11-22-how-we-saved-over-100k +authors: + - name: Jens Langhammer + title: CTO at Authentik Security Inc + url: https://github.com/BeryJu + image_url: https://github.com/BeryJu.png +tags: + - authentik + - FOSS + - security budget + - security stack + - Red Team + - Blue Team + - SBOM + - hardening + - penetration testing + - monitoring + - SSO + - insider threats + - certifications + - security + - identity provider + - authentication +hide_table_of_contents: false +--- + +> **_authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a [public benefit company](https://github.com/OpenCoreVentures/ocv-public-benefit-company/blob/main/ocv-public-benefit-company-charter.md) building on top of the open source project._** + +--- + +There was an article recently about nearly 20 well-known startups’ first 10 hires—security engineers didn’t feature at all. Our third hire at Authentik Security was a security engineer so we might be biased, but even startups without the resources for a full-time security hire should have someone on your founding team wearing the security hat, so you get started on the right foot. + +As security departments are cost centers (not revenue generators) it’s not unusual for startups to take a tightwad mentality with security. The good news is that you don’t need a big budget to have a good security posture. There are plenty of free and open source tools at your disposal, and a lot of what makes good security is actually organizational practices—many of which don’t cost a thing to implement. 
+ +> We estimate that using mostly non-commercial security tools saves us approximately $100,000 annually, and the end-result is a robust stack of security tools and processes. + +Here’s how we built out our security stack and processes using mostly free and open source software (FOSS). + + + +## Blue Team efforts + +Security efforts can mostly be grouped into two categories: Blue Team and Red Team. Your Blue Team is defensive, meaning guarding against potential attacks. The Red Team is offensive, actively seeking for weaknesses and potential vulnerabilities. Startups with scant resources should focus on Blue activities first. + +### Visibility: Do you know what is happening in your environment? + +The first step is to get eyes into your environment through SIEM (Security Information Event Monitoring). A security person’s worst nightmare is things happening without them knowing about it. You can’t react to an attack that you don’t know is happening! You need a tool that monitors your team’s device logs and flags suspicious activity. + +We’re an all-remote and globally distributed team, which makes monitoring both harder and more important; team members can log in from anywhere, at any time, and we don’t have a central headquarters to house a secure server for backups, for example. We needed something that’s available worldwide and compatible with our endpoint device architectures, cloud infrastructure, and SaaS solutions. + +We settled on [Wazuh](https://wazuh.com/platform/siem/), which has been around for a long time, is open source and well supported. We’ll acknowledge that it is a bit harder to deploy than some other, proprietary solutions. This can often be the case with FOSS, and it’s a tradeoff you have to accept when you’re not paying for something. + +If you don’t want to use something that’s tricky to stand up, you can of course pay for a tool with which you’ll get customer support and all those good things. 
Your first priority should be picking something that fits your company’s needs. + +We also use Grafana’s [Loki](https://grafana.com/oss/loki/) (which is free for self-hosted environments) for certain types of log aggregation. Logging is still a staple for security awareness, so do your research for the best logging and analysis solution. + +The general idea behind having good visibility is to gather as many data points as possible while minimizing ongoing maintenance overhead. Make no mistake, this step is not only crucial, but never-ending. Companies are always standing up and tearing down infrastructure, on- and off-boarding employees, etc. Without visibility and monitoring of these activities, it’s easy to leave something exposed to opportunistic attackers. + +### Understand your dependencies: SBOMs for the win + +If you’re a small, early-stage startup, you’re more likely to get caught in a large-scale, net-casting campaign than in any sophisticated, targeted attacks. That means it’s critical to have awareness of your dependencies, so you can quickly understand if a critical vulnerability affects any part of your software supply chain. When the [Log4Shell vulnerability](https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896) surfaced in December 2021, the companies that were aware of their dependencies were able to mitigate quickly and close the attack window. + +This is where a Software Bill of Materials (SBOM) comes in handy. Your SBOM isn’t just a checkbox exercise for auditing and compliance requirements. We use OWASP’s [Dependency Track](https://dependencytrack.org/) (also free and open source) to ingest our SBOM and help identify parts of the codebase that may be at risk from new vulnerabilities. We also use [Semgrep](https://semgrep.dev/) for code scanning with pattern-based recognition. It’s open source and free to run locally. 
+ +It’s also worth mentioning that if your company’s product is open source, or you have an open core model (a proprietary product built on open source), you may qualify for access to free tooling from GitHub for your open source project: we use [Dependabot](https://github.com/dependabot) for automated dependency updates and [CodeQL](https://codeql.github.com/) for code analysis to identify vulnerable code. + +### Hardening + +Now that you’ve got visibility into your environment, your next step is hardening: reducing or eliminating potential threats. We can group these efforts into two categories: _organizational security_ and _product security_. + +#### Organizational security + +Raise your hand if you’ve worked at a small startup and have seen the following: + +- Shared credentials +- Spreadsheets for IT/People teams to create all logins for new employees on the day they join +- Team members introducing new software/tooling at whim + +It can be a free-for-all at small companies, and while the risk is low at that scale, it can be much harder to introduce more rigorous processes later. The team will be resistant because you’ve added friction where there wasn’t before. + +Ideally, you want to introduce secure-by-default practices into your team and company early on: + +- Multi-factor authentication +- Single sign on +- Just-in-time permissions +- Evaluation of new tooling + +In the case of open source software, you can inspect the code to check how data is being handled, how secure the databases are, what exact kind of data is being transferred, saved, etc. Another team best practice is around vetting the tools and dependencies that the team uses; even if you don’t have time or resources to do a full vet of every new piece of software your coworkers want to use, at least check for certifications. + +Here at Authentik Security, we tackle a lot of risk factors with one shot: [authentik](https://goauthentik.io/). 
By using SSO, we can ensure every new employee has the correct credentials for accessing the appropriate workplace apps, and that every departing employee immediately has access revoked with one click. We can also quarantine suspect users, essentially cutting off access to all systems quickly. Ironically, one of the most common initial access points is ex-employee credentials. + +These all contribute to ‘defense in depth’—adding layers of security and complications to make it as hard or annoying as possible for attackers to get around. These practices typically cost $0 to implement and will set you up for good security posture as you grow. + +#### Product security + +This layer is really anything to do with securing the actual product you’re building (not your company). This typically means getting third-party penetration testing (if you don’t have a dedicated Red Team—more on this below) and remediating vulnerabilities you’ve surfaced through your monitoring and dependency tracking efforts. + +## Red Team efforts + +As we mentioned above, the Red Team is offensive, meaning they attack the company (physically or remotely) to poke holes in your own defenses before the real bad actors can. + +### Internal penetration testing + +Now that we have implemented monitoring, and hardened a few things, it’s time to test how well we did. This is where we take the attacker’s point of view to try to break in and test our own controls over our systems, to expose weaknesses. Just recently we discovered that Authentik had a bunch of domains that we’d left open, unmonitored. It’s a constant, iterative loop of unearthing holes via your internal penetration testing (also called pentesting or white box testing) and finding ways to plug them. + +There are a lot of tools to choose from here (everyone likes breaking into things!). You’re never done choosing your stack—the threat landscape evolves constantly and so does the tooling to keep up with it. 
You’ll want to pay attention to new developments by keeping an eye on discussions on Twitter, Reddit, Hacker News, etc. When a new way to attack something develops (and it always will), someone will go create the special automation tooling to address that threat. (Then your attackers are going to go grab that tool and see if they can hack their way in. It’s a constant wheel.) + +At Authentik we use the [Kali Linux](https://www.kali.org/) distribution, which has a host of hacking tools on it, for penetration testing. It’s well known within the security world and is open source and free to use. + +Testing can be a tough one for small startups, because you likely won’t have a dedicated Red Team and commercial pentesting doesn’t come cheap. If you can save on your tooling though, that can help to free up resources for contracting out this type of work. The main goal you’re after is trying to identify the low-hanging fruit that inexperienced actors may exploit. + +### A note on insider threats + +[Okta has been in the news](https://goauthentik.io/blog/2023-10-23-another-okta-breach) (again!) after its second major breach in two years. A team member [unknowingly uploaded a file containing sensitive information to Okta’s support management system](https://www.crn.com/news/security/okta-faces-potential-for-reputational-risk-after-second-major-breach-in-two-years-analysts), highlighting the risk of insider threats. + +Your employees are a risk factor—whether through malice, ignorance, or carelessness. It’s not unheard of for someone to accidentally save a password publicly to the company’s cloud. It can be an honest mistake, but it’s very-low hanging fruit for a bad actor just watching your cloud assets. + +With the rise of Ransomware as a Service, there’s also always the possibility that a disgruntled employee can act as an initial access broker: either accidentally or purposefully giving their credentials or their access to someone else. 
It’s obviously not possible to prevent all possible compromises, so it’s important that your tooling is set up to alert you to unusual activity and your processes are in place so you can react quickly. + +## Do you really need certifications? + +Apart from using security certifications like ISO/IEC 27001 and SOC 2 to evaluate vendors that make the software you are using, certifications can vouch for your organizational security, which might be important to your customers, depending on what your product does and who your customers are. + +For us at Authentik Security, [our source code](https://github.com/goauthentik/authentik) is available for inspection, but that doesn’t tell people anything about how we handle emails, payment information, and so on. That’s where a third-party certification comes in: an auditor verifies your security practices, which in turn signals to your customers that you can be trusted. + +Certifications can be expensive though, and as a cash-strapped startup, you may not want or be able to invest in a certification. However there’s nothing stopping you from ingraining some of those good security practices in your company’s culture anyway. That way, you’re already building a strong security posture and when the time comes, you’re not rushing to implement processes that feel unnatural to the team. + +Again, it comes back to getting off on the right foot so that you’re not spending 10-20x the amount of money later in people time and resources to course correct later. + +## Security doesn’t have to be a big-company luxury + +People imagine that large corporations have security all figured out, but a large security department doesn’t guarantee that they have any idea what other teams are doing. As a small company, you do have one thing going for you: it’s much easier to have eyes on everything that’s happening. You’re more tightly knit and you can encompass more with fewer resources. 
+ +If you talk to a lot of security people, their happy place is when no one is doing anything. Then your job’s pretty easy. Unfortunately, if you want your company to succeed, you need your developers to develop, your salespeople to talk to prospects, your CEO to meet with whomever they need to meet with. These are standard operations that all put the company at risk, but it’s your job to mitigate that risk the best you can. + +Our security engineer likes to say they work alongside teams, not blocking them. If security says it’s their job to make sure there are no vulnerabilities, and it’s the development team’s job to make new features, how do you get these two sides to work together? + +Realistically, everything has vulnerabilities. You’re never going to have a completely safe, locked-down environment. So, you partner with other teams and find a compromise. Establish a minimum threshold people have to meet to keep going. If you’re too inflexible, those teams won’t want to work with you and they won’t tell you when they’re making new virtual machines or writing new code. + +## Repercussions + +You don’t need to be a security company for these things to matter. This advice applies no matter what type of product you’re building. + +[Some 422 million individuals were impacted by data compromises in 2022](https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/). As consumers we have almost become numb to news of new breaches. A company gets breached, they offer some sort of credit protection, cyber insurance might go up a bit, but life goes on. + +If you’re still not motivated to invest in your security posture (or trying to win over teammates who prioritize feature shipping over everything), consider the [case of SolarWinds](https://www.sec.gov/news/press-release/2023-227). The company appears to have exaggerated their internal security posture, leading to an indictment from the SEC. 
+ +So not only is security important, it could actually keep you out of jail. + +_What’s in your security stack? Let us know in the comments, or send us an email at hello@goauthentik.io!_ From f910150ec8474fd8f9e1caf4503248ab4fb6bf75 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 14:12:59 -0600 Subject: [PATCH 05/15] renamed with new title --- .../2023-11-22-how-we-saved-over-100k/item.md | 153 ------------------ 1 file changed, 153 deletions(-) delete mode 100644 website/blog/2023-11-22-how-we-saved-over-100k/item.md diff --git a/website/blog/2023-11-22-how-we-saved-over-100k/item.md b/website/blog/2023-11-22-how-we-saved-over-100k/item.md deleted file mode 100644 index d19b82cc0259..000000000000 --- a/website/blog/2023-11-22-how-we-saved-over-100k/item.md +++ /dev/null 
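Review bot: in the new `item.md` added by PATCH 04/15, the visibility section expands SIEM as "Security Information Event Monitoring"; the standard expansion is "Security Information and Event Management", which is also how the Wazuh page linked two paragraphs later describes itself, so the parenthetical should be corrected. Two more points in the same hunk: the internal penetration testing paragraph says "(also called pentesting or white box testing)", but white box and black box describe how much the tester knows about the system, not whether the testing is internal, so "also called pentesting" should stand on its own; and the Repercussions section describes "an indictment from the SEC", whereas the linked press release (sec.gov/news/press-release/2023-227) is a civil enforcement action, since indictments come from a grand jury in criminal cases, so "charges from the SEC" is the accurate wording and the closing "keep you out of jail" line should be softened to match. Finally, the frontmatter keeps `slug: 2023-11-22-how-we-saved-over-100k` while the directory and title now say "building-an-oss-security-stack"; keeping the old slug preserves the URL, which is fine if intentional, but it is worth confirming in the commit message.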
@@ -1,153 +0,0 @@ ---- -title: How we saved over $100k when we built our security stack -description: “You don’t have to spend a lot developing a good security posture from the beginning. Here’s how we built Authentik Security’s stack with mostly free and open source tools.” -slug: 2023-11-22-how-we-saved-over-100k -authors: - - name: Jens Langhammer - title: CTO at Authentik Security Inc - url: https://github.com/BeryJu - image_url: https://github.com/BeryJu.png -tags: - - authentik - - FOSS - - security budget - - security stack - - Red Team - - Blue Team - - SBOM - - hardening - - penetration testing - - monitoring - - SSO - - insider threats - - certifications - - security - - identity provider - - authentication -hide_table_of_contents: false ---- - -> **_authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a [public benefit company](https://github.com/OpenCoreVentures/ocv-public-benefit-company/blob/main/ocv-public-benefit-company-charter.md) building on top of the open source project._** - ---- - -There was an article recently about nearly 20 well-known startups’ first 10 hires—security engineers didn’t feature at all. Our third hire at Authentik Security was a security engineer so we might be biased, but even startups without the resources for a full-time security hire should have someone on your founding team wearing the security hat, so you get started on the right foot. - -As security departments are cost centers (not revenue generators) it’s not unusual for startups to take a tightwad mentality with security. The good news is that you don’t need a big budget to have a good security posture. There are plenty of free and open source tools at your disposal, and a lot of what makes good security is actually organizational practices—many of which don’t cost a thing to implement. 
- -> We estimate that using mostly non-commercial security tools saves us approximately $100,000 annually, and the end-result is a robust stack of security tools and processes. - -Here’s how we built out our security stack and processes using mostly free and open source software (FOSS). - - - -## Blue Team efforts - -Security efforts can mostly be grouped into two categories: Blue Team and Red Team. Your Blue Team is defensive, meaning guarding against potential attacks. The Red Team is offensive, actively seeking for weaknesses and potential vulnerabilities. Startups with scant resources should focus on Blue activities first. - -### Visibility: Do you know what is happening in your environment? - -The first step is to get eyes into your environment through SIEM (Security Information Event Monitoring). A security person’s worst nightmare is things happening without them knowing about it. You can’t react to an attack that you don’t know is happening! You need a tool that monitors your team’s device logs and flags suspicious activity. - -We’re an all-remote and globally distributed team, which makes monitoring both harder and more important; team members can log in from anywhere, at any time, and we don’t have a central headquarters to house a secure server for backups, for example. We needed something that’s available worldwide and compatible with our endpoint device architectures, cloud infrastructure, and SaaS solutions. - -We settled on [Wazuh](https://wazuh.com/platform/siem/), which has been around for a long time, is open source and well supported. We’ll acknowledge that it is a bit harder to deploy than some other, proprietary solutions. This can often be the case with FOSS, and it’s a tradeoff you have to accept when you’re not paying for something. - -If you don’t want to use something that’s tricky to stand up, you can of course pay for a tool with which you’ll get customer support and all those good things. 
Your first priority should be picking something that fits your company’s needs. - -We also use Grafana’s [Loki](https://grafana.com/oss/loki/) (which is free for self-hosted environments) for certain types of log aggregation. Logging is still a staple for security awareness, so do your research for the best logging and analysis solution. - -The general idea behind having good visibility is to gather as many data points as possible while minimizing ongoing maintenance overhead. Make no mistake, this step is not only crucial, but never-ending. Companies are always standing up and tearing down infrastructure, on- and off-boarding employees, etc. Without visibility and monitoring of these activities, it’s easy to leave something exposed to opportunistic attackers. - -### Understand your dependencies: SBOMs for the win - -If you’re a small, early-stage startup, you’re more likely to get caught in a large-scale, net-casting campaign than in any sophisticated, targeted attacks. That means it’s critical to have awareness of your dependencies, so you can quickly understand if a critical vulnerability affects any part of your software supply chain. When the [Log4Shell vulnerability](https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896) surfaced in December 2021, the companies that were aware of their dependencies were able to mitigate quickly and close the attack window. - -This is where a Software Bill of Materials (SBOM) comes in handy. Your SBOM isn’t just a checkbox exercise for auditing and compliance requirements. We use OWASP’s [Dependency Track](https://dependencytrack.org/) (also free and open source) to ingest our SBOM and help identify parts of the codebase that may be at risk from new vulnerabilities. We also use [Semgrep](https://semgrep.dev/) for code scanning with pattern-based recognition. It’s open source and free to run locally. 
- -It’s also worth mentioning that if your company’s product is open source, or you have an open core model (a proprietary product built on open source), you may qualify for access to free tooling from GitHub for your open source project: we use [Dependabot](https://github.com/dependabot) for automated dependency updates and [CodeQL](https://codeql.github.com/) for code analysis to identify vulnerable code. - -### Hardening - -Now that you’ve got visibility into your environment, your next step is hardening: reducing or eliminating potential threats. We can group these efforts into two categories: _organizational security_ and _product security_. - -#### Organizational security - -Raise your hand if you’ve worked at a small startup and have seen the following: - -- Shared credentials -- Spreadsheets for IT/People teams to create all logins for new employees on the day they join -- Team members introducing new software/tooling at whim - -It can be a free-for-all at small companies, and while the risk is low at that scale, it can be much harder to introduce more rigorous processes later. The team will be resistant because you’ve added friction where there wasn’t before. - -Ideally, you want to introduce secure-by-default practices into your team and company early on: - -- Multi-factor authentication -- Single sign on -- Just-in-time permissions -- Evaluation of new tooling - -In the case of open source software, you can inspect the code to check how data is being handled, how secure the databases are, what exact kind of data is being transferred, saved, etc. Another team best practice is around vetting the tools and dependencies that the team uses; even if you don’t have time or resources to do a full vet of every new piece of software your coworkers want to use, at least check for certifications. - -Here at Authentik Security, we tackle a lot of risk factors with one shot: [authentik](https://goauthentik.io/). 
By using SSO, we can ensure every new employee has the correct credentials for accessing the appropriate workplace apps, and that every departing employee immediately has access revoked with one click. We can also quarantine suspect users, essentially cutting off access to all systems quickly. Ironically, one of the most common initial access points is ex-employee credentials. - -These all contribute to ‘defense in depth’—adding layers of security and complications to make it as hard or annoying as possible for attackers to get around. These practices typically cost $0 to implement and will set you up for good security posture as you grow. - -#### Product security - -This layer is really anything to do with securing the actual product you’re building (not your company). This typically means getting third-party penetration testing (if you don’t have a dedicated Red Team—more on this below) and remediating vulnerabilities you’ve surfaced through your monitoring and dependency tracking efforts. - -## Red Team efforts - -As we mentioned above, the Red Team is offensive, meaning they attack the company (physically or remotely) to poke holes in your own defenses before the real bad actors can. - -### Internal penetration testing - -Now that we have implemented monitoring, and hardened a few things, it’s time to test how well we did. This is where we take the attacker’s point of view to try to break in and test our own controls over our systems, to expose weaknesses. Just recently we discovered that Authentik had a bunch of domains that we’d left open, unmonitored. It’s a constant, iterative loop of unearthing holes via your internal penetration testing (also called pentesting or white box testing) and finding ways to plug them. - -There are a lot of tools to choose from here (everyone likes breaking into things!). You’re never done choosing your stack—the threat landscape evolves constantly and so does the tooling to keep up with it. 
You’ll want to pay attention to new developments by keeping an eye on discussions on Twitter, Reddit, Hacker News, etc. When a new way to attack something develops (and it always will), someone will go create the special automation tooling to address that threat. (Then your attackers are going to go grab that tool and see if they can hack their way in. It’s a constant wheel.) - -At Authentik we use the [Kali Linux](https://www.kali.org/) distribution, which has a host of hacking tools on it, for penetration testing. It’s well known within the security world and is open source and free to use. - -Testing can be a tough one for small startups, because you likely won’t have a dedicated Red Team and commercial pentesting doesn’t come cheap. If you can save on your tooling though, that can help to free up resources for contracting out this type of work. The main goal you’re after is trying to identify the low-hanging fruit that inexperienced actors may exploit. - -### A note on insider threats - -[Okta has been in the news](https://goauthentik.io/blog/2023-10-23-another-okta-breach) (again!) after its second major breach in two years. A team member [unknowingly uploaded a file containing sensitive information to Okta’s support management system](https://www.crn.com/news/security/okta-faces-potential-for-reputational-risk-after-second-major-breach-in-two-years-analysts), highlighting the risk of insider threats. - -Your employees are a risk factor—whether through malice, ignorance, or carelessness. It’s not unheard of for someone to accidentally save a password publicly to the company’s cloud. It can be an honest mistake, but it’s very-low hanging fruit for a bad actor just watching your cloud assets. - -With the rise of Ransomware as a Service, there’s also always the possibility that a disgruntled employee can act as an initial access broker: either accidentally or purposefully giving their credentials or their access to someone else. 
It’s obviously not possible to prevent all possible compromises, so it’s important that your tooling is set up to alert you to unusual activity and your processes are in place so you can react quickly. - -## Do you really need certifications? - -Apart from using security certifications like ISO/IEC 27001 and SOC 2 to evaluate vendors that make the software you are using, certifications can vouch for your organizational security, which might be important to your customers, depending on what your product does and who your customers are. - -For us at Authentik Security, [our source code](https://github.com/goauthentik/authentik) is available for inspection, but that doesn’t tell people anything about how we handle emails, payment information, and so on. That’s where a third-party certification comes in: an auditor verifies your security practices, which in turn signals to your customers that you can be trusted. - -Certifications can be expensive though, and as a cash-strapped startup, you may not want or be able to invest in a certification. However there’s nothing stopping you from ingraining some of those good security practices in your company’s culture anyway. That way, you’re already building a strong security posture and when the time comes, you’re not rushing to implement processes that feel unnatural to the team. - -Again, it comes back to getting off on the right foot so that you’re not spending 10-20x the amount of money later in people time and resources to course correct later. - -## Security doesn’t have to be a big-company luxury - -People imagine that large corporations have security all figured out, but a large security department doesn’t guarantee that they have any idea what other teams are doing. As a small company, you do have one thing going for you: it’s much easier to have eyes on everything that’s happening. You’re more tightly knit and you can encompass more with fewer resources. 
- -If you talk to a lot of security people, their happy place is when no one is doing anything. Then your job’s pretty easy. Unfortunately, if you want your company to succeed, you need your developers to develop, your salespeople to talk to prospects, your CEO to meet with whomever they need to meet with. These are standard operations that all put the company at risk, but it’s your job to mitigate that risk the best you can. - -Our security engineer likes to say they work alongside teams, not blocking them. If security says it’s their job to make sure there are no vulnerabilities, and it’s the development team’s job to make new features, how do you get these two sides to work together? - -Realistically, everything has vulnerabilities. You’re never going to have a completely safe, locked-down environment. So, you partner with other teams and find a compromise. Establish a minimum threshold people have to meet to keep going. If you’re too inflexible, those teams won’t want to work with you and they won’t tell you when they’re making new virtual machines or writing new code. - -## Repercussions - -You don’t need to be a security company for these things to matter. This advice applies no matter what type of product you’re building. - -[Some 422 million individuals were impacted by data compromises in 2022](https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/). As consumers we have almost become numb to news of new breaches. A company gets breached, they offer some sort of credit protection, cyber insurance might go up a bit, but life goes on. - -If you’re still not motivated to invest in your security posture (or trying to win over teammates who prioritize feature shipping over everything), consider the [case of SolarWinds](https://www.sec.gov/news/press-release/2023-227). The company appears to have exaggerated their internal security posture, leading to an indictment from the SEC. 
- -So not only is security important, it could actually keep you out of jail. - -_What’s in your security stack? Let us know in the comments, or send us an email at hello@goauthentik.io!_ From c0935a11eaaa65b97066b8448c7f9a96f1cef046 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 14:31:43 -0600 Subject: [PATCH 06/15] change author --- .../blog/2023-11-22-building-an-oss-security-stack/item.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/item.md b/website/blog/2023-11-22-building-an-oss-security-stack/item.md index 11bee7ae5c2d..7b093aa5305d 100644 --- a/website/blog/2023-11-22-building-an-oss-security-stack/item.md +++ b/website/blog/2023-11-22-building-an-oss-security-stack/item.md @@ -3,10 +3,9 @@ title: Building an OSS security stack with Loki, Wazuh, and CodeQL to save $100k description: “You don’t have to spend a lot developing a good security posture from the beginning. Here’s how we built Authentik Security’s stack with mostly free and open source tools.” slug: 2023-11-22-how-we-saved-over-100k authors: - - name: Jens Langhammer - title: CTO at Authentik Security Inc - url: https://github.com/BeryJu - image_url: https://github.com/BeryJu.png + - name: authentik Security Team + url: https://goauthentik.io +# image_url: https://github.com/goauthentik/authentik/main/website/static/img/icon.png tags: - authentik - FOSS From f36ebcd4d8de3dfb204580f0a9241cedab1b4232 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 14:39:55 -0600 Subject: [PATCH 07/15] add icon --- website/blog/2023-11-22-building-an-oss-security-stack/item.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/item.md b/website/blog/2023-11-22-building-an-oss-security-stack/item.md index 7b093aa5305d..8fa349272fa5 100644 --- a/website/blog/2023-11-22-building-an-oss-security-stack/item.md 
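Review bot: PATCH 05/15 deletes the 153-line `website/blog/2023-11-22-how-we-saved-over-100k/item.md` that PATCH 04/15 recreated under `2023-11-22-building-an-oss-security-stack/`, so the rename is split across two commits and git will not record it as a rename; the two copies differ only in the `title:` line, so a single commit made with `git mv` (or squashing 04 and 05) would keep `git log --follow` working for the post. Nothing else in the deleted copy is lost, since the "your company" and "get started on the right foot" wording from the earlier tweaks is already present in the new file.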
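Review bot: the commented-out `# image_url: https://github.com/goauthentik/authentik/main/website/static/img/icon.png` in the authors block of PATCH 06/15 would not resolve even if uncommented, because a GitHub file URL needs a `blob/` or `raw/` segment between the repository and the branch name, and the blog's author avatar field needs a URL that serves the image bytes directly. Either point it at a path the site serves or drop the line rather than leaving a dead comment in the frontmatter. Switching the author from an individual to "authentik Security Team" with `url: https://goauthentik.io` is fine for a team byline.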
+++ b/website/blog/2023-11-22-building-an-oss-security-stack/item.md @@ -5,7 +5,7 @@ slug: 2023-11-22-how-we-saved-over-100k authors: - name: authentik Security Team url: https://goauthentik.io -# image_url: https://github.com/goauthentik/authentik/main/website/static/img/icon.png +# image_url: https://goauthentik.io/img/icon.png tags: - authentik - FOSS From 010aee49107560193142a2d2f94999d369aef195 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 14:41:54 -0600 Subject: [PATCH 08/15] add icon again --- website/blog/2023-11-22-building-an-oss-security-stack/item.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/item.md b/website/blog/2023-11-22-building-an-oss-security-stack/item.md index 8fa349272fa5..b3f64cc3ff48 100644 --- a/website/blog/2023-11-22-building-an-oss-security-stack/item.md +++ b/website/blog/2023-11-22-building-an-oss-security-stack/item.md @@ -5,7 +5,7 @@ slug: 2023-11-22-how-we-saved-over-100k authors: - name: authentik Security Team url: https://goauthentik.io -# image_url: https://goauthentik.io/img/icon.png + image_url: https://goauthentik.io/img/icon.png tags: - authentik - FOSS From 486a4e6a605ca884192f374a220125fd05376f98 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 15:14:05 -0600 Subject: [PATCH 09/15] add iamge --- website/blog/2023-11-22-building-an-oss-security-stack/item.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/item.md b/website/blog/2023-11-22-building-an-oss-security-stack/item.md index b3f64cc3ff48..1362a53419c5 100644 --- a/website/blog/2023-11-22-building-an-oss-security-stack/item.md +++ b/website/blog/2023-11-22-building-an-oss-security-stack/item.md 
@@ -5,7 +5,7 @@ slug: 2023-11-22-how-we-saved-over-100k authors: - name: authentik Security Team url: https://goauthentik.io - image_url: https://goauthentik.io/img/icon.png + image_url: ./Rectangle 18.png tags: - authentik - FOSS From b9efca0a9a767e403a89be7d1f4aae6adbe69e95 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 15:16:12 -0600 Subject: [PATCH 10/15] image fights --- .../icon.png | Bin 0 -> 2050 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 website/blog/2023-11-22-building-an-oss-security-stack/icon.png diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/icon.png b/website/blog/2023-11-22-building-an-oss-security-stack/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..d738c33cce363dca7417732012596c75e42b12de GIT binary patch literal 2050
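Review bot: in the PATCH 09/15 hunk, `+ image_url: ./Rectangle 18.png` references a file the commit does not add (its diffstat lists only `item.md`, 1 insertion and 1 deletion), so the frontmatter points at a missing asset until PATCH 10/15 creates `icon.png`; the space in the filename is also fragile in URLs. Consider adding the image in the same commit under a space-free name, e.g. `image_url: ./icon.png`, or squashing PATCH 09 through 11 into one commit so no intermediate commit breaks the build.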
From 550b4b5a725b3666def11628449ee77745caaca3 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 15:16:49 -0600 Subject: [PATCH 11/15] change frontmatter --- website/blog/2023-11-22-building-an-oss-security-stack/item.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/item.md b/website/blog/2023-11-22-building-an-oss-security-stack/item.md index 1362a53419c5..c14397acb3fa 100644 --- a/website/blog/2023-11-22-building-an-oss-security-stack/item.md +++ b/website/blog/2023-11-22-building-an-oss-security-stack/item.md @@ -5,7 +5,7 @@ slug: 2023-11-22-how-we-saved-over-100k authors: - name: authentik Security Team url: https://goauthentik.io - image_url: ./Rectangle 18.png + image_url: ./icon.png tags: - authentik - FOSS From f0fc4efff62350981280e97ab810ffb09c99bd37 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 15:27:46 -0600 Subject: [PATCH 12/15] remove image --- .../icon.png | Bin 2050 -> 1763 bytes .../item.md | 3 +-- 2 files changed, 1 insertion(+), 2 deletions(-) 
diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/icon.png b/website/blog/2023-11-22-building-an-oss-security-stack/icon.png index d738c33cce363dca7417732012596c75e42b12de..1b9bc9197d83c90ef7e42bf360f80f0ccfb51932 100644 GIT binary patch delta 1733
delta 2022
Date: Tue, 21 Nov 2023 21:29:11 +0000 Subject: [PATCH 13/15] Optimised images with calibre/image-actions --- .../icon.png | Bin 1763 -> 1266 bytes 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/icon.png b/website/blog/2023-11-22-building-an-oss-security-stack/icon.png index 1b9bc9197d83c90ef7e42bf360f80f0ccfb51932..e55ee9ebf768e860eb2d57dc7e3f89a1084f4c6c 100644 GIT binary patch delta 1226
delta 1727
From 9d70d28d8659d44133b24744c847425a9452eae6 Mon Sep 17 00:00:00 2001 From: Tana Berry Date: Tue, 21 Nov 2023 15:32:45 -0600 Subject: [PATCH 14/15] tweaks --- website/blog/2023-11-22-building-an-oss-security-stack/item.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/item.md b/website/blog/2023-11-22-building-an-oss-security-stack/item.md index 884cfffa3ddc..edbb338eaab1 100644 --- a/website/blog/2023-11-22-building-an-oss-security-stack/item.md +++ b/website/blog/2023-11-22-building-an-oss-security-stack/item.md
@@ -3,7 +3,7 @@ title: Building an OSS security stack with Loki, Wazuh, and CodeQL to save $100k description: “You don’t have to spend a lot developing a good security posture from the beginning. Here’s how we built Authentik Security’s stack with mostly free and open source tools.” slug: 2023-11-22-how-we-saved-over-100k authors: - - name: authentik Security Team + - name: authentik Security Team url: https://goauthentik.io tags: - authentik From 0769501c2db19ed4eda31de22a4da3727f64a8af Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Tue, 21 Nov 2023 23:29:02 +0100 Subject: [PATCH 15/15] fix icon Signed-off-by: Jens Langhammer --- .../icon.png | Bin 1266 -> 7670 bytes .../item.md | 1 + 2 files changed, 1 insertion(+) 
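Review bot: the PATCH 14/15 hunk's `-`/`+` pair for `- name: authentik Security Team` is textually identical, so the change is invisible here (trailing whitespace or a look-alike non-ASCII character such as a non-breaking space); the commit message `tweaks` should say what was changed so a reviewer can verify it, and `git diff --ws-error-highlight=all` or `cat -A` on the line would confirm the exact byte difference. The hunk's context also shows `slug: 2023-11-22-how-we-saved-over-100k` while the title is now `Building an OSS security stack with Loki, Wazuh, and CodeQL to save $100k` and the directory is `2023-11-22-building-an-oss-security-stack`; consider aligning the slug with the new title so the published URL matches the post.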
diff --git a/website/blog/2023-11-22-building-an-oss-security-stack/icon.png b/website/blog/2023-11-22-building-an-oss-security-stack/icon.png index e55ee9ebf768e860eb2d57dc7e3f89a1084f4c6c..94aa045e835121e163e43eea4f14801188c5f793 100644 GIT binary patch literal 7670
delta 1261