
GitHub repo: https://github.com/buzzfeed/sso

This is our identity-aware proxy, which we've been using internally for a year.

The blog post explains our motivations behind creating it and open-sourcing it. It's available today, under the MIT license.

We'll be keeping an eye on the thread, and are happy to follow up on any questions!



Thank you for not having just dumped it like that, but adding quick-start guides and examples, and even doing some additional security checks; it's just awesome for little organizations <3


Thank you - we know from our own experience using other open source projects that having documentation and guides to get started really helps.

We know there is more to do there too (some of the feedback in this HN post has helped highlight areas where we need to improve the docs), and we will be adding to the docs over the next while.

We will also welcome PRs improving the docs!


Neat project, but I have to ask why you didn't go with an existing solution like Keycloak?


Hey,

There were a few reasons behind this.

- Ease of migration was a big one: we had 100+ instances of bitly's oauth2_proxy, and were able to seamlessly migrate them to this without any changes to the services being protected.

- Ease of deployment was also important. Our solution doesn't have any datastore dependencies and is stateless, so it was straightforward to deploy into our PaaS ( https://tech.buzzfeed.com/deploy-with-haste-the-story-of-rig... ).

- When we built this, there were far fewer solutions than there are today. For example, Ory's Oathkeeper (https://github.com/ory/oathkeeper) was released after we were already using sso internally at BuzzFeed.

Thanks!


Is it possible to use this with Nginx auth_request? I use bitly's oauth2_proxy like so because it doesn't support websockets.


Maybe - we've not tried it, but I just asked Justin who architected sso, and he suggested that maybe https://github.com/buzzfeed/sso/blob/master/internal/proxy/o... could be used.

However, there would be some caveats; for example, `skip_auth_regex` (see https://github.com/buzzfeed/sso/blob/master/docs/sso_config.... ) would not work with this, because the original URI would not be checked.
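For readers unfamiliar with the auth_request pattern being asked about, here is an added nginx layout (not code from the sso repository or from the commenter) that illustrates the caveat: the auth subrequest has its own URI, so the client's real path reaches the auth service only if it is forwarded explicitly. The auth service address, the sign-in URL and the header names are assumptions.

```nginx
# Added example: fronting an upstream app with nginx auth_request.
# Addresses, the sign-in URL and header names are assumed placeholders.

upstream app {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    # ssl_certificate / ssl_certificate_key omitted

    location / {
        # Every request is first sent as a subrequest to /_auth.
        # A 2xx reply from the auth service admits it; 401/403 blocks it.
        auth_request /_auth;
        # Copy an identity header the auth service returns (assumed name).
        auth_request_set $auth_user $upstream_http_x_forwarded_user;

        # Unauthenticated users get 401 from auth_request; send them to sign in.
        error_page 401 = @signin;

        proxy_set_header X-Forwarded-User $auth_user;
        proxy_pass http://app;
    }

    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:4180/auth;   # assumed auth endpoint
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;
        # The subrequest URI is /_auth, not the client's path. Without this
        # header the auth service cannot apply path-based rules such as
        # skip_auth_regex, which is the caveat noted above. Forwarding it only
        # helps if the auth service is written to read it.
        proxy_set_header X-Original-URI $request_uri;
    }

    location @signin {
        # Assumed sign-in entry point on the auth service.
        return 302 https://AUTH_SERVICE_PLACEHOLDER/start?redirect_uri=https://$host$request_uri;
    }
}
```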


Have you contracted an independent pen-testing company to assess your design and implementation?


Yes, as mentioned in the blog post, we worked with Security Innovation to do a week-long security assessment with full access to source code, design documents and endpoints.

We also have a long term consulting arrangement with a widely respected security architect, and they helped review our design and implementation.

Additionally, BuzzFeed has a bug bounty program on HackerOne (https://hackerone.com/buzzfeed), and we have invited participating researchers to report on any issues found. We’ve paid out bounties for a number of minor issues, which were addressed prior to open-sourcing.

Additionally, knowing that security is never done, we continue to make it eligible for bounties; see https://github.com/buzzfeed/sso/blob/master/README.md#securi...


This is mentioned in the article:

> In preparation for open sourcing we also engaged with Security Innovation, a widely respected agency who count Microsoft, Symantec, and Amazon as clients, to do a more in-depth, week long assessment, with full access to source code and design documents. This found no major issues, which gives us the confidence to open source sso today.


It was only a week-long assessment though. I don’t know Security Innovation, but I’m sure they would have appreciated more time.


That is understood, and is why we always engaged with some of the top researchers who contribute to our bug bounty program, from the start with this project.

For example, offering increased bounties during certain windows, or providing early access to the source code.

We highly value our bug bounty program, and find it to be a very effective mechanism for continuous security validation.

I'll write a tech blog post in the near future about how we facilitate our program.


Looking forward to reading about it. Thank you for the project!


[flagged]


In the blog article, they state:

> we have made sso a priority target for penetration testing by researchers on our bug bounty program — we’ve paid bounties for a number of reported issues!

While that makes it clear that they cared about penetration testing, it isn't what the person you replied to was asking: they asked if they had contracted with an independent company to do testing. This did not seem to be answered by the article, and seems like a reasonable question to ask.


We did talk in the blog article about engaging with Security Innovation too.


Your comment is incredibly unhelpful and does not contribute to the discussion. HN is not the kind of platform to shitpost on.


How have you found working with Go?


Golang is pretty beloved at BuzzFeed.

It’s one of our two standard languages - the other being Python - and whilst the vast majority of our services are Python, Golang is being used for a growing and significant number too.

Touching on my first point, we have observed that people enjoy writing Go apps, and it is a great fit particularly where performance and scalability are needed.

Therefore, when engineers have moved to another team internally, they will often evangelize Golang to their new team members.

So we expect it to continue to grow and thrive here!



