<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Idris Adeniji</title>
    <description>The latest articles on DEV Community by Idris Adeniji (@alvacoder).</description>
    <link>https://dev.to/alvacoder</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F333836%2F7f56738b-f616-421c-8a04-952aaddb4e9a.jpg</url>
      <title>DEV Community: Idris Adeniji</title>
      <link>https://dev.to/alvacoder</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/alvacoder"/>
    <language>en</language>
    <item>
      <title>Your UI is Not Part of Security: The Reality of BOLA</title>
      <dc:creator>Idris Adeniji</dc:creator>
      <pubDate>Thu, 04 Sep 2025 10:09:03 +0000</pubDate>
      <link>https://dev.to/alvacoder/your-ui-is-not-part-of-security-the-reality-of-bola-52jn</link>
      <guid>https://dev.to/alvacoder/your-ui-is-not-part-of-security-the-reality-of-bola-52jn</guid>
      <description>&lt;p&gt;When building applications, it’s tempting to assume that security lives in the user interface (UI). After all, the UI dictates what the end user can see and do.&lt;/p&gt;

&lt;p&gt;But here’s the truth: attackers rarely care about your UI. They go straight to your APIs.&lt;/p&gt;

&lt;p&gt;And when your APIs don’t enforce authorization properly, you’re facing one of the most common and dangerous vulnerabilities in the OWASP Top 10 today: BOLA (Broken Object Level Authorization).&lt;/p&gt;

&lt;p&gt;🔎 What is BOLA?&lt;br&gt;
BOLA happens when backend systems fail to validate whether a user is authorized to access a specific object.&lt;/p&gt;

&lt;p&gt;Example:&lt;/p&gt;

&lt;p&gt;✅ Normal behavior (legitimate user request):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;GET /api/users/123
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;❌ Attacker tweaks the request:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;GET /api/users/124
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If the backend doesn’t enforce authorization, the attacker can now access another user’s data.&lt;/p&gt;

&lt;p&gt;The scary part? This doesn’t require advanced tools. A proxy like Burp Suite or even curl is enough.&lt;/p&gt;

&lt;p&gt;🚫 Why the UI is Less Relevant to Security&lt;br&gt;
Many developers think:&lt;/p&gt;

&lt;p&gt;“The UI only shows data the user should see.”&lt;/p&gt;

&lt;p&gt;“There’s no button for that, so it can’t happen.”&lt;/p&gt;

&lt;p&gt;But here’s the problem: 👉 The UI is just a client of your API.&lt;/p&gt;

&lt;p&gt;Attackers skip the UI entirely and target endpoints directly. If your backend doesn’t enforce proper checks, it doesn’t matter what the UI does.&lt;/p&gt;

&lt;p&gt;💥 The Business Impact of BOLA&lt;br&gt;
BOLA is more than a coding oversight — it’s been behind major real-world breaches.&lt;/p&gt;

&lt;p&gt;The risks include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Exposure of sensitive personal or financial data&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Unauthorized transactions or account takeovers&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Compliance violations (GDPR, HIPAA, PCI DSS)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Loss of customer trust and reputational damage&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Because BOLA attacks are so straightforward, they’re often the first thing pentesters and attackers try. You can defend against them by doing the following:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Always enforce authorization on the backend&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Apply least privilege&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Centralize access control logic&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Test beyond the UI&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Automate in CI/CD&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;✅ Key Takeaway&lt;/p&gt;

&lt;p&gt;Security doesn’t live in your UI. It lives mostly in your APIs, backend logic, and consistent enforcement of object-level authorization.&lt;/p&gt;

&lt;p&gt;If your defense strategy stops at the interface, you’ve already lost.&lt;/p&gt;

&lt;p&gt;Because attackers never click the button — they rewrite the request.&lt;/p&gt;

