Sentience Chapter 9 - Book 3 of Sentinel Unleashed
Hey there, fellow bookworms and adventure-seekers! Today, I've got something truly riveting to share with you. Grab your favourite reading spot and settle in because we're diving into a gripping chapter from the third book in the "Sentinel Unleashed" series, titled "Sentience." Now, if you're not familiar with this series,
Unveiling the Myths of Multi-Factor Authentication
MFA refresher Multi-Factor Authentication (MFA) is a security practice that requires users to provide two or more distinct authentication factors to verify their identity before gaining access to a system or account. These factors typically fall into three categories: something you know (e.g., a password), something you have (e.
Unlocking Your Tech Success - 5 Essential Lessons
Ever wondered what it takes to thrive in the tech world, not just as a coder but as a tech-savvy communicator, a business bridge, and a problem-solver armed with certificates and Python? Let's unravel the answers together, shall we? Are you ready to dive into the electrifying world of technology?
Show, don't tell
I hated hearing this repeated "advice". It was said to me constantly during my early days writing, and no one ever properly explained the concept in a way that actually made sense to me. Until I did a creative writing course, with an amazing teacher. She started talking about the
Forget DevSecOps and ShiftLeft
🪄Integrating Security Seamlessly In this article, we're about to spill the beans on why this approach rocks, answer some burning questions, all while keeping our magic wand at the ready. The Traditional DevSecOps Approach DevSecOps, which emphasizes integrating security into the development process, has been a buzzword in the industry
Storytelling vs Describing, when introducing a scene
When introducing a scene in writing, two main styles can be used: storytelling and describing. 📖Preview the Prologue and Chapter 1 on laterpress FREE. Here are two variations, you decide which is better: 1. Described The inconspicuous building blended seamlessly with its surroundings, lacking any distinguishing markings. The nondescript façade
Unspoken Emotions in Fiction writing
There's a moment in the book, The Hackers, where a real human moment occurs during an epic about Hackers and Sentient AI. Instead of explaining it to you, having no idea what I'm referring to, let's take a look at it first: Warning! spoiler Wren started, her voice determined. “I
My fiction publishing journey
In the realm of self-publishing, there lies an unbridled passion for storytelling, unencumbered by traditional gatekeepers. As an aspiring author, I embarked on a thrilling adventure to bring my fiction novel series, "Sentinel Unleashed" to life. Set in the fast-paced world of hackers and cyber warfare, Sentinel Unleashed delves deep
Hawk Authentication bug - Firefox Accounts payload bypassing integrity validation
HawkAuth protocol is widely adopted by Firefox Accounts and appears in Postman in a very short list of supported API authentication methods, which indicates HawkAuth is vastly more popular than you might first expect. HawkAuth protocol history The origins of HawkAuth appear to be with Eran Hammer, then shortly sponsored
The Imperative of Persistent CSRF Tokens (Video)
A brief on Cross-Site Request Forgery Cross-Site Request Forgery (CSRF) attacks, capable of duping a user into performing an unintended action, are a ubiquitous menace in the domain of web security. These attacks cunningly exploit the inherent trust of a site in a user's browser, compelling it to carry out
JWT: A Cryptographic Love Story with Security, Vulnerabilities, and a State of Confusion
Folks, remember to be careful with your JWTs. Use strong cryptographic algorithms, manage those secret keys like they're your firstborn child, and always, always validate those JWTs like your life depends on it. And for goodness' sake, keep your sensitive information under lock and key! Benefits Imagine you are a
Certificate Pinning is powerful, but you probably shouldn't use it
Let's be clear about Certificate Pinning. It IS extremely useful. It IS valid, if you follow 1 rule, and are operating in 2 use case scenarios. It's simple; The 1 rule is that YOU control the CA for the pin. If you don't control the CA, you've essentially circumvented the
JWT Patterns that provide real security benefits
Throughout this post we will keep a YUK WORD tally of things that are not security characteristics of JWT, that many so-called JWT experts (and everyone else) assume are "a thing" but really are just hand-waving nonsense. Starting with; verify is not validation YUK WORD verify Verify vs Validation A
Really giving a jot about JWTs
Instacart Sr Security Engineer David Gillman (or Gilman? Either OWASP or LASCON got it wrong) presented a talk in 2021 and followed up with a podcast interview released today. One thing David is excellent at is describing developer benefits, and developer-centric Patterns and Anti-Patterns when using JWT. If you are an
You should have a preference for EV Certificates in 2022 - when most think they are dead
Domain Validated (DV) Certificates may be growing in popularity since the browsers ceased showing the organisation name along with a green padlock, but the visual change is not material to the security characteristic associated with Extended Validation (EV) Certificates. When the visual changes occurred the mainstream non-technical or the uneducated
5 Myths of Software Composition Analysis (SCA)
Recently someone asked me to help them with an SCA tool (you know the name, I snicker a bit when I hear their name) They had a bunch of findings in the SaaS dashboard that were confusing them, it was presented really nicely showing exploit samples, what good configuration looks
BSIMM vs OWASP SAMM | Which is better?
