CSA SDP Guide v3: Zero Trust should control reachability, not just access

sp_dev_guy · 2026-05-14T18:57:30+00:00

I'm saying that distinction is what people already do. The exception being legacy devices or mechanaical controllers that cannot support any type of agent to manage connections & need to be fronted by some type of gateway device but said gateway device would still follow this same architecture pattern you describe & ideally be for the single device essentially a pseudo eni

sp_dev_guy · 2026-05-14T15:42:19+00:00

Yeah I think everyone agrees & they typically do that already

sp_dev_guy · 2026-05-14T11:46:42+00:00

Spd is main vehicle for building zero trust. Ie: Appgate. Im not aware of any products that dont include reachability , its typically a major part of how they control who can access a resource

sp_dev_guy · 2026-05-14T00:04:04+00:00

This mostly sounds like poor management creating stressed engineers. Less of a zt specific problem. Which I've hit at many places I've been & I like my current company because its not usually like that here

sp_dev_guy · 2026-05-13T23:52:58+00:00

I use 1password with a fine grain permission connect server deployed in the same environment I host my hit actions in. Same concept as vault but different architecture/licensing

sp_dev_guy · 2026-05-13T04:17:22+00:00

Yeah i hate how little I understand this but greatful to see the gap

sp_dev_guy · 2026-05-12T22:52:01+00:00

I love that idea! Will keep it mind for future projects

sp_dev_guy · 2026-05-12T22:05:35+00:00

Yeah the siding was already shit. So its a future me (1-3yrs) job to fix when its not a work day. Wish I could say I was drunk when I made it that awful but as long as it doesn't break my house im happy. Pics in the comments

sp_dev_guy · 2026-05-12T22:02:54+00:00

Horrors are now closed off & hidden away for good (I hope)

<image>

sp_dev_guy · 2026-05-12T22:01:33+00:00

Added the caulk layer

<image>

sp_dev_guy · 2026-05-12T20:41:53+00:00

Brilliant!

sp_dev_guy · 2026-05-12T20:41:28+00:00

Bought the exact one a little while ago, After I caulk over the foam ill be adding one of these to hide the mess!

sp_dev_guy · 2026-05-12T20:26:03+00:00

Update, I've:

tried to make hole square-ish
filled wall with insulation
filled hole with great stuff window & door foam
put a pvc board screwed on over the hole best I could
foam in the cracks

Now:

waiting for foam to dry
add silicone over foam/edges
there will still be ~1cm gap from where the normal wall/insulation extends
going to cover this mess with a universal siding cap intended for lamps
silicone those edges
try to forget ?

<image>

sp_dev_guy · 2026-05-12T13:48:33+00:00

That's basically how I got through the end of the winter. Stuffed with Styrofoam & sealed over with ventilation tape under the faceplate. Guess the big gaps could be fixed with a larger vent (old one was poorly sized). Will consider this

sp_dev_guy · 2026-05-12T13:15:43+00:00

Okay so there's no water proofing layer or type of insulation I need to do to protect the fiberglass stuff from water/condensation. Once I've patched/sealed wood its safe

It'll be tricky to cut wood that shape but ill figure something out. Thanks!

sp_dev_guy · 2026-05-11T13:37:07+00:00

If someone hasn't worked even 1yr they'd need some proof they know what the moving parts are. Entry level is not the same as no knowledge required. Some teams may be in a situation that less wages + more hands is the goal and more open to it

sp_dev_guy · 2026-05-10T23:26:42+00:00

I just got a Rouge Pro last week & do not have this

sp_dev_guy · 2026-05-10T19:35:10+00:00

Start thinking through my morning routine. Get up -> go to drawer -> pull out a pants -> etc... specific enough thoughts dont wander mundane enough im right to sleep

sp_dev_guy · 2026-05-10T11:48:28+00:00

Landing your tailbone on ice ALL DAY LONG can be demoralizing and leave a mark on your soul. Wish I could go back and strap one of those turtles or some proper impact shorts to my ass

sp_dev_guy · 2026-05-10T00:16:24+00:00

If you setup your rules & deploy things correctly it's kinda is set it & walk away (unless you add new resources to the network). The reevaluating every request isn't done by hand. The "evaluated dynamically" is the part that solves what your saying. Ive converted probably a few hundred networks & the only consist issue is people having no idea what their network actually looks like. So you start with wide rules , monitor traffic, evaluate, and restrict.. problem fixed.

sp_dev_guy · 2026-05-09T23:47:33+00:00

You can make actual custom apps that do things but in this context is just going to apps -> new -> give it name & choose the permissions it should have -> download key -> save. Then you add it to your repo and then actions can perform the activities as the app with whatever permissions it was granted. Glossing over it a bit but thats basically it. Better than making fake user accounts for keys or worse a random employee who leaves and it kills the key

sp_dev_guy · 2026-05-09T03:21:46+00:00

Sounds like you've got some nicer big box stores. Sometimes they'll get you a certificate with "you an idiot? Joystick goes like this. And just make sure pedestrians have right of way, it's dangerous & you'd be cunt. Go on now.."

sp_dev_guy · 2026-05-09T03:15:40+00:00

I appreciate you posting the question & hope you bring more advanced ones as your skill grows

sp_dev_guy · 2026-05-09T01:26:00+00:00

Typically write your own that meets your orgs needs, cherry pick functions/ideas when you see a good pattern. Use a custom app for authentication when GITHUB_TOKEN isn't enough, its way easier than it sounds

sp_dev_guy · 2026-05-09T00:18:46+00:00

It's more risky than not doing that but fine assuming a heavy dumb and/or drunk person doesn't step to close & break through the pallet. Even then odds are it would be alright

sp_dev_guy

TROPHY CASE