
🔑👨‍🏭 Provide secure IT tools

Picture this. You’re an Engineer working on BAU: debugging apps, tweaking databases, and you come across a Base64 string.

A quick search finds you a Base64 decoder website, which you use, unveiling a secret contained within. But on examining the secret you decide it is not relevant and return to debugging.

What just happened might be okay. But did it cross your mind whether the decode took place inside your browser or remotely? Was it saved to a database or written to logs? What happens if the site ever suffers a security breach? Or maybe what you actually just used was a phishing site.

Online utility sites are commonly used in organizations because, well, convenience. I am not suggesting they are malicious; it’s just hard to discern whether they’re genuine.

Devs, engineers and infra teams often use them for a long list of utility functions: encoding, hashing, parsing, validation, prettifying, transforming. The data sent back to those servers can contain sensitive information like security tokens, passwords and customer PII. It’s crucial that it stays within the confines of your organization.

I personally think it’s a slightly overlooked area of Engineering that could do with addressing.

Image: Reveal your greatest secrets! (source: base64.guru)

One quick way to solve this is by providing a vetted list of external apps. A feature to consider is ‘in-browser’ or ‘offline’ apps, where data is computed locally and not transmitted remotely.

Examples of ‘local’ apps

  1. CyberChef (https://gchq.github.io/CyberChef/)
    • Recommended (Created by our very own GCHQ)
  2. DevUtils (https://devutils.com/)
  3. encoding.tools (https://encoding.tools/)

An approved list of apps might be good enough, because it addresses the biggest concern (external data transmission).

But external apps can present their own issues even when genuine, e.g. rogue deployments, changes in functionality, supply chain attacks.


What’s the best solution?

Short of developing your own, a compromise is to set up your own instance of an open source web application such as IT-Tools, which offers 75+ functions, works ‘in-browser’ and is a static site (which helps limit the attack surface).

Organizations retain full control over the instance, which is probably the second most important feature.
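To make the vetted list enforceable rather than advisory, one check a Security team can run is a review of web proxy logs: requests to the approved in-browser tools pass, while requests that push data to other utility sites get flagged. The script below is an added example, not code from the post or from IT-Tools; the approved host list, the utility-site name hints, the internal IT-Tools hostname and the log lines are all constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed vetted list: the post's in-browser examples plus a placeholder
# hostname for a self-hosted IT-Tools instance (not a real host).
APPROVED_HOSTS = {"gchq.github.io", "devutils.com", "encoding.tools",
                  "it-tools.internal.example"}
UTILITY_HINTS = ("base64", "decode", "encode", "jwt", "hash", "json", "regex")  # assumed
# Standard Base64 alphabet, 16+ chars, optional padding. parse_qsl restores
# a URL-encoded '+' (%2B), so '+' and '/' are kept in the alphabet.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def looks_like_base64(value):
    """True if value is a plausible Base64 payload that decodes cleanly."""
    if len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:
        return False

def review_request(method, url):
    """Classify one proxied request as 'approved', 'alert' or 'ok'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in APPROVED_HOSTS:
        return "approved"  # vetted tool: computation stays in the browser
    utility = any(hint in host for hint in UTILITY_HINTS)
    leaked = any(looks_like_base64(v) for _, v in parse_qsl(parts.query))
    if utility and (method == "POST" or leaked):
        return "alert"     # data was likely sent to an unvetted site
    return "ok"

def review_log(lines):
    """Scan constructed 'timestamp user method url' lines; return alerts."""
    alerts = []
    for line in lines:
        _ts, user, method, url = line.split(maxsplit=3)
        if review_request(method, url) == "alert":
            alerts.append((user, url))
    return alerts

# Constructed sample proxy log for demonstration (not real traffic).
SAMPLE_LOG = [
    "2023-11-11T09:00:01Z alice GET https://gchq.github.io/CyberChef/",
    "2023-11-11T09:00:05Z bob POST https://base64decode.example/decode",
    "2023-11-11T09:00:09Z carol GET https://jsonformatter.example/"
    "?data=eyJ0b2tlbiI6ICJhYmMxMjMifQ%3D%3D",
    "2023-11-11T09:00:12Z dave GET https://docs.example/search?q=retry+logic",
]
```

Running `review_log(SAMPLE_LOG)` flags bob (a POST to an unvetted decoder) and carol (a Base64 blob in a query string), while alice's CyberChef use and dave's documentation search pass.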


Summary

If you think this is just a nice-to-have, I’d argue it’s an area Security teams should consider looking at. I have witnessed this take other forms: regex tools used to split production connection strings, XSLT validators.

Engineers need these tools often, and it’s a bit of a wild west with everyone doing things their own way. A poorly equipped engineer may misplace their trust and inadvertently cause a security blunder, which emphasizes the importance of a secure engineering tool-set.

Published Nov 11, 2023

Londoner. Senior Engineer of things Platform and DevOps.