Securing your apps and user data with Google Cloud: Introducing AACTT- Security Journey

9 thoughts on “Securing your apps and user data with Google Cloud: Introducing AACTT- Security Journey”

  • Alexander Barbiero says:

    At least it should be an HTTPS request. If you want an overkill solution, you can also encrypt the image, send it to the server, decrypt it on the server, add the cat, encrypt it again, send it back to the user and decrypt it again.

  • 1) Anything that "sends" a photo back to the phone can be exploited to also send viruses/backdoors to the user's phone. 2) Someone might inject more code into the original Python programme and redirect users somewhere they don't want to be going, or request access to user photos/files (which many users will auto-accept). But is AACTT different from the usual encryption that comes with using GCP services?

  • Some thoughts:

    1. I guess using the client SDK, we can make sure the client-server communication is encrypted at the highest standards without having to build any extra encryption mechanisms.
    2. If we use client SDKs, we can directly upload to Cloud Storage in a few easy steps, which also takes care of resumable upload and security.
    3. Using custom auth claims can add one level of security if you're using Firebase.
    4. Need to set up Cloud IAM for Extensible Service Proxy to secure endpoints.
    5. Using code obfuscation on the client side.
    6. Tighter security rules if using Firebase for Cloud Storage, Firestore, etc.

  • Abhideep Chakravarty says:

    How to handle DDoS?
    How to handle authZ for the photos?
    How do you ensure the photo is not hacked if stored for later download?

  • guillaume blaquiere says:

    Is the binary used (in the subprocess) safe? Is there a known CVE on it?
    What is the version of the base image for the container? Is the root user deactivated?
    Is the image type checked? How to prevent malicious picture upload?
    How to prevent automatic picture submission and then a DDoS attack or service overconsumption?

  • I bet a signed URL is used somewhere in this mix. 🙂 I'd definitely use a signed URL for uploading, then I'd trigger a cloud function to move the image over to another bucket for processing once it's uploaded. Then you can use a very short file retention policy on the bucket you upload the files to.
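
The upload flow from the comment above (upload bucket, a function triggered on upload that passes the image on to a processing bucket), combined with the image-type check asked about earlier in the thread, as an added example that is not code from the post or from any commenter. The bucket name, function names and accepted formats are assumptions; `client` is expected to behave like a `google.cloud.storage.Client`.

```python
# Added example: names below are hypothetical, not taken from the page.
PROCESSING_BUCKET = "example-processing-bucket"  # assumed bucket name

# Leading bytes ("magic numbers") of the image formats the service accepts.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(head: bytes):
    """Return the MIME type implied by the first bytes, or None if unknown."""
    for mime, prefixes in SIGNATURES.items():
        if head.startswith(prefixes):
            return mime
    # WebP is a RIFF container with "WEBP" at offset 8.
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "image/webp"
    return None


def promote_upload(client, bucket_name: str, object_name: str) -> bool:
    """Run once per finished upload; copy onward only if it is a real image.

    The file name and the Content-Type sent by the uploader are ignored:
    both are attacker-controlled, the stored bytes are not.
    """
    src_bucket = client.bucket(bucket_name)
    blob = src_bucket.blob(object_name)
    # Only the first 12 bytes are needed; `end` is an inclusive offset.
    head = blob.download_as_bytes(start=0, end=11)
    if sniff_image_type(head) is None:
        return False  # rejected: never reaches the processing bucket
    dest_bucket = client.bucket(PROCESSING_BUCKET)
    src_bucket.copy_blob(blob, dest_bucket, new_name=object_name)
    # The original is left to expire under the upload bucket's own policy.
    return True
```

A magic-number match only rejects files that are plainly not images; the processing step still has to treat the decoded content as untrusted.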
