Stof

My fiction publishing journey

In the realm of self-publishing, there lies an unbridled passion for storytelling, unencumbered by traditional gatekeepers. As an aspiring author, I embarked on a thrilling adventure to bring my fiction novel series, "Sentinel Unleashed" to life. Set in the fast-paced world of hackers and cyber warfare, Sentinel Unleashed delves deep

The Imperative of Persistent CSRF Tokens (Video)

A brief on Cross-Site Request Forgery Cross-Site Request Forgery (CSRF) attacks, capable of duping a user into performing an unintended action, are a ubiquitous menace in the domain of web security. These attacks cunningly exploit the inherent trust of a site in a user's browser, compelling it to carry out

JWT: A Cryptographic Love Story with Security, Vulnerabilities, and a State of Confusion

Folks, remember to be careful with your JWTs. Use strong cryptographic algorithms, manage those secret keys like they're your firstborn child, and always, always validate those JWTs like your life depends on it. And for goodness' sake, keep your sensitive information under lock and key! Benefits Imagine you are a

Certificate Pinning is powerful, but you probably shouldn't use it

Let's be clear about Certificate Pinning. It IS extremely useful. It IS valid, if you follow 1 rule, and are operating in 2 use case scenarios. It's simple; The 1 rule is that YOU control the CA for the pin. If you don't control the CA, you've essentially circumvented the

JWT Patterns that provide real security benefits

Throughout this post we will keep an YUK WORD tally of things that are not security characteristics of JWT, that many so-called JWT experts (and everyone else) assume are "a thing" that really are just hand-waving nonsense. Starting with; verify is not validation YUK WORD verify Verify vs Validation A

Really giving a jot about JWTs

Instacart Sr Security Engineer David Gillman (or Gilman? Either OWASP or LASCON got it wrong) presented a talk in 2021 and followed up with a podcast interview released today. One thing David is excellent at describing developer benefits, and developer-centric Patterns and Anti-Patterns when using JWT. If you are an

You should have a preference for EV Certificates in 2022 - when most think they are dead

Domain Validated (DV) Certificates may be growing in popularity since the browsers ceased showing the organisation name along with a green padlock, but the visual change is not material to the security characteristic associated with Extended Validation (EV) Certificates. When the visual changes occurred the mainstream non-technical or the uneducated

5 Myths of Software Composition Analysis (SCA)

Recently someone asked me to help them with an SCA tool (you know the name, I snicker a bit when I hear their name) They had a bunch of findings in the SaaS dashboard that were confusing them, it was presented really nicely showing exploit samples, what good configuration looks

BSIMM vs OWASP SAMM | Which is better?

I often get asked about how to plan a roadmap for an AppSec or DevSecOps program, and this is where the concept of a maturity model came from and the main reason they exist. What is BSIMM and OWASP SAMM? BSIMM - Building Security In Maturity Model OWASP SAMM (formerly

Guide to Application Security tools

First, what makes a good, or great, AppSec tool? The best tools A best tool for AppSec is implemented; * in the IDE directly * as a git pre-commit hook * native to the programming language package manager * be configurable with custom rules for your business Apart from these there are some good

How to start an AppSec Program

I get asked all too often: What do do for AppSec? Many organizations with mature AppSec programs recommend implementing a security champions program for security training. A consistent AppSec program commonality is DevSecOps all-the-things, resulting in a lot (if not all) of AppSec engineer time and attention given to the

No Bullsh*t guide to Application Security

Security is a process, not a destination. Which applies to Application Security also. Let's quickly address common AppSec mistakes; * AppSec is not scanning in the CI/CD pipelines * AppSec is not security gates in the CI/CD pipelines * AppSec is not patching your dependencies * AppSec is not Vulnerability Management <– this

MS Office macros from the internet probably won't be blocked by default

The media coverage about Microsoft blocking by default macros from running in Office files from the Internet is wildly overstating the reality of this super small and almost insignificant change. Some simple facts * Doesn’t affect Office 'on the web' at all * This only effects VBA macros * This is not

Realistic 3 principles of AppSec and DevSecOps

Before we begin DevSecOps is analogous to AppSec for this discussion as both share the same principles even if we consider them to have certain distinctions in responcibilities or niche focus. In practice they serve the same audience, and should operate with the same 3 principles. The 3 principles 1.

What are types of Cross-Site Scripting (XSS) attacks?

We typically have 3 types of Cross-Site Scripting (XSS) attacks, this is outdated knowledge still circculating today. Current Application Security and Penetration Testing knowledge has 5 distinct categories of XSS The originals Stored, DOM, and Reflected. Where Stored XSS is simply described by one user entering the malicious attack into

Vulnerability or Defect?

AppSec tooling does not find any vulnerabilities, it finds defects. But when is a defect a vulnerability?

The 5 Myths of Application Security

The AppSec "high barrier to entry" is just an excuse. It won't take long for you to look foolish for avoiding your AppSec

WebStorage vs Cookies - Secure Session Management in 2021

Session management still occurs via cookies, but do not disclose secrets or authorisation in a cookie because the security of WebStorage is best practice.

JWT and HMAC in the browser, safe?

