Apple announces a bounty program while AWS announced a bunch of new and interesting features.
Apple’s bounty program
After a long time of barely (and grudgingly) acknowledging vulnerability reports, Apple announced at the latest Blackhat conference that they’ve finally instigated a bounty program. What this means is that when security researchers come across a vulnerability in Apple’s software, they can report this to Apple in exchange for a monetary compensation. While almost every other major IT company already had these, Apple resisted it until now.
Currently there is only a small list of researchers for whom this actually counts, but that list is supposed to grow in the future. Similarly, the areas that Apple is willing to pay for (currently limited to iOS and iCloud) will also expand. The amounts paid out range up to $200.000, with Apple saying that if the researcher donates it to charity they will match that donation.
As always with these things however, there is more money to be made from 3rd parties. These companies claim they will use anything they pay for responsibly, but as there are only two ways to use vulnerabilities (patch or exploit) and they’re not in the business of patching I’m sure you can decide for yourself whether that’s true or not.
Application Load Balancer
AWS held their New York summit last week, and they had a number of interesting new announcements for it. I’m not going through all of them, but there are a couple that jumped out to me. First of these is their new Application Load Balancer or ALB.
The ALB has some interesting improvements over the traditional ELB, and as the name implies it’s focused more on handling the load for applications than simply servers. This means that while it might not be suitable for everyone, if you do have more complex applications or even microservices it will bring benefits.
So, what’s so special about it? First of, it introduces content-based routing. Instead of simply passing along every call, the ALB looks at the HTTP(S) headers and allows you to send different URLs to different servers. This means that you can have different servers handle different functionalities of your application, but all using the same load balancer. There is currently a limit of 10 different routes per ALB, but there’s a good chance this will already allow you to make some improvements in your architecture.
The next big change is that the ALB comes with full support for containers. By which I mean that not only will it allow you to more easily handle multiple ports on your servers, but it also allows you to run health checks on a per container basis. So no longer are you limited to just a single health check per server. As a side effect of all of this, it also allows you to get metrics for each container and the metrics have improved. Some details on how all of this works with ECS are detailed by AWS in a separate article.
Lastly, the ALB comes with support for Websockets and HTTP/2. These were definitely missing in traditional ELBs and will probably be a major reason for people to switch.
Transit VPC
Another interesting new addition to the AWS tool chain is the Transit VPC. This is a special type of VPC that allows you to connect other VPCs, regardless of whether they’re in other regions of even other accounts. What makes this different and useful is that it therefore allows you to create private networks that span multiple regions/accounts while still making use of a single connection to your office. So instead of setting up a private connection to each VPC in each region, you can instead use this to have a single connection and from there easily access everything else (obviously dependent on your credentials).
S3 IPv6 support
S3 buckets now have the option to support IPv6 addresses. This is a good step, but before you celebrate keep in mind that it’s still quite limited. First of all, it’s only S3 that supports it. If you use Cloudfront to access your S3 assets, you are still limited to IPv4. And that doesn’t even mention other AWS services such as the ELB/ALBs, which don’t support it either. Similarly, it isn’t supported for features like website hosting, BitTorrent access, or the accelerated access that was introduced several months ago.
That still leaves plenty of use cases though, so it’s definitely useful. Of course, the most important thing to remember here is to update your bucket and IAM profiles with IPv6 addresses so you don’t accidentally allow people access that shouldn’t have it or deny access to people that should.