Defence In Depth: What We Practice

Browsers update faster than servers, being consumer technology. TLS 1.0 and 1.1 are dead, update your servers.

Email Strict-Transport-Security. Complex to setup, but provides encryption on the transportation of your email like HTTP Strict Transport.

Zero-Trust. Make your team more efficient, increase your security, reduce your cost? What’s not to love. The line for the bandwagon starts over there.

CORS. The method by which we secure web applications that are de-monolithed to directly use API’s

Cross-Origin-Request-Sharing (CORS) is challenging to implement. Learn how to make it work with multiple applications in the same browser.

You and your browser run inside a nice safe firewall. A firewall which doesn’t do what you think. Explore how the browser is the accomplice to the crime.

NTT Comm discloses a breach. Firewalls lead to false assurances, allowing wide open internal access.

We often think in Boolean terms: Outside Bad, Inside Good Instead, assume each layer will be breached

Make it simple and safe to be secure for your developers. Allow any internal devops site to have single-sign-on and authorisation.

Encryption. Its good, if its working,. You should test your encryption, on the desktop, on the server, once in a while. Curveball recently came out, test it!.

A firewall is not an absolute defense. Weak things inside it can be attacked through JavaScript or other vectors. Defense in Depth is important.

Establishing mutual identity trust is complex. I must know who you are, you must know who I am. People fall for phone scams with caller ID. Let’s fix for online.

Asssessing web security, The basics are faster and easier than you think. A few simple free tools, a minute or so of our time. Let’s try some sites now.

Information exposure. Many servers send a helpful banner out with the specific name and version of the software. This can in turn attract low-level attacks that use tools like Shodan.io to find vulnerable hosts. CWE-200 suggests we need to remove the information exposure. Let’s discuss. Some hold that hiding these banners increases security. For example, CWE-200 has this position. Others (myself included) are of the opinion that security through obscurity gives a false sense. Regardless of your opinion, you will…

Email security. A complex patchwork. Enable MTA-STS to get strict transport security on your STARTTLS.

Github ransomware. It might be a misdirection to hide more surreptitious changes to the codebase for you to import into your cloud.

Your virtual-private-cloud private IP setup still has access to key API’s such as storage and messaging. Have you considered exfiltration through these?

Your shiny new cloud instances might be tarnished by the reputation of the last tenant. Use Shodan to check, and Greynoise to see if its above the norm. And above all, don’t panic!

Docker hub loses account info, deploy tokens for github + bitbucket. Supply chain security chaos should ensue. Or are we now too blase? Its not me, right?

Software is eating the world. The software supply chain is very complex to understand and manage. One slip up upstream, and that code is in your image very rapidly. Continuous!