I often get asked about how to plan a roadmap for an AppSec or DevSecOps program, and this is where the concept of a maturity model came from and the main reason they exist. What is BSIMM and OWASP SAMM? BSIMM - Building Security In Maturity Model OWASP SAMM (formerly
Guide to Application Security tools
First, what makes a good, or great, AppSec tool? The best tools A best tool for AppSec is implemented; * in the IDE directly * as a git pre-commit hook * native to the programming language package manager * be configurable with custom rules for your business Apart from these there are some good
How to start an AppSec Program
I get asked all too often:
What do
No Bullsh*t guide to Application Security
Security is a process, not a destination. Which applies to Application Security also. Let's quickly address common AppSec mistakes; * AppSec is not scanning in the CI/CD pipelines * AppSec is not security gates in the CI/CD pipelines * AppSec is not patching your dependencies * AppSec is not Vulnerability Management <– this
MS Office macros from the internet probably won't be blocked by default
The media coverage about Microsoft blocking by default macros from running in Office files from the Internet is wildly overstating the reality of this super small and almost insignificant change. Some simple facts * Doesn’t affect Office 'on the web' at all * This only affects VBA macros * This is not
Realistic 3 principles of AppSec and DevSecOps
Before we begin DevSecOps is analogous to AppSec for this discussion as both share the same principles even if we consider them to have certain distinctions in responsibilities or niche focus. In practice they serve the same audience, and should operate with the same 3 principles. The 3 principles 1.
What are types of Cross-Site Scripting (XSS) attacks?
We are typically told there are 3 types of Cross-Site Scripting (XSS) attacks, but this is outdated knowledge still circulating today. Current Application Security and Penetration Testing knowledge has 5 distinct categories of XSS The originals Stored, DOM, and Reflected. Where Stored XSS is simply described by one user entering the malicious attack into
Vulnerability or Defect?
AppSec tooling does not find any vulnerabilities, it finds defects. But when is a defect a vulnerability?
The 5 Myths of Application Security
The AppSec "high barrier to entry" is just an excuse. It won't take long for you to look foolish for avoiding your AppSec
WebStorage vs Cookies - Secure Session Management in 2021
Session management still occurs via cookies, but do not disclose secrets or authorisation in a cookie because the security of WebStorage is best practice.
JWT and HMAC in the browser, safe?
Is using JWT and HMAC in the browser, safe? How could they be? Don't they require a pre-shared secret? How can it be "secret" in the browser!? Secrets can actually be "secret" in browsers and apps, but they almost always aren't securely shared with the client. If you participate in bug
Zero-trust doesn't exist but that's OK
Where zero-trust might exist 1. Scenarios that have no data 2. Scenarios with data that are never connected to power Why? Because the moment data is accessible by a human, or a system with potential human access - you inherently trust that human. What about identity? Digital identity is the
You don't know OWASP
About a year ago I was just getting involved with the CSA Working Group [https://cloudsecurityalliance.org/research/contribute/] for CCM version 4 when I came across the OWASP CSA Project [https://wiki.owasp.org/index.php/Category:OWASP_CSA_Project] and went on a little adventure to learn more
Python pip requirements.txt lock file
Overview Opinions vary on how one should make use of lock files, depending on whether the project is the main application, or the project is actually a library that is meant to be consumed by an application or another library. Lock files are unquestionably useful if you build any application.