&lt;p&gt;#ApiSecurity #OWASP #security #cybersecurity&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Deploying A NodeJS App With Elastic Beanstalk</title>
      <dc:creator>Idris Adeniji</dc:creator>
      <pubDate>Wed, 05 Jul 2023 07:18:11 +0000</pubDate>
      <link>https://dev.to/alvacoder/deploying-a-nodejs-app-with-elastic-beanstalk-2h5p</link>
      <guid>https://dev.to/alvacoder/deploying-a-nodejs-app-with-elastic-beanstalk-2h5p</guid>
      <description>&lt;p&gt;Managing applications on the cloud can be a complex task, especially when it involves handling multiple environments, scaling, and deploying updates. However, there's a solution that can alleviate these challenges: AWS Elastic Beanstalk. This service provided by Amazon Web Services offers a user-friendly platform for deploying, managing, and scaling applications in the AWS Cloud.&lt;/p&gt;

&lt;p&gt;In this tutorial, we will delve into the fundamentals of Elastic Beanstalk and guide you through the process of deploying a NodeJS app connected to an RDS database. Let's begin!&lt;/p&gt;

&lt;p&gt;Introduction to AWS Elastic Beanstalk&lt;/p&gt;

&lt;p&gt;AWS Elastic Beanstalk is a fully managed service designed to simplify the deployment, management, and scaling of applications on AWS. It takes care of provisioning the necessary resources, including EC2 instances, RDS databases, and load balancers.&lt;/p&gt;

&lt;p&gt;Elastic Beanstalk handles the deployment, monitoring, and maintenance tasks of your applications, enabling you to focus on coding and delivering new features.&lt;/p&gt;

&lt;p&gt;One of the advantages of Elastic Beanstalk is that it leverages CloudFormation to provision resources. The great news is that you don't have to write CloudFormation templates yourself. Elastic Beanstalk takes care of it automatically.&lt;/p&gt;

&lt;p&gt;Now that we have a basic understanding of Elastic Beanstalk, let's explore the process of deploying a NodeJS app with an RDS connection.&lt;/p&gt;

&lt;p&gt;Preparing the NodeJS Source Code&lt;br&gt;
Before deploying our app to Elastic Beanstalk, we need to perform a few steps. Although it took me hours to figure this out, I'll guide you through the process, and you'll be able to deploy your app in about 10 minutes.&lt;/p&gt;

&lt;p&gt;Deploying Your Own App&lt;br&gt;
First, ensure that your &lt;code&gt;package.json&lt;/code&gt; file includes the &lt;code&gt;start&lt;/code&gt; command, and that this command is configured to run your app. By default, Beanstalk executes &lt;code&gt;npm start&lt;/code&gt;, and if it cannot find it, an error will be thrown.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqrhyuscnept1j2c4c0af.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqrhyuscnept1j2c4c0af.png" alt="package.json file with start command"&gt;&lt;/a&gt;&lt;br&gt;
package.json file with start command&lt;/p&gt;

&lt;p&gt;Configuring environment variables is a crucial aspect when working with AWS Elastic Beanstalk, particularly when it comes to RDS connections. It is important to adhere to the pre-defined naming conventions set by AWS. For more detailed information, you can refer to this article provided by AWS.&lt;/p&gt;

&lt;p&gt;To illustrate this point, let's consider a quick example. When configuring the hostname for the RDS, you must use the specific environment variable designated as &lt;code&gt;RDS_HOSTNAME&lt;/code&gt;. If you use a different variable name, such as &lt;code&gt;DB_HOSTNAME&lt;/code&gt;, your application will be unable to establish a connection.&lt;/p&gt;

&lt;p&gt;In the AWS Elastic Beanstalk console, you have the flexibility to define custom environment variables according to your specific requirements.&lt;/p&gt;

&lt;p&gt;Here's an example of how your DB connection configuration should be structured:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcvji7kpbulbgtsmqjypo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcvji7kpbulbgtsmqjypo.png" alt="Elastic Beanstalk DB configuration"&gt;&lt;/a&gt;&lt;br&gt;
Elastic Beanstalk DB configuration&lt;/p&gt;

