Hello,
Reading this on the inter webs got me thinking… does Fly have a similar stance on security?
There was also a recent introduction of public ports free-for-all (sure, I’m not calling it the right thing).
It would be cool to not do the same and instead, when deploying an org, ask something like, “Psst, do you want me to scan your org periodically for open ports so you can confirm they’re as expected?”
Showing this* in a page in the dashboard will also be welcomed, I’m sure.
*this = ports visible within the org & also public ports.
EDIT-ing in the most important part:
Ports visible & what protocol is on that port.
The cost of such scans (which may be delegated to a competent product perhaps) could be passed down to the customer. “Gimme $5/mo then.”
May not be required for Fly if it wants to focus on small-ish or non-enterprise deployments.
Trigger warning, sorry, I’m sure I may not be using the most appropriate/polite words when speaking of org goals.
Enterprise readiness will be a whole new set of things to address.
On the same topic, are you folks at Fly open to infra suggestions/conversations from/with the community or is this an employees-only thing?
Understandable if it’s the latter as y’all shouldn’t divulge too much about the beast, etc.
In an email conversation with AWS, they claimed it was the company’s
responsibility to configure and secure their asset, and that they
are not actively searching for this misconfiguration. This makes sense,
yet I found this surprisingly easy, & they can solve it without much effort.
I have done it on my own, pretty well, in my spare time.
https://aws.amazon.com/compliance/shared-responsibility-model/