Private AWS S3 - How hard could that be?
Applying private routing to AWS management APIs is hard. AWS S3 has had some poor press coverage, but to Amazon's credit it has always been subject to authentication by default and not leaked any customer data.
You're probably a Blue Team, not a Red Team
For those unfamiliar with Cybersecurity team colors, there are Blue Teams which are the defenders, and there are Red Teams who are simulating attackers with the goal to prove a circumvention of these defences. There are a few other colors too, the only other well known one is _Purple Team_
Everything in AWS is an API, is it secure?
EDIT: 2020-08-01 SHA-1 Windows content to be retired [https://techcommunity.microsoft.com/t5/windows-it-pro-blog/sha-1-windows-content-to-be-retired-august-3-2020/ba-p/1544373] in 2 days. Amazon is in an ever decreasing group of cryptography ignorant providers. EDIT: 2020-08-07 China believes TLS 1.3 privacy (hidden identity, not to be confused with confidentiality of data) is
TLS secures my data, right?
You have to understand that TLS by-design is intended to have all data read by anyone without any authorisation checks. Don't just take my word for it. In the words of Nate Lawson; (cryptographer and software engineer who has contributed to the protocols since SSL3.0) > Data within the session
PCI DSS - Are AWS KMS and CloudHSM suitable?
A look into the suitability of AWS KMS and CloudHSM for use with workloads in-scope of PCI DSS. Who owns my encryption key in AWS? By owning we might think of ownership as who has potential to access the key to decrypt the data. I like to think of ownership
Australia - Where Compliance and Regulation Obligations are Unlawful
The Australian Government's controversial encryption bill passed the Senate [https://www.abc.net.au/news/2018-12-06/labor-backdown-federal-government-to-pass-greater-surveillance/10591944] last month and will undoubtedly be law soon. The bill proposes three key powers; A technical assistance request (TAR): Police ask a company to "voluntarily" help, such as give technical details about
Exploiting Orphaned Webserver Files
> Detect as a means to defend The idea of this attack is to identify old dependencies with known exploits. Even some of the most secure clients, that have excellent patching practices, are still vulnerable years after they assume they patched a vulnerability. Many of the competent website developers are now
Preparing for Independent Penetration Testing
White box Commonly used by organisations after a black box pentest to validate controls, or as an assurance to the business for audit purposes. A white box pentest is prescriptive in nature and is the only type of pentest that provides an attestation of compliance. What to provide Preparing for
Information Security strategy tips for startups
Information Security is a broad reaching area of concern for your business. In the enterprise world a large component of this is part of their GRC efforts which can be overwhelming for a smaller organisation. > Governance, Risk, and Compliance One commonality between enterprise and startups is the reliance on vendors.
Vendor attestations prove nothing about your systems
Over the years I've been tasked to implement controls as a developer or self-assess and design controls that meet the requirements of contractual, compliance, regulatory, and legislative obligations. One of the continuing misconceptions I've seen is most businesses believe (and often publicly claim) a vendor's security and compliance attestations will
ASD Essential Eight Mitigation Strategies to Detect Cyber Security Incidents and Respond
The Australian Cyber Security Centre (ACSC) has developed The Essential Eight, which are mitigation strategies that organisations can use to produce a modern risk profile and response plan for today's cyber threats. My post will help you align these best practices to your solution as a baseline making it much
Responding to a troll GDPR Subject Access Request - Australian/NZ Version
The General Data Protection Regulation (GDPR) guidance in this post is experience based and your own response should be reviewed by a law counselor. I'm no lawyer, and many who are do not have subject matter experience (yet), so a balanced approach is playing it safe in these early days.
