Angular Content-Security-Policy with a Nonce: Google Tag Manager
Content-Security-Policy protects our application, but challenging with external scripts like Google Tag Manager. We show in Angular Single Page Application.
Defense-In-Depth
Defense In Depth. Don’t spend all your effort on a single moat around the castle, assume each layer of defense will be breached, and have a fallback defensive position.
Doppelganger Domain Detection
Doppelganger domains are used to spear-phish you. They look similar to ones you use normally. See this new warning in Chrome.
Securely Updating Software: The Update Framework
Secure automatic software delivery without the risk of tampering. The Update Framework in action.
Security.txt: how to document receiving security vulnerabilities
Document how you receive and treat security vulnerability reports with the security.txt standard
Fail to ban. Simple. Strong. Defense in Depth
Fail to ban. Simple. Strong. Make the attackers wait, increase their cost while decreasing your cost of defending. Defense in Depth.
Button down your 2-factor-auth and dnssec lest ye be hijacked
DNSSEC. It helps prevent someone from poisoning a DNS cache or creating a lying recursive. Its simple to enable.
The Agilicus Philosophy: Continuous Learn. Do. Teach.
The Agilicus Philosophy: The world we work in changes. Our requirements change. By continuously learning and adapting, we survive and thrive.
Stupid Simple Security Trick: Add a DNS CAA Record
Want to improve your security for zero cost before you leave for the day? Add a DNS CAA Record. Watch the video to learn more!
The Firewall Emperor Has No Clothes
The Firewall Emperor, long the king of security, has no clothes. Micro segmentation is just more firewalls. You want Zero Trust Network Access.
Software Supply Chain Redux: npmjs shells your hosts
The software supply chain might be the biggest cyber threat out there. Easily accessible open-source, developers under pressure to deliver, complex dependencies. Trouble ensues in npm ecosystem.
Simplify Security: Split Identity and Authorisation with Zero Trust
Zero Trust. The key principle is, we split identity and authorisation apart. We move from a perimeter-based trust (e.g. VPN + firewall) to a user + asset-based model.
Web Application Security 101: Get the basics right
Do what I say. The central tennet of security. In web application security, this translates to a set of headers. Learn how to use Content Security Policy, XSS, CORS, etc.
Don’t let the browser pass you by: keep your server up to date
Browsers update faster than servers, being consumer technology. TLS 1.0 and 1.1 are dead, update your servers.
Zero Trust: Connecting The Digitally Disconnected
Digitally Disconnected. The 2nd class citizens of the 21st Century. Unable to access data due to identity or VPN. NO MORE! Zero Trust.
Email Strict Transport Security: Our First Report
Email Strict-Transport-Security. Complex to setup, but provides encryption on the transportation of your email like HTTP Strict Transport.
Zero Trust Architecture: Published by NIST
Zero-Trust. Make your team more efficient, increase your security, reduce your cost? What’s not to love. The line for the bandwagon starts over there.
Cross-Origin-Request-Sharing and You
CORS. The method by which we secure web applications that are de-monolithed to directly use API’s
CORS’ing the complexity: idempotent and caching meets Vary: Origin for CORS
Cross-Origin-Request-Sharing (CORS) is challenging to implement. Learn how to make it work with multiple applications in the same browser.
Secure the Cookie!
The humble cookie. So controversial. So complex to secure. If your web app must have them, you must secure them.
The browser was the accomplice
You and your browser run inside a nice safe firewall. A firewall which doesn’t do what you think. Explore how the browser is the accomplice to the crime.
Zero Trust and the NTT Hack
NTT Comm discloses a breach. Firewalls lead to false assurances, allowing wide open internal access.
Fixing the case of the Implicit Flow modification
Meet Hank. Hank is a web application with a dark secret. It trusts you the user to not change things in the browser. Bad Hank. Learn how to fix it!
Why should I use Content-Security-Policy?
The Content-Security-Policy headers exists to protect the users of your web site from the content they themselves might create.
The Web Application Firewall and You: Who Should Use, and When.
Should I use a Web Application Firewall? What is it ? What benefit will it give me? When would I use it? Read on to learn!
DEFENSE IN DEPTH: CLOUD NATIVE DAY 2019 TALK
We often think in Boolean terms: Outside Bad, Inside Good
Instead, assume each layer will be breached
How phishing negates your firewall
Your corporate firewall. That invulnerable bastion that lets you fearlessly run less-than-secure internal tools like a CRM, a Finance portal. But, is it really invulnerable? Or is it a paper wall at best? We look at how Cross-Site-Scripting vulnerabilities, known session ID cookies or access tokens can allow content from the world to pierce it as if it were not there. We do this using the weakest link: you.
Logging real remote address with Nginx and Lua
For audit, security, tracing, we want the origin IP logged. Load-balancers can mask this. Learn how to log the true client IP from nginx with lua, when that nginx is behind a load-balancer (reverse proxy)
Using Istio & OpenID Connect / OAUTH2 To Authorise
Make it simple and safe to be secure for your developers. Allow any internal devops site to have single-sign-on and authorisation.
The desktop crypto curveball: test your encryption
Encryption. Its good, if its working,. You should test your encryption, on the desktop, on the server, once in a while. Curveball recently came out, test it!.
Don’t trust the firewall: why defense in depth is important
A firewall is not an absolute defense. Weak things inside it can be attacked through JavaScript or other vectors. Defense in Depth is important.