&lt;p&gt;Elastic Beanstalk (EBS) by default runs on port 8080. So we have to configure our app to run on port 8080. It's always a best practice to add the port number in environment variables and configure it in the EBS console.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7p1gc6jdb2gd3zjdja2j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7p1gc6jdb2gd3zjdja2j.png" alt="Elastic Beanstalk port"&gt;&lt;/a&gt;&lt;br&gt;
Elastic Beanstalk port&lt;/p&gt;

&lt;p&gt;In order for Elastic Beanstalk to read our environment variables, we should add a file called &lt;code&gt;.ebextensions&lt;/code&gt; in the project root directory with the following code:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;commands:
    setvars:
        command: /opt/elasticbeanstalk/bin/get-config environment | jq -r 'to_entries | .[] | "export \(.key)=\"\(.value)\""' &amp;gt; /etc/profile.d/sh.local
packages:
    yum:
        jq: []
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;.ebextension to get env variables&lt;/p&gt;

&lt;p&gt;Install the dependencies by executing npm install and zip your code along with node_modules by executing the following command:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;zip [filename].zip -r ./
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Remember the zipped file should contain all files and subdirectories in the root folder and should not be inside any other folders. This is because Elastic Beanstalk will check for the &lt;code&gt;package.json&lt;/code&gt; file in the root folder and it'll throw an error if it can't find it.&lt;/p&gt;

&lt;p&gt;Now that our app is ready, let's create the Elastic Beanstalk application.&lt;/p&gt;

&lt;p&gt;Creating an Elastic Beanstalk Application&lt;/p&gt;

&lt;p&gt;Step 1: Configuring Your Environment&lt;/p&gt;

&lt;p&gt;To create an Elastic Beanstalk app, follow these steps:&lt;/p&gt;

&lt;p&gt;Open the AWS Management Console and select Elastic Beanstalk from the Services menu. Click on the "Create Application" button. Choose the "Web server environment" option, then provide a name for your application.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiazwxna1f36wovnngiwj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiazwxna1f36wovnngiwj.png" alt="Getting started with AWS Elastic Beanstalk"&gt;&lt;/a&gt;&lt;br&gt;
Getting started with AWS Elastic Beanstalk&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghsoyd4ueae7g2lq5vtd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghsoyd4ueae7g2lq5vtd.png" alt="Give your application a name"&gt;&lt;/a&gt;&lt;br&gt;
Give your application a name&lt;/p&gt;

&lt;p&gt;Choose &lt;code&gt;Managed platform&lt;/code&gt; in "Platform type", and &lt;code&gt;Node.js&lt;/code&gt; in "Platform", and leave the rest as it is.&lt;/p&gt;

&lt;p&gt;Then choose &lt;code&gt;Upload your code&lt;/code&gt; in the "Application code" section and upload the zip file.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fntfo3c3wtvu1o5hv7icr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fntfo3c3wtvu1o5hv7icr.png" alt="Elastic Beanstalk"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6s63e5eog28jfdie9n8f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6s63e5eog28jfdie9n8f.png" alt="Elastic Beanstalk"&gt;&lt;/a&gt;&lt;br&gt;
Screenshot of the above selections&lt;/p&gt;

&lt;p&gt;Then set the version label to &lt;code&gt;1&lt;/code&gt; and choose &lt;code&gt;Single instance&lt;/code&gt; in the "Presets" section and click Next.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Prefer &lt;code&gt;High availability&lt;/code&gt; for production environments.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fky2qi1nfucc8auk8vj6l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fky2qi1nfucc8auk8vj6l.png" alt="Elastic Beanstalk"&gt;&lt;/a&gt;&lt;br&gt;
More setup config&lt;/p&gt;

&lt;p&gt;Step 2: Configuring Service Access&lt;/p&gt;

&lt;p&gt;In this section, we will configure the necessary IAM roles for Elastic Beanstalk and EC2. Follow these steps:&lt;/p&gt;

&lt;p&gt;For the service role, select "Create and use a new service role." This will automatically create a new role with the required permissions.&lt;/p&gt;