On Tether Cryptocurrency and Ransomware
Tether has become the de facto reserve currency as the hundreds of different cryptocurrencies are actually created and exchanged on it. I'll touch on Tether and go into Ransomware briefly, as these are the reason for the post. Then I'll deep dive on Cryptocurrency because there are actually three totally separate
Machine Learning model training over time
Do you train new models using new data, or do you re-train existing models with new samples? Retraining a model For the past few years I've been capturing network traffic and building various machine learning models around the data, not always security related but always designed for a long lasting
Software Engineers guide to AWS Solution Architecture
So you're a developer or operations engineer (or both, DevOps) and work in a small team that either has no access to a Solution Architect. > or you do but are expected to re-architect solutions for security and reliability Get to know the AWS Well-Architected Framework [https://d1.awsstatic.com/whitepapers/architecture/
How-to convince colleagues to accept new processes
Let me share with you a technique taught to me that I've used and refined, it's always had an impact that can help convince even the most remiss, ignorant, or doubtful opposition to a well argued and rationalised new process. More than 10yrs ago when I was in my 20s
How to fix sudo must be owned by uid 0 and have the setuid bit set in WSL
So I recently took up the challenge of turning my PC with only Ubuntu KDE installed into a dual-boot Windows 10 PC. I've been on Ubuntu since 2008 and after a decade free of Windows at home I decided to take up the challenge of using WSL (Windows subsystem for
GDPR compliance beyond Europe
GDPR comes into effect in May 2018 and one of the buzz phrases you might have heard is > the right to be forgotten But there is much more you need to know and the effects are far reaching beyond Europe. What Assessments are needed? Data protection impact assessments (DPIAs) or
Misunderstood Business Continuity risk domain
A look at Business Continuity Management (BCM); The process that is responsible for Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) using Business Impact Analysis (BIA) enabling Operational Resilience through HA and DR principles
Privacy Controls for your Risk Assessment
Information to help you deal with Privacy risk, When to assess Privacy, Breach Notification, Recommended Controls, and Resources.
Cryptocurrency cannot be trusted (yet)
So I posted a response to an article on Medium titled Making Money Trustworthy - Bitcoin Explained [https://medium.com/@tessr/making-money-trustworthy-6c552a1cfc25] which wasn't a particularly outrageous article and had a lot of good content in it, but it was lacking an understanding of what trust even is and it
CISSP Study Material
As I am currently studying to sit the CISSP exam in 2018 and because I've taken over 25,000 words in notes so far I thought I'd share what I have so that others might be able to study a bit easier. The relevant CISSP material is difficult to search
Learn everything about every internet connected device with Python
> Warning: do not run these scripts unless you understand the repercussions There are 2 sections here, defensive and offensive. Why did I do this? Taking my own network security seriously I started monitoring all incoming and unknown outgoing packets using a passive tap which is a network packet capturing device
Problems with AWS API Gateway stemmed from CloudFront
API Gateway is a service offered by AWS and was established originally as a code fork of their CloudFront service and has evolved separately ever since. Although an interesting fact, there has been little evidence to show any sort of relationship between the 2 services since API Gateway was released.
Perfecting the Dockerfile
There are plenty of Docker best practices articles out there, this is not one, exactly. I will instead talk to maintainability, efficiency, and security covering best practices where relevant. I've been using Docker for a couple of years now, it seems like a lifetime ago I'd jump into a new
Chrome out of control breaking the web
> Standards, who needs them? Google Chrome certainly doesn't. It is blatantly obvious Google's disdain of w3c, web developers, and just simple web users expecting sites they visit to continue to work while they upgrade browsers to stay secure. Yes, disdain, Google proves their superiority complex knows no bound when they
Password disclosure redundancy
Let the threat actors take your data. Data breaches are bad, they will happen to you — count on it. Education is more valuable than technology.
