The strong password, the breach, and the multi-factor save
A strong password breached. Multi-factor authentication saved the day. So many passwords to check. Why can each site not use OpenID Connect single identity?
A strong password breached. Multi-factor authentication saved the day. So many passwords to check. Why can each site not use OpenID Connect single identity?
Empowered people make pragmatic decisions to improve productivity. This can create Shadow IT, and, Identity sprawl. Fix via Identity Aware WAF
Summary: deploy OpenWRT on a Mikrotik to achieve SpaceX Starlink + bonded DSL backup, with Zero-Trust Network Access inbound from any user, any network, any device.
Core Web Vitals Wordpress performance is important for user experience, for search optimisation. Learn how to improve wordpress and recaptcha CWV.
Speedup wordpress by dequeing unused scripts and css. The Events Calendar is used as an example. Faster load, less parse, better core web vitals.
An email security threat scanner, looking for phishiing links, itself becomes the attack vector, from within. Unsubscribed from pardot the beginning.
Embracing Zero Trust: Assume that a breach has (or will occur), use defense in depth, fine grained authorisation and audit, everywhere, always.
Latency, specifically DNS Latency, is a big factor in web page load time. Don’t over-focus on bandwidth, examine prefetch and latency to improve.
Web site performance. Search engines favour sped. Milliseconds matter. Performance is as important as the content, as important as the appearance.
Your web site uses new technology. Shake it down by using your Sitemap for Latency and load testing with locust and istio.
Time and Encryption. Certificates have a not-before and not-after. If your time is wrong, you can be tricked. Learn how the certificate transparency helps you.
A water treatment plant was breached, looking to poison people. How did the hacker get in, and how would zero-trust secure scada?
Content-Security-Policy protects our application, but challenging with external scripts like Google Tag Manager. We show in Angular Single Page Application.
Doppelganger domains are used to spear-phish you. They look similar to ones you use normally. See this new warning in Chrome.
OAuth 2.0 is deceptively simple: create client id, client secret, set a few environment variables, and watch the black magic take effect. Learn about the best current security practices.
Secure automatic software delivery without the risk of tampering. The Update Framework in action.
Cloud Native: embracing failures. Assume Strength in Numbers. Don’t spend large time on a single infinitely reliable thing, assume each component will fail.
CNAME. Invented in 1987, used in today’s SaaS. See how your domain can be shared with your partners.
Certificate Transparency Logs in SSL can be a useful diagnostic tool as well as a security forensic.
Document how you receive and treat security vulnerability reports with the security.txt standard
The OAuth 2.0 protected resource. It takes the access token and uses it to grant access. Watch out for it becoming compromised.
OAuth 2.0 refresh tokens are used to obtain new access tokens on the user’s behalf. If lost, they can allow an attacker to masquerade.
The OAuth 2.0 Token Endpoint. Its were authorisation becomes real. Secure it to prevent guessing
Your password policy is wrong. So says this NIST standard. By trying to be too strong, you end up being weak. The users write it down!
OAuth 2.0 Authorisation Endpoints are the front-door skeleton-key creator of all your front-doors. So protect them carefully.
OAuth 2.0 and the client. Use Defense In Depth. Secure the client, and then assume it can still be compromised. Zero Trust.
Fail to ban. Simple. Strong. Make the attackers wait, increase their cost while decreasing your cost of defending. Defense in Depth.
OAuth 2.0 has simplified authentication and authorisation for many applications, shifting from custom code to simple library import. However, as more applications come to rely on it, this makes its weaknesses more interesting. An attacker can gain access to a broader set of data via a smaller set of tactics and techniques. First lets understand the threat areas, and then, the best current practices for addressing them.
Merger Acquisition Zero Trust. Two competitive or orthogonal companies become one. Achieve quick and secure with Federated Identity, Zero Trust.
Joint Ventures: Good Business strategy, complex access strategy. Does one VPN to the other? Dual accounts? Zero Trust Federated Identity FTW!