&lt;p&gt;If you wish to SSH into your EC2 instance via the terminal, create a key pair and select it. If not, you can skip this step.&lt;/p&gt;

&lt;p&gt;Create an IAM role with the following permissions: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWSElasticBeanstalkWebTier&lt;/li&gt;
&lt;li&gt;AWSElasticBeanstalkWorkerTier&lt;/li&gt;
&lt;li&gt;AWSElasticBeanstalkMulticontainerDocker&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Add the created role to the "EC2 instance profile."&lt;/p&gt;

&lt;p&gt;Proceed to the next step.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4opagry4ecproyjq8ibz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4opagry4ecproyjq8ibz.png" alt="Elastic Beanstalk"&gt;&lt;/a&gt;&lt;br&gt;
Configure service access screen&lt;/p&gt;

&lt;p&gt;Step 3: Set up networking, database, and tags&lt;br&gt;
Now, turn on the Enable database toggle and choose the mysql engine. Fill out the other fields based on your needs.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5a30mlvch5lwspsmbtx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5a30mlvch5lwspsmbtx.png" alt="Elastic Beanstalk"&gt;&lt;/a&gt;&lt;br&gt;
Filling out the other options&lt;/p&gt;

&lt;p&gt;Be super careful while selecting the "Database deletion policy". As I'm creating a sample app, I selected the Delete option, which will delete the database when the Elastic Beanstalk application is deleted.&lt;/p&gt;

&lt;p&gt;If you're working on a production database, it's always a best practice to choose the Create Snapshot or Retain option.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firbd7ik6eu7esvez8t6u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firbd7ik6eu7esvez8t6u.png" alt="Elastic Beanstalk"&gt;&lt;/a&gt;&lt;br&gt;
Database deletion policy&lt;/p&gt;

&lt;p&gt;Step 4: Configure instance traffic and scaling&lt;br&gt;
You don't need to change anything here unless you particularly need it. If you're building this sample app, leave the fields with default values. By default Elastic Beanstalk will create an Amazon Linux machine.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo0sxdzl8x39ure5izht2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo0sxdzl8x39ure5izht2.png" alt="Elastic Beanstalk"&gt;&lt;/a&gt;&lt;br&gt;
You can leave the default values unless you need something in particular.&lt;/p&gt;

&lt;p&gt;Step 5: Configure updates, monitoring and logging&lt;br&gt;
Choose &lt;code&gt;Basic&lt;/code&gt; in "Health reporting" and uncheck Managed updates activation.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fia3ksytklcvbj9qgsv4m.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fia3ksytklcvbj9qgsv4m.png" alt="Elastic Beanstalk"&gt;&lt;/a&gt;&lt;br&gt;
More config&lt;/p&gt;

&lt;p&gt;Add your environment variables and click Next.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F751mfw18u2nju8kzsat1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F751mfw18u2nju8kzsat1.png" alt="Elastic Beanstalk"&gt;&lt;/a&gt;&lt;br&gt;
Add environment variables&lt;/p&gt;

&lt;p&gt;Finally, review all your configurations and proceed with next. It takes time to provision the RDS, so feel free to grab a glass of coffee.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgqf6w2v9mfr33c3msco.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjgqf6w2v9mfr33c3msco.png" alt="Elastic Beanstalk Configuration"&gt;&lt;/a&gt;&lt;br&gt;
Review config and proceed when ready.&lt;/p&gt;

&lt;p&gt;Once you have completed all the necessary configurations, you should observe that the health status of your Elastic Beanstalk application turns green, indicating a successful deployment. Additionally, a domain URL will be generated for your application, which you can use to access it.&lt;/p&gt;

&lt;p&gt;Celebrate the achievement of a successful deployment with the green health status 🎉, and rejoice as you receive your generated domain URL 🥳.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj5yxngqbalrh0tnqwjj6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj5yxngqbalrh0tnqwjj6.png" alt="Elastic Beanstalk App"&gt;&lt;/a&gt;&lt;br&gt;
Success!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmae5gvqfh7npwxglx2k.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmae5gvqfh7npwxglx2k.png" alt="Elastic Beanstalk App"&gt;&lt;/a&gt;&lt;br&gt;
When you hit the domain-url/ you should see your application load fine.&lt;/p&gt;