Removing that single-point-of-failure Password Managers pose
You’ve heard that your password has already been compromised by LinkedIn, Yahoo, Vodafone, Sony, Minecraft, and Snapchat to name a few of the more than 200 [https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches] breaches I know about, but do you know that the Password Managers you put trust in for all
Precise vs Accurate on Arbitrary-precision Arithmetic
When Math isn't accurate in code Precise vs Accurate So here's a simple example to get you started, punch a simple calculation 0.1 + 0.2 into any calculator, scientific, google, whatever. What result do you get? You should see 0.3 right? The code issues with arithmetic Now go
Only inexperienced developers use infinite loops
A language agnostic look at this common programming pattern. My hope is that once you've read my post you'll never write an infinite loop again. > My favourite number: 8 What are infinite loops I've chosen Python as the language to demonstrate due to its readability. 1. Loops The simplest loop
Search as a Service landscape mid 2017
Search as a Service is a type of SaaS for search, externally-provided search services enable you to have a full featured search engine available within your own software offerings so you can focus on your data and search UI rather than having to create and maintain all of the nuances
Kaggle Competition #melbdarathon2017
This will be more of a play-by-play of highlights on things like Community, Research, and talking about basics of data science from example of what I did, not how or academically why 👨‍🎓. It all started with a casual conversation that led me to the Data Science Melbourne [http://meetu.ps/
AWS EC2 Scaling gotchas no one told you
Here are some things I wish someone told me before I needed to manage over 5 million connections a day, 35k concurrently on average (Melbourne Cup). If that sounds like a lot to you, it is, the Commonwealth Bank had less than 1 million hits a day this month [https:
range over channels in go - Fibonacci example
Fibonacci. This sequence of numbers occurs in nature, and has many uses. > In a Fibonacci sequence, each number is equal to the previous two numbers added together. Fibonacci numbers are easily computed in modern programming languages. This computational task helps us learn about how a channel works in go and
Strategy To Manage Cache At Scale
One of the major challenges we face as modern developers in our infrastructure is how do we cache effectively so that we don't have to perform heavy I/O to serve identical requests. > The application is only as fast as its slowest component, usually that is relational databases If we
Use Passive Event Listeners to prevent scroll interruptions
For years we've complained and asked for a way to bind to touch and mouse events that do not require and should not change the built in scrolling actions. > Available on Chrome 51, Chrome Mobile 51, Safari Mobile 51, and Android WebView release 51 Finally it has landed on our
AWS Autoscaling Best Practices
Welcome to Auto Scaling in the Amazon Cloud If the fundamental premise of the "cloud" is > use only the resources you need for as long as you need them So for a website you save money when traffic is low; dynamic scaling based on traffic. Enterprise SaaS is great for
Access browser stored passwords via Credentials API
The latest version of Chrome 51 (as of writing) supports the Credential Management API. It’s a proposal at the W3C that gives developers programmatic access to a browser’s credential manager and helps users sign in more easily. > Available on Chrome 51, Chrome Mobile 51, Safari Mobile 51, and
Functional Programming with PHP7
Many developers like to talk about functional programming, but most have never written a working implementation, nor understand the concepts practically without putting in the practice itself. The reason is quite simple: we are taught to think in an imperative manner when we first start learning to program and any
Unicode source code in PHP
Yeah, PHP can be evil.
Mobile Web: Cost of JavaScript Frameworks
In many of my previous posts I've discussed the importance of mobile, and the company where I am employed as the lead software engineer; the users have shown us over the past couple of years that they prefer to visit our site on their mobile over their desktop. It's clear
Correctly checking property exists in JavaScript
While maintaining some code recently I found myself writing out of pure habit Object.hasOwnProperty.call(obj, 'prop') as is expected in almost all OSS I've contributed to, and quickly editing that to just !!obj.prop which I chose because it worked more succinctly in my use case but I
When is consistent an anti-pattern
As my click-bait title suggests, I'm going to explore when the idea of writing consistent code can be harmful. I've been reading a lot on blogs of the most renowned tech leaders, and also in the tech mailing lists such as HTML5 Weekly, many occasions where the idea of consistency
Misconception on CPU: Node.js vs PHP blocking web requests
We know the Node.js engine runs our code asynchronously, and we know it does that using an event loop. When Node.js is used to handle web requests it is capable of managing them over each CPU available via its cluster functionality achieving incredible performance over rival server-side languages.
