DEV Community

jl03

Why Your CISO Should Be Fired

Your org still treats security like a nightclub with a bored bouncer. Check the ID, wave them through, hope for the best. Meanwhile, attackers stroll in with backpacks full of malware and long-lived tokens. You call it “zero trust.” I call it negligence.


EnvSecOps

“They’re checking IDs while attackers carry bags full of malware.”

Identity without environment proof is cosplay. If your controls verify who’s asking but not what they’re actually running, you’ve already lost. The pattern repeats across recent breaches: session cookies and OAuth tokens get lifted, SSO looks “fine,” and the attacker impersonates you all the way to prod. CircleCI’s January 2023 incident report spelled it out: malware on an engineer’s laptop stole a valid, 2FA-backed SSO session cookie, and the actor used it to impersonate the employee and escalate into a subset of production systems. That wasn’t a missing TLS flag; it was a credential that nothing bound to a measured environment, so a stolen copy was as good as the original.


“They trust :latest tags in production.”

If your deploys float on :latest, you aren’t running software, you’re running a slot machine. Even the NSA/CISA Kubernetes Hardening Guide warns to tag images properly to avoid surprise rollouts, and Docker’s own Dockerfile guidance tells you to pin base image versions. Floating tags kill provenance, reproducibility, and rollback: a registry can re-point any tag at any time, so only a digest reference (image@sha256:…) names exactly what ran. Which is awkward when you claim to care about SBOMs and attestations.
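As an added example (not code from the original post, and not from any tool it cites), here is a small Python check that classifies the image references in a constructed Kubernetes-style manifest as digest-pinned, tag-only (a tag the registry can move) or floating (`:latest` or no tag at all). The manifest, the registry hostnames and the placeholder digest are made up, and the function names are this example’s own.

```python
"""Flag container image references that float instead of being pinned.

Added example, not code from the original post. It scans a constructed
Kubernetes-style manifest for `image:` lines and classifies each reference;
registry names and digests are made up for the demo.
"""
import re

# `image: <ref>` lines, quoted or not, anywhere in a YAML manifest.
IMAGE_LINE = re.compile(r'^\s*-?\s*image:\s*["\']?([^"\'\s]+)["\']?\s*$', re.MULTILINE)

# <ref> = [host[:port]/]path[:tag][@sha256:<64 hex>]
REF = re.compile(
    r"^(?P<name>[^:@/\s]+(?::\d+)?(?:/[^:@\s]+)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

DIGEST = "sha256:" + "ab" * 32   # constructed placeholder digest

SAMPLE_MANIFEST = f"""
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: migrate
          image: ghcr.io/example/api@{DIGEST}
      containers:
        - name: web
          image: nginx
        - name: api
          image: ghcr.io/example/api:latest
        - name: worker
          image: registry.example.com:5000/team/worker:2.4.1
        - name: proxy
          image: "ghcr.io/example/proxy:1.9@{DIGEST}"
"""


def classify(ref: str) -> str:
    """pinned: content-addressed; tag-only: mutable at the registry;
    floating: resolves to whatever the registry serves right now."""
    m = REF.match(ref)
    if not m:
        return "unparseable"
    if m.group("digest"):
        return "pinned"
    tag = m.group("tag")
    if tag is None or tag == "latest":
        return "floating"
    return "tag-only"


def audit_manifest(text: str) -> dict[str, str]:
    """Map every image reference in the manifest to its classification."""
    return {ref: classify(ref) for ref in IMAGE_LINE.findall(text)}


def blocking_refs(text: str) -> list[str]:
    """What an admission gate should reject: anything not pinned by digest."""
    return sorted(ref for ref, kind in audit_manifest(text).items() if kind != "pinned")


if __name__ == "__main__":
    for ref, kind in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{kind:<11} {ref}")
    print("would block:", blocking_refs(SAMPLE_MANIFEST))
```

Run something like this in CI before `kubectl apply` and fail the job when `blocking_refs` is non-empty. Tag-only references are flagged on purpose: a tag is a pointer the registry can move, not an identity, so it cannot anchor an SBOM or an attestation.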


“They issue 30-day tokens and call it zero trust.”

Zero trust is continuous verification with short-lived authorization, not “bearer tokens that live longer than new hires’ laptops.” Read NIST SP 800-207 and then tell me with a straight face that your 30-day PATs align with it. (They don’t.) The industry is moving to tighter lifetimes and scoped tokens for a reason.


Receipts: recent, public faceplants (practices, not people)

  • Session theft → production access.
    CircleCI: malware on an engineer’s laptop stole session cookies, enabling impersonation and access to prod. If your controls don’t bind credentials to environment state, this keeps happening.

  • Contractor creds + no MFA → mass data theft.
    Snowflake customer instances (2024): Mandiant attributed the campaign to UNC5537, which used credentials harvested by infostealer malware, some of it running on contractor machines, against accounts that had no MFA; Mandiant put the number of potentially exposed organizations at roughly 165. Stop pretending bearer creds are “zero trust.”

  • Support artifacts leaking session tokens.
    Okta’s 2023 support case breach involved HAR files containing session tokens, cascading into downstream customers. If your revocation story is “rotate later,” you’re part of the problem.

  • Forged tokens + signing key drama.
    Microsoft’s Storm-0558 incident: actor used forged auth tokens after acquiring a consumer MSA signing key, impacting enterprise mailboxes. Trust = cryptography + key hygiene + short lifetimes. All of it.

  • A phone call beats your SOC.
    MGM/Caesars 2023: social engineering detonated operations and revenue. If your “identity proof” crumples over the phone, bind access to evidence the caller can’t fake.

(Want more? Docker/CIS guidance has told you for years to stop floating tags; vendors are shortening token lifetimes because long-lived secrets keep burning everyone.)


The fix (no fairy dust, just grown-up engineering)

Check IDs and the bag. Gate every capability behind attestation-gated, short-lived credentials that die fast and travel with offline-verifiable proof:

  1. Attest → Mint → Use → Freeze.
    No attestation, no token. Change the runtime? Re-attest. Misbehave? Freeze, with a measured p95/p99 propagation target, and have verifiers enforce the freeze locally from a pushed freeze epoch rather than phoning home on every request. (Yes, this is the “TLS for agents” pattern done right.)

  2. Bind credentials to reality.
    Tokens carry: environment digest, policy version, dataset/tool allowlist, lineage hash, and a freeze epoch. Without a matching proof bundle, they’re just decorative JSON.

  3. Kill :latest.
    Pin images by digest; if you must use tags, make them immutable. An SBOM or attestation is useless if the thing you ran isn’t the thing you attested.

  4. Short-lived or it didn’t happen.
    Zero trust means short sessions and re-auth. Vendors are finally forcing shorter lifetimes (npm, GitHub). Take the hint.
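The four steps above, as an added Python example that is not code from the original post: an issuer that mints only for a measured environment on its known-good list, a gateway that verifies offline against the digest the caller is actually running, and a freeze epoch that invalidates every earlier token at once. The claim names, the HMAC token format, `measure_environment` as a stand-in for a TPM/TEE quote, and all keys, digests, subjects and the fixed clock are assumptions of the example; a real deployment would sign with an asymmetric key so gateways hold only the public key.

```python
"""Attest -> Mint -> Use -> Freeze with environment-bound, short-lived tokens.

Added example, not code from the original post. Token layout, claim names
and the HMAC construction are this example's own; a production issuer would
sign asymmetrically so gateways hold only a public key. Keys, digests,
subjects and the clock value are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json

TOKEN_TTL_SECONDS = 300                        # minutes, not a 30-day PAT
ISSUER_KEY = b"demo-issuer-key-do-not-reuse"   # constructed; shared with gateways


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def measure_environment(image_digest: str, policy_version: str) -> str:
    # Stand-in for a TPM/TEE quote: a digest over what is actually running.
    return hashlib.sha256(f"{image_digest}|{policy_version}".encode()).hexdigest()


class Issuer:
    # Mints tokens only for measurements on its known-good list.
    def __init__(self, key: bytes, known_good: set[str]):
        self.key, self.known_good, self.freeze_epoch = key, known_good, 0

    def mint(self, subject, attestation, tools, lineage, now):
        if attestation["env_digest"] not in self.known_good:
            return None                        # no attestation, no token
        claims = {"sub": subject, "env_digest": attestation["env_digest"],
                  "policy_version": attestation["policy_version"],
                  "tools": sorted(tools), "lineage": lineage,
                  "freeze_epoch": self.freeze_epoch,
                  "iat": now, "exp": now + TOKEN_TTL_SECONDS}
        body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(tag)}"

    def freeze(self) -> int:
        self.freeze_epoch += 1                 # every token minted before this is dead
        return self.freeze_epoch


class Gateway:
    # Verifies offline: needs only the key and the last freeze epoch pushed to it.
    def __init__(self, key: bytes):
        self.key, self.freeze_epoch = key, 0

    def apply_freeze(self, epoch: int):
        self.freeze_epoch = max(self.freeze_epoch, epoch)

    def authorize(self, token, runtime_digest, tool, now):
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return False, "bad signature"      # nothing below is trusted until this passes
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return False, "expired"
        if claims["freeze_epoch"] < self.freeze_epoch:
            return False, "frozen"
        if claims["env_digest"] != runtime_digest:
            return False, "environment mismatch"   # the ID checks out, the bag does not
        if tool not in claims["tools"]:
            return False, "tool not allowlisted"
        return True, "ok"


def run_scenario() -> dict:
    """Walks the lifecycle on a fixed clock; returns the gateway's verdict per step."""
    now = 1_700_000_000
    good_env = measure_environment("sha256:" + "ab" * 32, "policy-v7")
    drifted_env = measure_environment("sha256:" + "cd" * 32, "policy-v7")
    issuer, gateway, out = Issuer(ISSUER_KEY, {good_env}), Gateway(ISSUER_KEY), {}
    # 1. Attest: a runtime whose measurement is unknown gets nothing.
    drifted = {"env_digest": drifted_env, "policy_version": "policy-v7"}
    out["mint_drifted"] = issuer.mint("svc-deployer", drifted, {"deploy"}, "build-1234", now)
    # 2. Mint for the known-good measurement.
    good = {"env_digest": good_env, "policy_version": "policy-v7"}
    token = issuer.mint("svc-deployer", good, {"deploy", "read-secrets"}, "build-1234", now)
    # 3. Use: the gateway checks the token against what the caller is running right now.
    out["use_ok"] = gateway.authorize(token, good_env, "deploy", now + 10)[1]
    out["use_wrong_env"] = gateway.authorize(token, drifted_env, "deploy", now + 10)[1]
    out["use_wrong_tool"] = gateway.authorize(token, good_env, "delete-prod", now + 10)[1]
    out["use_expired"] = gateway.authorize(token, good_env, "deploy", now + TOKEN_TTL_SECONDS)[1]
    out["use_tampered"] = gateway.authorize("x" + token, good_env, "deploy", now + 10)[1]
    # 4. Freeze: bump the epoch and push it; no revocation list, no phone-home per request.
    gateway.apply_freeze(issuer.freeze())
    out["use_after_freeze"] = gateway.authorize(token, good_env, "deploy", now + 20)[1]
    fresh = issuer.mint("svc-deployer", good, {"deploy"}, "build-1234", now + 30)   # re-attest, re-mint
    out["use_reminted"] = gateway.authorize(fresh, good_env, "deploy", now + 40)[1]
    return out


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:>17}: {verdict}")
```

Note the order of checks in `authorize`: signature first, so nothing in an unauthenticated body is ever trusted; then lifetime and freeze epoch, which need only local state; then the environment digest and tool allowlist, which are what bind the ID to the bag. A freeze is one integer pushed to every gateway, which is how you hit a propagation target without a per-token revocation list.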


How to tell your CISO keeps the lights on (and their job)

  • No bearer tokens older than coffee.
  • Every prod call requires a scoped, short-lived, environment-bound token.
  • Gateways verify offline proofs of custody/attestation, not vendor vibes.
  • Freezes hit the estate within a measured window, and your logs prove it.
  • No :latest—ever. Reproducible, attestable, roll-backable deployments only.

If you insist on a shopping list

  • Zero-Trust refs: NIST SP 800-207 (read it, implement it).
  • Image discipline: Pin base images; follow Docker/CIS guidance.
  • Token discipline: Enforce short TTLs; scope by default; continuous verification. (Note how major ecosystems are locking this down.)

Bottom line: if your security program still waves people through on an ID check while ignoring the bag (long-lived tokens, floating tags, unverified runtimes), you’re not practicing zero trust. You’re practicing survivorship bias.

Fix the gate. Or enjoy writing your next breach notification.