&lt;p&gt;Conclusion&lt;br&gt;
In this article, we've successfully deployed a NodeJS app with an RDS connection using AWS Elastic Beanstalk. This powerful service simplifies the deployment and management process, allowing you to focus on developing and scaling your applications.&lt;/p&gt;

&lt;p&gt;If you are stuck at any point feel free to drop your comments below. I'll be happy to help.&lt;/p&gt;

&lt;p&gt;Hope you enjoyed reading this article!&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>aws</category>
      <category>node</category>
      <category>elasticbeanstalk</category>
    </item>
    <item>
      <title>Exploring the Comprehensive Security Services in AWS</title>
      <dc:creator>Idris Adeniji</dc:creator>
      <pubDate>Fri, 23 Jun 2023 01:26:50 +0000</pubDate>
      <link>https://dev.to/alvacoder/exploring-the-comprehensive-security-services-in-aws-3obf</link>
      <guid>https://dev.to/alvacoder/exploring-the-comprehensive-security-services-in-aws-3obf</guid>
      <description>&lt;p&gt;Early this year, I made up my mind to put up a lot of materials regarding Security (Cloud, Infrastructure and Application) because there is a pressing need not just to build products but to build them securely and reducing users risk to the barest minimum.&lt;/p&gt;

&lt;p&gt;In this article, I'll take you through an overview of the various security services provided by Amazon Web Services (AWS), a leading cloud provider offering a comprehensive range of security services designed to protect data, applications, and resources. Read along as I briefly explore their functionalities and how they contribute to a secure cloud environment.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DZ-ClJ-v--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4oxt1hrqt837nvnbhc0x.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DZ-ClJ-v--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4oxt1hrqt837nvnbhc0x.png" alt="Image description" width="800" height="441"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Identity and Access Management (IAM):&lt;/strong&gt;&lt;br&gt;
IAM is a fundamental service, and one of the most used, which enables centralized control over AWS resource access. It facilitates the creation and management of user accounts, groups, and roles, allowing administrators to assign fine-grained permissions. IAM helps implement the principle of least privilege through policy-based access, ensuring that users have only the necessary access to perform their tasks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS CloudTrail:&lt;/strong&gt;&lt;br&gt;
CloudTrail provides a detailed audit trail of API calls made within an AWS account. It captures events related to account activity, including actions taken through the AWS Management Console, SDKs, command-line tools, and other AWS services. The recorded logs enable security analysis, resource change tracking, and incident response, promoting transparency and accountability.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS CloudWatch:&lt;/strong&gt;&lt;br&gt;
CloudWatch is a monitoring and observability service that offers robust capabilities for collecting and analyzing operational data. From monitoring log files and metrics to setting alarms and reacting to changes in performance, CloudWatch aids in detecting and resolving security-related issues promptly. It plays a crucial role in monitoring the security posture of AWS resources.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Config:&lt;/strong&gt;&lt;br&gt;
AWS Config provides a detailed inventory of the configuration of AWS resources within an account. It continuously monitors and records the configuration changes, providing a comprehensive view of resource relationships and dependencies. By establishing a baseline and evaluating configuration compliance against predefined rules, AWS Config assists in maintaining security best practices and compliance requirements.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Security Hub:&lt;/strong&gt;&lt;br&gt;
Security Hub acts as a centralized dashboard for managing security and compliance across multiple AWS accounts. It consolidates findings from various services, including AWS GuardDuty, Amazon Inspector, and AWS Macie, providing a holistic view of security posture. With automated security checks, prioritized alerts, and integration with third-party tools, Security Hub simplifies the identification and remediation of security risks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS GuardDuty:&lt;/strong&gt;&lt;br&gt;