Concurrency safe IOPS efficient MySQL with PHP PDO
The problem I've experienced using many solutions for MySQL like Amazon RDS, Google Cloud SQL, Rackspace, Azure, and Openshift. Not all offered the same configuration flexibility but the one bottleneck that all shared was IOPS. In a startup or a company designing an architecture for a new product with MySQL,
You don't need JavaScript for that
Image Slider Gist Pushable Buttons Gist Animated Progress Bars Gist Tooltips Gist Visibility Toggle Gist Drop Down Menu Gist
Preventing offline data loss with Web Workers
The story Your carefully crafted web app has gone offline and now the code kicks in to manage the data in the browser while the user is offline waiting for them to get back in range. Time goes on and the user had already noticed a performance hit initially when
What's new in Node.js 6.0
This new release of node aims to improve performance, reliability, usability and security. Node 6.0 supports 93% of ES6 features. > Only 6 months after Node Foundation announced version 5.0 Announcement can be found here; https://nodejs.org/en/blog/release/v6.0.0/ Support for older versions LTS
Facebook engineers are the problem with software
Before I get into the observation that Facebook engineers are hurting the software development space unintentionally let me share with you a bit about me. This site is my 4th blog website, and I've gone beyond 50 personal websites years ago. I'm a speaker at many tech meetups around Sydney
What is Application Cache Error event Manifest fetch failed
So you've been building an offline web app using Application Cache and when you test your functionality while offline you encounter this; Application Cache Error event: Manifest fetch failed (6) https://domain.tld/manifest.appcache Your code may look a bit like the following; window.addEventListener('load', function(e) { window.
CSS Selector Performance
Back in July 2014 I had the privilege to talk at the first MelbCSS meetup at 99Designs in front of a respectable crowd of front-end developers from beginners to the very experienced in the community. At the end of my talk there was a common theme in the questions, almost
Prototypes and Inheritance
Recently I had the unique pleasure of presenting at General Assembly Melbourne, I was asked to share what I knew about Prototypal Inheritance and would like to now share that with you and dive a bit deeper into some examples. What is Prototypal Inheritance Prototypal Inheritance can be succinctly described
DevOps Explained
DevOps is a movement, a state of mind, way of thinking. It will solve some problems and it can even save you money, but DevOps will not be the one change that fixes everything. What is DevOps Before we can understand some of the DevOps concepts and implementations we should
What has been made PHP7 ready?
Let's take a look at the PHP based software that may be important to you before you get ready for your product's PHP7 support migration. So what has support for PHP7 at this early stage? IDEs * Netbeans Official * Jetbrains PHPStorm 10 Official * Cloud9 - Unofficial via custom workspace template * Eclipse
Page Loads in JavaScript and Performance
This is a quick post to list the methods of initializing your JavaScript the right way in terms of Page Load Speed and in turn SEO rankings improvements and faster mobile UX. using a jQuery helper What it looks like; $(document).ready(function(){ console.log("DOM loaded but not fully
Callback Functions Double Executing? Don't Forget To return
Callback Functions Double Executing? A quick example function doSomething(err, result, final){ if(err){ final(err); } final(null,result); } Take the above as a simple way to express how you would have your final execute twice. It may not be immediately apparent why the callback executes twice, consider the scenario
Node.js Error Handling Patterns
The WRONG Way There is always an exceptionally bad way of doing something in NodeJS (or any language) so I figured covering this will put perspective on the alternatives. Listening for uncaughtException Listening for events on the global process variable is easy, and this is likely why we see this
Process Functions Asynchronously with a Final Callback
Purpose and use case Generally your functions are executed asynchronously with some exceptions, and the challenge for some is when you have a piece of code that can not be executed until previous functions are complete or data is returned. > So then why exactly would you want to process functions