Teri Radichel




arison operators, and bitwise operators on this type too.

It's important to note that there is another type, called bytes, which is different from the above in that it is a dynamically sized array, and not a value type but a reference type. It is basically shorthand for byte[].

When you can limit the length of your data to a predefined number of bytes, it is always good practice to use one of bytes1 to bytes32 because it is much cheaper.

Enums

Enums in Solidity are a way to create user-defined types. Enums are explicitly convertible to integer types, but not implicitly. Enum values are numbered in the order they are defined, starting from 0.

Enums are not part of the ABI (Application Binary Interface, more on this in a later lesson, but it is basically how you encode Solidity code for the Ethereum Virtual Machine, and how you get data back). This means that if your function returns an enum, for example, it will be automatically converted to a uint8 behind the scenes. The integer returned is just large enough to hold all enum values. With more values, the size gets increased too (uint16 and up).

The code below, taken from the Solidity docs (https://docs.soliditylang.org/en/v0.4.24/index.html), defines an enum with four possible values, creates a variable of that enum named choice and a constant called defaultChoice that will hold a default value.

    enum ActionChoices { GoLeft, GoRight, GoStraight, SitStill }
    ActionChoices choice;
    ActionChoices constant defaultChoice = ActionChoices.GoStraight;

Now we can define some functions to interact with our enum.

    function setGoStraight() public { choice = ActionChoices.GoStraight; }

    function setChoice(ActionChoices newChoice) public { choice = newChoice; }

The first one simply sets choice to GoStraight, while the second sets it to the choice that the caller passes into the function. As we can see after deployment, the setChoice function expects a uint8 value, which corresponds to the enum value declared at that number.

[Figure: Testing enums in Remix]

If we want to get the value of choice and defaultChoice, we can define the following functions:

    function getChoice() public view returns (ActionChoices) { return choice; }

    function getDefaultChoice() public pure returns (uint) { return uint(defaultChoice); }

As we can see if we try this out in Remix, the first function returns a uint8 while the second returns a uint256.

[Figure: Testing enums in Remix]

Fixed point numbers

Fixed point numbers represent fractional numbers by storing a fixed number of digits of their fractional part. No matter how large or small the fractional part is, it will always use the same number of bits.

Fixed point numbers are not fully supported by Solidity yet. They can be declared, but cannot be assigned to or from.

We can differentiate between signed fixed point numbers, declared with the fixed keyword, and unsigned fixed point numbers, declared with the ufixed keyword.

They can also be declared as fixedMxN or ufixedMxN, where M represents the number of bits the type takes and N represents the number of decimal points. M has to be divisible by 8 and a number between 8 and 256. N has to be a number between 0 and 80.

They work with the following operators:

  • Comparisons: <=, <, ==, !=, >=, > (evaluate to bool)
  • Arithmetic operators: +, -, unary -, unary +, *, /, % (remainder)

Conclusion

In this lesson, we looked at what value types are available in Solidity and how each one works.

Thank you for staying with us till the end. If you enjoyed reading this piece, please keep in touch and follow Solidify to keep up with our lessons on Solidity. In the upcoming articles, we will dive deep into the intricacies of the language, progressing from beginner to advanced level.

If you are new to Solidity, check out the previous lessons about setting up a local development environment and writing your first smart contract:

  • How to Setup Your Local Solidity Development Environment: https://readmedium.com/how-to-setup-your-local-solidity-development-environment-c4c8195810f3
  • Lesson 1: Your First Solidity Smart Contract: https://readmedium.com/lesson-1-your-first-solidity-smart-contract-1ba7e641f9a3

A Cloud Security Center of Excellence

ACM.241 What I think is most effective and why


Finally getting back to my series on Automated Cybersecurity Metrics after a hiatus for personal matters and a penetration test. While testing I jotted down so many ideas that came to mind as I was helping a customer try to prevent a data breach.

In my last post I wrote about how you can lock and unlock critical assets when you need to make changes to them. This is one example of automation that helps prevent misconfigurations.

In this post I consider automated solutions such as the above compared to a Cloud Security Center of Excellence.

Cloud Security Center of Excellence

I often get asked to speak to companies about “Cloud Center of Excellence.” It’s honestly not my favorite topic. I can tell you what we did to try to improve security at Capital One and how we improved communication over time across teams spread across continents. We had such things as “centers of excellence.” Did it stop a breach? No.

Why not? Because at the end of the day you have people making architectural decisions beyond these centers of excellence and those people need to make the decisions that are in the best interest of cybersecurity.

I would much rather talk to you about your cloud security architecture.

Cloud Security Architecture

I can explain to you what went wrong in the Capital One breach and why — to the best of my knowledge, based on speaking to people involved in that breach. I also analyze other significant breaches, how they happened, and sometimes write about them. Many times the source of the breach and prevention comes down to system architecture and design that prevents people from doing things they shouldn’t — in a way that probably makes their job easier in the process.

Automated Governance

The other thing is, you can train people all day long, but at the end of the day, people make mistakes. Training is very important and helps you get buy-in for what you really need to be doing — automated governance.

I’ve got a whole series going on how you can automate different aspects of your infrastructure to reduce risk here:

Why are people so attracted to the concept of “Cloud Security Center of Excellence?”

First of all, it’s promoted by the big cloud platforms as something you should be doing. I am guessing that is why people keep asking me about it. They read about what they should do to secure their cloud and one of the first steps is a Cloud Security Center of Excellence. Ok, we can do that.

Do people like this topic because it is a feel-good topic? You may have read, as I did, that people most remember you not for what you did but how you made them feel. People like to feel special and “excellent” perhaps.

Additionally, for those who are not extremely technical and cannot assess and contribute to a technical solution, perhaps this feels like something they can do to contribute. It makes them feel like they are solving a problem.

But are they really? For those who are less technical, I wrote a book at the bottom of this post where I try to explain the technical aspects of cybersecurity and what causes data breaches in a manner that anyone can grasp. My aunt who is very non-technical even read it in a show of support and said she could understand it. :-D

To stop data breaches we need to prevent what causes them

Once you understand what actually causes data breaches you may be able to implement more effective means of stopping breaches.

More on data breaches and what caused them here. How much would a Cloud Security Center of Excellence prevent the following breaches?

Is setting up a Cloud Security Center of Excellence the best use of your time out of the gate if you already have people working in the cloud? Only if you are going to use that group to decide what your cloud policies should be and get them implemented in a manner that stops people from performing egregious security misconfigurations. Because those automated policies and zero trust IAM and network policies are what stop data breaches.

Data breaches will still happen

Even if you take every measure to reasonably stop a data breach, they will likely continue to happen, but on a less dramatic scale. One important aspect of cybersecurity is detecting and responding to cyber attacks.

In addition to architecting your governance and policies, you need to architect systems and logs such that you can quickly spot and stop cyber attacks. Although I can speak to these topics, some of my colleagues at IANS Security actually do that for a living and can better answer those questions.

I work mainly on the prevention side, helping you design your policies so hopefully you have less need for the response side of the equation. But even when designing systems to prevent a breach, you have to design the systems to give you the data you need when a security event occurs to properly investigate and respond to it. That’s one of the things I evaluate on a cloud security assessment.

Should we forget the Cloud Security Center of Excellence?

Giving people props for doing the right thing in cybersecurity is not a bad thing and can only help. A cloud security center of excellence may bring together people who can promote security down to the rest of the organization. Having discussions may help foster communication and understanding of what is blocking people from implementing cybersecurity best practices.

These centers of excellence may promote support throughout the organization for your cybersecurity efforts. If you don’t have buy-in from the people actually doing the work, they will simply ignore you. Trust me, I’ve seen it in action and wrote about that in other posts and my book. So bringing together some of your most important “security champions” — another popular term I don’t really love talking about, to be honest — may help promote security throughout your organization.

But at the end of the day, security should just be a requirement and something everyone does. It’s your job. It’s like — when you write code, you check it into source control. It will not get deployed unless you check it into source control. It’s a requirement and you can’t bypass it. Period.

Even if people want to do the right thing — they make mistakes. It happens. That’s one of the top sources of data breaches in the last Verizon Data Breach Investigations Report — data accidentally sent to the wrong person in some manner. It happened to me when I was selling my house. I was sent information to pay off someone else’s house — not mine! Of course I got in touch with the appropriate people to make sure that didn’t happen.

Preventing mishaps as well as intentional misconfiguration is what automated governance does for you. There are rules people need to follow and if they want to deploy their code they follow the rules.

How you design your automated governance matters

Now, the way you design the rules is very important. You need to design the system so it does not impede progress — unnecessarily. That doesn’t mean we follow the trend that has proven not to work over and over again — where the security team just makes recommendations and gets out of the way.

If you missed it, misconfigurations were still one of the highest sources of data breaches on the list in the last Verizon Data Breach Investigations Report.

Training

What about getting people to do the right thing? Don’t you need training for that? Yes — the right kind of training is highly effective at raising security and helping people understand how to think about security.

But a one time training to explain cross site scripting is not that effective. You need to get to the root of problems which is something I’m addressing here — possibly to become a book with more information in the not too distant future.

One of the great things about properly designed automated governance is that you can bake training right into the process. When someone makes a mistake, you don’t just block them. You explain to them:

  • What they are not allowed to do.
  • Why
  • How to fix it

That can all be baked into a well-designed system for governing actions in the cloud. The beauty of cloud platforms is that you can automate responses to pretty much any action. You can write policies in code as I explain in the link above. That’s pretty cool.
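As an added example (not code from the original post, and not any particular cloud platform's policy engine), the following Python sketch shows what "baking training into the process" can look like in a pre-deployment policy check: each rule carries its own what-is-not-allowed, why, and how-to-fix text, so a blocked deployment returns an explanation rather than a bare rejection. The resource definitions, rule names, and remediation wording are constructed for illustration.

```python
"""
Added example (not from the original post): a minimal policy-as-code gate
that, instead of silently rejecting a deployment, returns a structured
finding for each violation stating what is not allowed, why, and how to
fix it. All resource definitions and rule texts below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    rule: str   # what is not allowed
    why: str    # the risk this rule addresses
    fix: str    # how to make the change compliant


def _is_world_open(cidr: str) -> bool:
    """True when a CIDR covers the whole IPv4 or IPv6 address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def check_security_group(resource: dict) -> list:
    """Flag ingress rules that expose admin ports to the entire internet."""
    findings = []
    admin_ports = {22, 3389}
    for rule in resource.get("ingress", []):
        ports = range(rule["from_port"], rule["to_port"] + 1)
        exposed = sorted(p for p in admin_ports if p in ports)
        if exposed and any(_is_world_open(c) for c in rule.get("cidrs", [])):
            findings.append(Finding(
                resource=resource["name"],
                rule=f"Ingress to port(s) {exposed} from 0.0.0.0/0 or ::/0 is not allowed",
                why="Administrative ports reachable from any address are a common "
                    "path to credential brute forcing and initial access",
                fix="Restrict the CIDR to your corporate or VPN ranges, or remove "
                    "the rule and use a bastion or session manager instead",
            ))
    return findings


def check_bucket(resource: dict) -> list:
    """Flag object storage that grants public read access."""
    if resource.get("public_read", False):
        return [Finding(
            resource=resource["name"],
            rule="Public read access on storage buckets is not allowed",
            why="Publicly readable buckets are one of the most frequent "
                "misconfigurations behind accidental data exposure",
            fix="Set public_read to false and grant access through IAM "
                "policies or pre-signed URLs to the principals that need it",
        )]
    return []


# Dispatch table: resource type -> rule function. Adding a rule means adding
# a function here, each carrying its own explanation for the person blocked.
CHECKS = {
    "security_group": check_security_group,
    "bucket": check_bucket,
}


def evaluate(resources: list) -> dict:
    """Run every applicable rule; return the decision and the explanations."""
    findings = []
    for res in resources:
        check = CHECKS.get(res["type"])
        if check is not None:
            findings.extend(check(res))
    return {"allowed": not findings, "findings": findings}


def format_report(result: dict) -> str:
    """Render findings in the what / why / how-to-fix form a developer sees."""
    if result["allowed"]:
        return "Deployment allowed: no policy violations."
    lines = ["Deployment blocked:"]
    for f in result["findings"]:
        lines += [f"- {f.resource}", f"  Not allowed: {f.rule}",
                  f"  Why: {f.why}", f"  How to fix: {f.fix}"]
    return "\n".join(lines)


# Constructed sample deployment: one compliant and two non-compliant resources.
SAMPLE_DEPLOYMENT = [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
    {"type": "security_group", "name": "admin-sg",
     "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
    {"type": "bucket", "name": "customer-exports", "public_read": True},
]

if __name__ == "__main__":
    print(format_report(evaluate(SAMPLE_DEPLOYMENT)))
```

Run as a script, the gate blocks the sample deployment and prints two findings (the world-open SSH rule and the public bucket) with their explanations, while the HTTPS rule on web-sg passes. The same evaluate() call is what a pipeline step would run before applying a change; the report text is what goes back to the person who made the change.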

Are cloud security centers of excellence helping?

I wonder how many companies involved in data breaches had a cloud center of excellence and security champions versus those who have automated governance and security controls baked into their deployment pipeline?

We don’t have a lot of statistics on that point. But we have some.

More than once I’ve been hired by a company — after a breach — that wanted me to review their deployment pipeline, perform a security assessment, or a penetration test, to see if they were doing things correctly. After the breach, those companies had all taken a more automated and controlled approach to security.

Research reports also show that those who implement automated security controls pay less in the case of a data breach than others. I reference that statistic in my book.

For this reason, I wish more people would contact me for a cloud security assessment, penetration test, or call me at IANS research with questions about automated governance and cloud architecture before a breach.

Do you need help designing a secure deployment system? I can answer questions about that. Are your developers fighting against security? Hire me for training or get your security team and your developers on a call and maybe I can help. At a minimum follow this blog for more insights into how you can implement security strategies that make a difference — and help stop data breaches.


Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab