I am puzzling over a security aspect of Camunda 8 which has to do with the (accidental) overriding of process variables. This is in the context of threat modelling from a persona that has evil intentions and works as an employee in the organization.
Suppose I can retrieve a credential from a client API that has access to Zeebe and suppose I know a service task type name. The latter should not be so hard for an insider attack, since it is probably documented on Confluence or something similar. Or I can make some attempts based on the naming strategy of the company.
When I connect to the cluster I will be invoked as well (just like the original job worker with that type name). At that moment I will also know all process variables, so I know what information I can steal and also which ones I can overwrite, which will be even worse.
The effect can be rather dramatic; specifically, right now we cannot even tell because we have no audit logging in the platform yet. But even if we did, it would provide insight in hindsight.
First I thought I needed a feature to configure which job worker is allowed to update which process variable by whitelisting. But that will not help, since both share the same type name.
A mitigating rule I can think of is to rotate all API clients very often (say every 10 seconds), but I wonder if that is a common approach.
What is the usual way to mitigate this type of risk?