First of all, love the new Lacework community. Thank you for building it and the invitation.
In my opinion, there is a security flaw in the current implementation of Portal SSO when it interacts with the community.
Currently, when the user logs in to the community page, the user is granted full access to the portal page https://portal.lacework.com/app/UserHome
The logout functionality appears to have a flaw as it allows users to easily log back in without entering any username or password credentials. This poses a security risk and needs to be addressed.
Moreover, an effective example of Single Sign-On implementation can be seen with Okta and Jira. In this case, users are unable to access Okta through the Jira login, ensuring a more secure authentication process.
Since the Lacework portal and/or community page is perpetually logged in, an attacker has the potential to manipulate any settings within the system (e.g. XSS or phishing). This poses a significant security risk as unauthorized individuals could exploit this vulnerability to make unauthorized changes or access sensitive information.
It is evident that there is a business logic vulnerability that needs to be resolved.
Agent: N/A
Platform: Using Lacework/Operationalizing
Cloud: N/A
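As an added illustration, not code from the original post or from Lacework, the following Python model shows why an application-only logout leaves the identity-provider session alive (so the user can get back in without credentials) and what a single logout that also ends the IdP session changes; the class names and the test user are constructed assumptions.

```python
# Added example (not from the original post): minimal IdP/SP model showing why
# an SP-only logout leaves the SSO session alive, and what single logout must do.
import secrets

class IdentityProvider:
    """Holds the SSO session; the SP trusts it for authentication."""
    def __init__(self, users):
        self.users = users      # constructed sample: username -> password
        self.sessions = {}      # idp_session_id -> username

    def authenticate(self, username, password):
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def assert_identity(self, idp_sid):
        # Returns the user for a live IdP session; no password is asked for.
        return self.sessions.get(idp_sid)

    def terminate(self, idp_sid):
        self.sessions.pop(idp_sid, None)

class ServiceProvider:
    """An application (e.g. a portal) that relies on the IdP for login."""
    def __init__(self, idp):
        self.idp = idp
        self.sessions = {}      # app_session_id -> username

    def login_via_sso(self, idp_sid):
        user = self.idp.assert_identity(idp_sid)
        if user is None:
            return None         # IdP session gone: credentials required again
        app_sid = secrets.token_hex(16)
        self.sessions[app_sid] = user
        return app_sid

    def logout(self, app_sid, idp_sid, single_logout):
        self.sessions.pop(app_sid, None)   # local logout clears only the app session
        if single_logout:
            self.idp.terminate(idp_sid)    # SLO also ends the shared SSO session

def logout_then_relogin(single_logout):
    """True if a new app session is obtained after logout without a password."""
    idp = IdentityProvider({"alice": "pw-constructed"})   # constructed test user
    app = ServiceProvider(idp)
    idp_sid = idp.authenticate("alice", "pw-constructed")
    app_sid = app.login_via_sso(idp_sid)
    app.logout(app_sid, idp_sid, single_logout)
    return app.login_via_sso(idp_sid) is not None
```

With `single_logout=False` the function returns True, which is the behaviour described in the post; with `single_logout=True` it returns False because the IdP session no longer vouches for the user.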