The software supply chain might be the biggest cyber threat out there. Easily accessible open source, developers under pressure to deliver, complex dependencies. Trouble ensues in the npm ecosystem.
Defense In Depth
Zero Trust. The key principle is, we split identity and authorisation apart. We move from a perimeter-based trust (e.g. VPN + firewall) to a user + asset-based model.
Do what I say. The central tenet of security. In web application security, this translates to a set of headers. Learn how to use Content Security Policy, XSS protections, CORS, etc.
Cross-Origin Resource Sharing (CORS) is challenging to implement. Learn how to make it work with multiple applications in the same browser.
Your corporate firewall. That invulnerable bastion that lets you fearlessly run less-than-secure internal tools like a CRM or a finance portal. But is it really invulnerable? Or is it a paper wall at best? We look at how Cross-Site Scripting vulnerabilities, known session ID cookies or access tokens can allow content from the outside world to pierce it as if it were not there. We do this using the weakest link: you.
Content-Security-Policy protects our application, but it is challenging to use with external scripts like Google Tag Manager. We show how in an Angular Single Page Application.
We have a large number of management-only services (kibana, grafana, prometheus, alertmanager, etc.). I want to make it very easy for developers to light up new ones, but also very secure. More specifically, I want to make it easier to be… Read More » Using Istio & OpenID Connect / OAUTH2 To Authorise
Establishing mutual identity trust is complex. I must know who you are, and you must know who I am. People fall for phone scams despite caller ID. Let’s fix this for online.
Somewhere in your basement lurks a challenge. A web application that people need, but you don’t trust. Maybe it’s your timesheet or vacation planner. Maybe it’s your HR policies portal. But you know if it meets the Internet that you’ll be in… Read More » Secure Exposed Access: Zero-Trust Legacy Online With High Security and No Work
Information exposure. Many servers send out a helpful banner with the specific name and version of the software. This can in turn attract low-effort attacks that use tools like Shodan.io to find vulnerable hosts. CWE-200 suggests we need to remove the information… Read More » Remove information exposure: nginx banner
In the greater Montreal area? Come see me speak tomorrow at Cloud Native Day. The abstraction layers of ‘container’ and ‘helm’ etc. often stop people from thinking about the security issues. I run ‘helm install X’ or ‘docker build’. That in turn… Read More » Defense in Depth: Securing your new Kubernetes cluster from the challenges that lurk within
Software is eating the world. The software supply chain is very complex to understand and manage. One slip-up upstream, and that code is in your image very rapidly. Continuous!