GuardDuty is a threat detection service that utilizes machine learning algorithms and threat intelligence to identify malicious activity within AWS environments. It continuously analyzes log data and network traffic, looking for patterns indicative of unauthorized access, compromised instances, or reconnaissance attempts. GuardDuty enhances threat visibility and assists in mitigating potential security threats.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS WAF:&lt;/strong&gt;&lt;br&gt;
Web Application Firewall (WAF) is a managed service that protects web applications from common web exploits and attacks. It allows fine-grained control over HTTP/HTTPS traffic and helps mitigate threats such as SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks. WAF integrates with other AWS services to provide proactive security for web applications.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Shield:&lt;/strong&gt;&lt;br&gt;
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS against volumetric, state-exhaustion, and application layer attacks. It provides automatic protection and defends against large-scale DDoS attacks by leveraging global threat intelligence and machine learning algorithms. AWS Shield ensures the availability and performance of applications during attacks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Secrets Manager:&lt;/strong&gt;&lt;br&gt;
Secrets Manager enables secure storage and management of secrets, such as database credentials, API keys, and secure tokens. It eliminates the need for hardcoding secrets in applications, enhancing security and simplifying their rotation and management. Secrets Manager integrates seamlessly with AWS services and supports automatic secret rotation for various databases, reducing the risk of unauthorized access.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Amazon Macie:&lt;/strong&gt;&lt;br&gt;
Amazon Macie is an AI-powered service that automates the discovery, classification, and protection of sensitive data stored in AWS. It leverages machine learning algorithms to analyze data across multiple AWS services, such as Amazon S3, Amazon RDS, and Amazon Redshift, identifying personally identifiable information (PII), sensitive financial data, intellectual property, and other types of sensitive content.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Amazon Inspector:&lt;/strong&gt;&lt;br&gt;
Amazon Inspector assesses the security and compliance of applications running on AWS. It performs automated security assessments by analyzing the configuration and behavior of resources, identifying vulnerabilities, and providing actionable recommendations for remediation. Inspector helps ensure that applications adhere to security best practices and industry standards.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Certificate Manager (ACM):&lt;/strong&gt;&lt;br&gt;
ACM simplifies the process of provisioning, managing, and deploying Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for applications running on AWS. It eliminates the need to purchase and configure certificates manually, ensuring secure communication between clients and applications. ACM integrates seamlessly with other AWS services and supports certificate renewal and automatic deployment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS KMS:&lt;/strong&gt;&lt;br&gt;
AWS Key Management Service (KMS) is a managed service that aids in the creation and control of encryption keys. It enables the encryption of data at rest and in transit, protecting sensitive information stored in various AWS services. KMS provides granular access control and integrates with other AWS services to enhance data security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AWS Firewall Manager:&lt;/strong&gt;&lt;br&gt;
Firewall Manager simplifies the management of AWS WAF rules across multiple accounts and applications. It provides centralized control and policy enforcement for firewall rules, enabling organizations to ensure consistent security measures across their infrastructure. Firewall Manager streamlines rule creation, enforcement, and monitoring, enhancing security and compliance.&lt;/p&gt;

&lt;p&gt;Conclusion:&lt;br&gt;
Amazon Web Services offers an extensive range of security services that cater to different aspects of cloud and infrastructure security, far more than are listed in this article. From identity and access management to threat detection, encryption, and compliance management, these services provide organizations and users with the tools and capabilities to build and maintain a secure cloud environment. By leveraging AWS's robust security services, businesses can ensure the protection of their data, applications, and resources, and meet their security and compliance requirements in the cloud.&lt;/p&gt;

&lt;p&gt;PS: I'll be writing a more detailed article about each of the services described here, and how to use them to achieve a more secure environment.&lt;/p&gt;

