I Fixed My Malware Injection Issue With Content-Security-Protection
My personal site had a permissive content-security-policy. This allowed malicious adware injectors to grafitti it up. I fixed mine, fix yours today.
Securing a web (site/app/api)
Ever wondered how to check how secure a site is (yours, another?). In this presentation I show how to do a simple assessment of security.
Assess Web Security Simply. You. Yes You.
Asssessing web security, The basics are faster and easier than you think. A few simple free tools, a minute or so of our time. Let’s try some sites now.
The Philosophy Behind The Name
Agilicus. Its a compass on a shield, reminding us of the need to protect from the east-west traffic. But what about the name? The icus part invokes Spartacus (from which the Spartan shield of the Logo derived). But the Agil part? That… Read More »The Philosophy Behind The Name
Zero-Trust Principles
The principles of zero trust make for improved security. Each component must prove itself to its neighbours. No trust is based on affinity or path. Explore.
Secure Exposed Access: Zero-Trust Legacy Online With High Security and No Work
Somewhere in your basement lurks a challenge. A web application that people need, but you don’t trust. Maybe its your timesheet or vacation planner. Maybe its your HR policies portal. But you know if it meets the Internet that you’ll be in… Read More »Secure Exposed Access: Zero-Trust Legacy Online With High Security and No Work
Free Your Applications: Ditch the IIS, Move Your .NET Apps To the Cloud. Safely. Securely. Simply
Your basement is full of servers running Microsoft IIS with .NET applications, chatting with local databases. You’ve read casually online about Cloud Native, Kubernetes, Containers, Docker. But this doesn’t apply to you, right? I mean, maybe in the future for new things,… Read More »Free Your Applications: Ditch the IIS, Move Your .NET Apps To the Cloud. Safely. Securely. Simply
Strong Identity and Authentication: Avoid Named User License Costs With Federation
Implement a srong, simple, secure authentication system, including support for 2-factor authentication, without triggering named-user license costs.
Tame the legacy beast with API’s
Large legacy systems hold our data hostage. Tame their grip with REST-ful API’s and microservices. Fear no more on upgrades or even replacements.
Two-Factor Herd Immunity: Mozilla 2-factor authentication
Mozilla makes multi-factor authentication mandatory for authors. Herd Immunity suggests if we get a few more, we are all protected.
Remove information exposure: nginx banner
Information exposure. Many servers send a helpful banner out with the specific name and version of the software. This can in turn attract low-level attacks that use tools like Shodan.io to find vulnerable hosts. CWE-200 suggests we need to remove the information… Read More »Remove information exposure: nginx banner
Auth and API: OpenID Connect for user + service, and enforcement along route
Idenity: Authentication a user in a simple, secure way, with two-factor authentication, and allowing the user to interact with API are the key to success.
Remove SMS from your 2-factor authentication
SMS (text) has no place in your 2-factor authentication world. Remove it now and rely on a physical device (e.g. YubiKey) or TOTP (e.g. Authenticator app).
Creating the reliable cloud with unreliable components
Secure. Reliable. Economical. All three. We have embraced failures to create a reliable municipal hybrid cloud with unreliable components, economically.
Email Strict Transport Security with MTA-STS
Email security. A complex patchwork. Enable MTA-STS to get strict transport security on your STARTTLS.
What does your internal enterprise application login look like?
Whether your app is municipal, industrial, financial, or just vacation-booking-HR, it needs a strong, 2-factor auth system. Else you teach bad habits.
Hear Agilicus Talk Secure Municipal Cloud At MISA INFOSEC 2019
Take internal applications usable only by City staff with Active Directory, and make them Internet, Web, OpenID Connect, Secure, Simple, Fast. Easy!
Team Agilicus gets new office, Okterbest-adjacent
Team Agilicus moves to new permanent offices, assembles some desks, attends Oktoberfest. Progress!
Kustomizing Kustomize: Releasing Our Tools
Declarative. It becomes a way of life. We have chosen kustomize to safely build our inventory of YAML, including Istio and Cert-Manager. But, it has proven incredibly non-DRY. After some refactoring etc, I made a few Generators and Transformers to cover some… Read More »Kustomizing Kustomize: Releasing Our Tools
Declarative GitFlow: restrict kustomize to master branch
Prevent accidents from happening on un-merged feature branches with GitFlow and kustomize.
Defense in Depth: Securing your new Kubernetes cluster from the challenges that lurk within
Cloud Native Day Presentation.
The dangers that lurk inside your Kubernetes Cluster, what to watch out for.
Cloud Security Blasphemy: Secrets in git
Ever wondered why so many breaches happen due to secrets being checked in to source control?
Want to make it easy to commit them to git, and be secure at the same time?
Read On!
Keep your certificates young and fresh
TLS certificates, unlike wine, do not get better with age. Refresh them before they hit the end of their lifecycle.
We are all-in on the TLS: the HSTS preload
TLS, HTTPS. These are an important step in defence in depth. Get your entire domain on the https-only list at hstspreload.org, thank me later.
Git ransomware: beware the misdirection
Github ransomware. It might be a misdirection to hide more surreptitious changes to the codebase for you to import into your cloud.
Covert Exfiltration, Cloud Native
Your virtual-private-cloud private IP setup still has access to key API’s such as storage and messaging. Have you considered exfiltration through these?
Moving into a new (cloud) neighbourhood? Check its reputation!
Your shiny new cloud instances might be tarnished by the reputation of the last tenant.
Use Shodan to check, and Greynoise to see if its above the norm.
And above all, don’t panic!
Docker Hub Hack: Secure Your Supply Chain
Docker hub loses account info, deploy tokens for github + bitbucket. Supply chain security chaos should ensue. Or are we now too blase? Its not me, right?
That’s the kind of password an idiot uses on luggage: cloud security
Passwords. bits of plain text that end up everywhere in automated systems. etcd. A `secure` way to share secrets. The Internet. A place that everything is guaranteed to end up. This is a toxic brew, read on!
The naked cloud: elasticsearch is stretch but doesn’t cover security
Wide open elasticsearch on the Internet. Its common. The user usually believes since they use private IP (NAT) they are protected. Wrong.