User authentication and session management with Amazon Aurora DSQL

Vercel Flags no longer requires SDK Keys for Vercel deployments

Vercel Flags giờ đây tự động xác thực thông qua OIDC tokens ngắn hạn mà không cần SDK Keys hay biến môi trường FLAGS cho các triển khai trên Vercel. Chỉ cần vercel link và vercel env pull là đủ cho phát triển local, trong khi các dự án cũ vẫn giữ nguyên yêu cầu SDK Keys cho các trường hợp đặc biệt.

Lập trình viên cần đọc bài này để hiểu cách tối ưu hóa quản lý tính năng động (flags) trong dự án Vercel mới nhất, giảm thiểu rủi ro về bảo mật khi sử dụng SDK Keys và khám phá giải pháp tự động hóa cho phát triển và triển khai.

Cryptographic Failures in Authentication and Session Management

Cryptographic failures in authentication and session management are among the most critical web application security risks. Common mistakes include using outdated password hashing algorithms (MD5, SHA-1) instead of bcrypt/Argon2/scrypt, missing or weak salts, insecure encryption modes like ECB, hardcoded secret keys, weak or predictable session tokens, JWT misconfigurations (e.g., accepting alg:none), improper session invalidation, and IV reuse. A practical security checklist covers both authentication and session management controls, including enforcing TLS 1.3, using AES-GCM, setting cookie flags (Secure, HttpOnly, SameSite=Strict), and rotating signing keys regularly.

Microsoft 365 Hardening and Huntress Managed ISPM

Huntress analyzed over 12,000 Microsoft 365 tenants and found more than 60% were missing at least half of recommended security controls. Key gaps included missing MFA configurations (66%), standard users with admin-level access (55%), and insufficiently restricted admin accounts (59%). A live demo showed how a standard user account could be escalated to Global Admin in under six minutes using no novel exploits. The root causes are fear of user disruption, exception accumulation, and configuration drift going undetected. Huntress Managed ISPM addresses this by owning the hardening framework, providing a Learning Mode for safe Conditional Access rollouts, automated deployment waves, and continuous drift remediation in minutes rather than 24-hour scan cycles. The product integrates with their ITDR SOC so active threat findings feed back into closing the specific gaps that enabled each attack.

UNC1151 Ghostwriter Hackers Target Belarusian Politician in Gmail Phishing Campaign

The UNC1151 (Ghostwriter) threat group ran a targeted phishing campaign against Belarusian pro-democracy politician Yury Hubarevich using a fake Google account-security warning in Russian. The attack chain used a compromised Ukrainian site to redirect victims to a fake Gmail login page that employed a real-time WebSocket connection to capture credentials and MFA codes, effectively bypassing SMS-based and OTP multi-factor authentication. Researchers at Censys traced the campaign through certificate artifacts and infrastructure pivoting to a broader phishing network targeting users in Belarus and Ukraine, including users of regional portals. Key takeaways for security teams include prioritizing phishing-resistant MFA (hardware keys/passkeys) for high-risk users, training users to verify account warnings via official channels rather than email links, and monitoring certificate reuse and domain naming patterns to uncover related phishing infrastructure.

Fully Automated AI Inference on AWS, Azure, and Google Cloud with Pulumi

A step-by-step guide to deploying a zero-touch Ollama GPU inference server on AWS, Azure, and Google Cloud using Pulumi IaC. The setup uses a shared cloud-init script to install NVIDIA drivers, run Ollama, and pull a model automatically after a single pulumi up. Credentials are handled via Pulumi ESC with OIDC, eliminating static cloud keys across all three providers. The post also contrasts this approach with a Terraform/Akamai equivalent, noting that a runtime readiness check is not infrastructure and should not be modeled as a resource. Cost estimates, security considerations, and extension ideas are included.

Kong Konnect Has Two Front Doors and Neither One Is the One I Want

An exploration of Kong Konnect's two API authentication surfaces — the platform admin API (using personal access tokens) and the Dev Portal developer API (using portalaccesstokens) — and why neither enables fully automated, agent-first onboarding. The author benchmarks Kong against SoundCloud's programmatic onboarding flow and finds Kong lands in a 'paste a token' bucket: the first credential still requires a human clicking through a UI. A complete Node.js script is provided that automates everything after that bootstrap step, supporting both admin listing and developer application registration with Key-Auth or OIDC/DCR credentials. The post closes with a call for Kong to publish a stable, documented public developer portal API that lets agents onboard end-to-end without manual console interaction.

Okta: Integration with Google Workspaces, Part 1 — Provisioning

Hướng dẫn từng bước tích hợp Okta với Google Workspace qua giao thức SCIM, bao gồm cấu hình xác thực API, quyền OAuth, đồng bộ hai chiều, quản lý mật khẩu và xác minh hoạt động người dùng.

Lập trình viên nên đọc bài này để hiểu cách tự động hóa và an toàn hóa việc quản lý người dùng giữa Google Workspace và Okta bằng SCIM, giúp tiết kiệm thời gian và tránh rủi ro khi xử lý thủ công.