&lt;p&gt;Feel free to reach out on &lt;a href="https://linkedin.com/in/idrisadeniji"&gt;LinkedIn&lt;/a&gt;, &lt;a href="https://twitter.com/alvacoder"&gt;Twitter&lt;/a&gt; or &lt;a href="https://instagram.com/alvacoder"&gt;Instagram&lt;/a&gt;.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Container Security For NodeJS Applications</title>
      <dc:creator>Idris Adeniji</dc:creator>
      <pubDate>Tue, 31 Jan 2023 09:54:57 +0000</pubDate>
      <link>https://dev.to/alvacoder/container-security-for-nodejs-applications-1i7c</link>
      <guid>https://dev.to/alvacoder/container-security-for-nodejs-applications-1i7c</guid>
      <description>&lt;p&gt;Attention all developers and DevOps and DevSecOps professionals!&lt;/p&gt;

&lt;p&gt;Are you building Node-based apps and utilising containers?&lt;/p&gt;

&lt;p&gt;Want to ensure the security of your containers while keeping them lightweight and fast? Look no further than Node Alpine Container Images!&lt;/p&gt;

&lt;p&gt;These images, based on the Alpine Linux distribution, offer a smaller attack surface with fewer vulnerabilities compared to larger, more feature-rich images. Alpine Linux is known for its small size and security-focused approach, making it the perfect choice for containers.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;An image showing a Debian-based Node 14 image and its equivalent Alpine Node 14 image.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flgdkikxl35gfi9py29jm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flgdkikxl35gfi9py29jm.png" alt="Node 14 debian security scan result" width="800" height="519"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6pa5uyb4h474pkaxs0sb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6pa5uyb4h474pkaxs0sb.png" alt="Node 14 alpine security scan result" width="800" height="519"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In addition, Node Alpine Container Images include only the necessary libraries and dependencies, reducing the risk of known vulnerabilities and minimising the need for regular security updates. This makes it easier to manage your containers and reduces the risk of security breaches.&lt;/p&gt;

&lt;p&gt;So if you're looking for a secure, efficient, and lightweight solution for your container needs, switch to Node Alpine Container Images.&lt;/p&gt;

&lt;p&gt;PS: I'm not saying Alpine is 100% secure. In fact, some other security tool finds a few vulnerabilities in the same Alpine image shown in my post, but the number is drastically reduced when compared to other Node images. When making the switch, test your application again to ensure you don't have broken features due to the change in container images.&lt;/p&gt;


</description>
      <category>cryptocurrency</category>
      <category>crypto</category>
      <category>web3</category>
      <category>blockchain</category>
    </item>
    <item>
      <title>Prevent Your Heroku Project From Sleeping Due To Inactivity</title>
      <dc:creator>Idris Adeniji</dc:creator>
      <pubDate>Mon, 18 Jan 2021 10:20:40 +0000</pubDate>
      <link>https://dev.to/alvacoder/prevent-your-heroku-project-from-sleeping-due-to-inactivity-ijp</link>
      <guid>https://dev.to/alvacoder/prevent-your-heroku-project-from-sleeping-due-to-inactivity-ijp</guid>
      <description>&lt;p&gt;It's no news that Heroku puts your app to sleep after an hour of being idle (when there is no traffic/visit on your app). It takes around 5 to 10 seconds to spin your app back to life; this is known as a cold start and may not be ideal, especially if it's a hiring manager or recruiter checking out your portfolio/project.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--y7B6A2K7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/i/u5obiewbt0kga1iebbq3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--y7B6A2K7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/i/u5obiewbt0kga1iebbq3.png" alt="Alt Text" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here is a tool you can use to regularly ping your Heroku project to prevent it from going into sleep mode. It's called &lt;strong&gt;Kaffeine.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Currently, Heroku requires all free hosted applications to have a sleep time of 6 hours daily.&lt;/p&gt;

&lt;p&gt;With &lt;strong&gt;Kaffeine&lt;/strong&gt;, you can decide what time your app sleeps and keep it awake for the rest of the day.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://kaffeine.herokuapp.com"&gt;Click here&lt;/a&gt; to check out this free tool, Kaffeine.&lt;/p&gt;

</description>
      <category>heroku</category>
      <category>javascript</category>
      <category>webdev</category>
      <category>tutorial</category>
    </item>
  </channel>
</rss>
