Software Supply Chain Redux: npmjs shells your hosts
The software supply chain might be the biggest cyber threat out there. Easily accessible open-source, developers under pressure to deliver, complex dependencies. Trouble ensues in npm ecosystem.
Defense-In-Depth
Defense In Depth
Simplify Security: Split Identity and Authorisation with Zero Trust
Zero Trust. The key principle is, we split identity and authorisation apart. We move from a perimeter-based trust (e.g. VPN + firewall) to a user + asset-based model.
Web Application Security 101: Get the basics right
Do what I say. The central tennet of security. In web application security, this translates to a set of headers. Learn how to use Content Security Policy, XSS, CORS, etc.
Don’t let the browser pass you by: keep your server up to date
Browsers update faster than servers, being consumer technology. TLS 1.0 and 1.1 are dead, update your servers.
Zero Trust: Connecting The Digitally Disconnected
Digitally Disconnected. The 2nd class citizens of the 21st Century. Unable to access data due to identity or VPN. NO MORE! Zero Trust.
Email Strict Transport Security: Our First Report
Email Strict-Transport-Security. Complex to setup, but provides encryption on the transportation of your email like HTTP Strict Transport.
Zero Trust Architecture: Published by NIST
Zero-Trust. Make your team more efficient, increase your security, reduce your cost? What’s not to love. The line for the bandwagon starts over there.
Cross-Origin-Request-Sharing and You
CORS. The method by which we secure web applications that are de-monolithed to directly use API’s
CORS’ing the complexity: idempotent and caching meets Vary: Origin for CORS
Cross-Origin-Request-Sharing (CORS) is challenging to implement. Learn how to make it work with multiple applications in the same browser.
The False Choice of Risk Versus Reach
Risk versus Reach. A false choice. We should not materially compromise security to reach more users.
Secure the Cookie!
The humble cookie. So controversial. So complex to secure. If your web app must have them, you must secure them.
The browser was the accomplice
You and your browser run inside a nice safe firewall. A firewall which doesn’t do what you think. Explore how the browser is the accomplice to the crime.
Zero Trust and the NTT Hack
NTT Comm discloses a breach. Firewalls lead to false assurances, allowing wide open internal access.
Fixing the case of the Implicit Flow modification
Meet Hank. Hank is a web application with a dark secret. It trusts you the user to not change things in the browser. Bad Hank. Learn how to fix it!
Why should I use Content-Security-Policy?
The Content-Security-Policy headers exists to protect the users of your web site from the content they themselves might create.
The Web Application Firewall and You: Who Should Use, and When.
Should I use a Web Application Firewall? What is it ? What benefit will it give me? When would I use it? Read on to learn!
Agilicus Story: Cloud Native Computing Foundation Stories
Agilicus presents its architecture, philosophy, strategy at CNCF Eastern Canada Stories Meetup
DEFENSE IN DEPTH: CLOUD NATIVE DAY 2019 TALK
We often think in Boolean terms: Outside Bad, Inside Good
Instead, assume each layer will be breached
How phishing negates your firewall
Your corporate firewall. That invulnerable bastion that lets you fearlessly run less-than-secure internal tools like a CRM, a Finance portal. But, is it really invulnerable? Or is it a paper wall at best? We look at how Cross-Site-Scripting vulnerabilities, known session ID cookies or access tokens can allow content from the world to pierce it as if it were not there. We do this using the weakest link: you.
Angular Content-Security-Policy with a Nonce: Google Tag Manager
Content-Security-Policy protects our application, but challenging with external scripts like Google Tag Manager. We show in Angular Single Page Application.
Using Istio & OpenID Connect / OAUTH2 To Authorise
We have a large number of management only services (kibana, grafana, prometheus, alertmanager, etc.). I want to make it very easy for developers to light up new ones, but also very secure. More specifically, I want to make it easier to be… Read More »Using Istio & OpenID Connect / OAUTH2 To Authorise
Don’t trust the firewall: why defense in depth is important
A firewall is not an absolute defense. Weak things inside it can be attacked through JavaScript or other vectors. Defense in Depth is important.
Mutual Identity: Phone Scams And Workload Security
Establishing mutual identity trust is complex. I must know who you are, you must know who I am. People fall for phone scams with caller ID. Let’s fix for online.
Assess Web Security Simply. You. Yes You.
Asssessing web security, The basics are faster and easier than you think. A few simple free tools, a minute or so of our time. Let’s try some sites now.
Zero-Trust Principles
The principles of zero trust make for improved security. Each component must prove itself to its neighbours. No trust is based on affinity or path. Explore.
Secure Exposed Access: Zero-Trust Legacy Online With High Security and No Work
Somewhere in your basement lurks a challenge. A web application that people need, but you don’t trust. Maybe its your timesheet or vacation planner. Maybe its your HR policies portal. But you know if it meets the Internet that you’ll be in… Read More »Secure Exposed Access: Zero-Trust Legacy Online With High Security and No Work
Remove information exposure: nginx banner
Information exposure. Many servers send a helpful banner out with the specific name and version of the software. This can in turn attract low-level attacks that use tools like Shodan.io to find vulnerable hosts. CWE-200 suggests we need to remove the information… Read More »Remove information exposure: nginx banner
Email Strict Transport Security with MTA-STS
Email security. A complex patchwork. Enable MTA-STS to get strict transport security on your STARTTLS.
Defense in Depth: Securing your new Kubernetes cluster from the challenges that lurk within
In the greater Montreal area? Come see me speak tomorrow at Cloud Native Day. The abstraction layers of ‘container’ and ‘helm’ etc often make people not think about the security issues. I run ‘helm install X’ or ‘docker build’. That in turn… Read More »Defense in Depth: Securing your new Kubernetes cluster from the challenges that lurk within
The supply chain security risk in action: ESLint
Software is eating the world. The software supply chain is very complex to understand and manage. One slip up upstream, and that code is in your image very rapidly. Continuous!