Is using JWT and HMAC in the browser, safe? How could they be? Don't they require a pre-shared secret? How can it be "secret" in the browser!? Secrets can actually be "secret" in browsers and apps, but almost always isn't securely shared with the client.. If you participate in bug

Zero-trust doesn't exist but that's OK

Where zero-trust might exist 1. Scenarios that have no data 2. Scenarios with data that are never connected to power Why? Because the moment data is accessible by a human, or a system with potential human access - you inherently trust that human. What about identity? Digital identity is the

You don't know OWASP

About a year ago I was just getting involved with the CSA Working Group [https://cloudsecurityalliance.org/research/contribute/] for CCM version 4 when I came across the OWASP CSA Project [https://wiki.owasp.org/index.php/Category:OWASP_CSA_Project] and went on a little adventure to learn more

Python pip requirements.txt lock file

Overview Opinions vary on how one should make use of lock files, depending on whether the project is the main application, or the project is actually a library that is meant to be consumed by an application or another library. Lock files are unquestionably useful if you build any application.

You're probably a Blue Team, not a Red Team

For those unfamiliar with Cybersecurity team colors, there are Blue Teams which are the defenders, and there are Red Teams who are simulating attackers with the goal to prove a circumvention of these defences. There are a few other colors too, the only other well known one is _Purple Team_

Everything in AWS is an API, is it secure?

EDIT: 2020-08-01 SHA-1 Windows content to be retired [https://techcommunity.microsoft.com/t5/windows-it-pro-blog/sha-1-windows-content-to-be-retired-august-3-2020/ba-p/1544373] in 2 days. Amazon is in an ever decreasing group of cryptography ignorant providers. EDIT: 2020-08-07 China believes TLS 1.3 privacy (hidden identity, not to be confused with confidentiality of data) is

TLS secures my data, right?

You have to understand that TLS by-design is intended to have all data read by anyone without any authorisation checks. Don't just take my word for it. In the words of ‌‌Nate Lawson; (cryptographer and software engineer who has contributed to the protocols since SSL3.0) > Data within the session

Functional Programing with PHP7

Many developers like to talk about functional programming, but most have never written a working implementation, nor understand the concepts practically without putting in the practice itself. The reason is quite simple: we are taught to think in an imperative manner when we first start learning to program and any

Unicode source code in PHP

Mobile Web: Cost of JavaScript Frameworks

In many of my previous posts I've discussed the importance of mobile, and the company where I am employed as the lead software engineer; the users have shown us over the past couple of years that they prefer to visit our site on their mobile over their desktop. It's clear

Correctly checking property exists in JavaScript

While maintaining some code recently I found myself writing out of pure habit Object.hasOwnProperty.call(obj, 'prop') as is expected in almost all OSS I've contributed to, and quickly editing that to just !!obj.prop which I chose because it worked more succinctly in my use case but I

When is consistent an anti-pattern

As my click-bait title suggests, I'm going to explore when the idea of writing consistent code can be harmful. I've been reading a lot on blogs of the most renown tech leaders, and also in the tech mailing lists such as HTML5 Weekly, many occasions where the idea of consistency

Misconception on CPU: Node.js vs PHP blocking web requests

We know the Node.js engine runs our code asynchronously, and we know it does that using an event loop. When Node.js is used to handle web requests it is capable of managing them over each CPU available via its cluster functionality achieving incredible performance over rival server-side languages.

Concurrency safe IOPS efficient MySQL with PHP PDO

The problem I've experience using many solutions for MySQL like Amazon RDS, Google Cloud SQL, Rackspace, Azure, and Openshift. Not all offered the same configuration flexibility but the one bottleneck that all shared was IOPS. In a startup or a company designing an architecture for a new product with MySQL,

You dont need JavaScript for that

Image Slider Gist Pushable Buttons Gist Animated Progress Bars Gist Tooltips Gist Visibility Toggle Gist Drop Down Menu Gist

Preventing offline data loss with Web Workers

The story Your carefully crafted web app has gone offline and now the code kicks in to manage the data in the browser while the user is offline waiting for them to get back in range. Time goes on and the user had already noticed a performance hit initially when

What's new in Node.js 6.0

This new release of node aims to improve performance, reliability, usability and security. Node 6.0 supports 93% of ES6 features. > Only 6 months after Node Foundation announced version 5.0 Announcement can be found here; https://nodejs.org/en/blog/release/v6.0.0/ Support for older versions LTS

Facebook engineers are the problem with software

Before I get into the observation that Facebook engineers are hurting the software development space unintentionally let me share with you a bit about me. This site is my 4th blog website, and I've gone beyond 50 personal websites years ago. I'm a speaker at many tech meetups around Sydney

What is Application Cache Error event Manifest fetch failed

So you've been building an offline web app using Application Cache and when you test your functionality while offline you encounter this; Application Cache Error event: Manifest fetch failed (6) https://domain.tld/manifest.appcache You're code may look a bit like the following; window.addEventListener('load', function(e) { window.

CSS Selector Performance

Back in July 2014 I had the privilege to talk at the first MelbCSS meetup at 99Designs in front of a respectable crowd of front-end developers from beginners to the very experienced in the community. At the end of my talk there was a common theme in the questions, almost

Prototypes and Inheritance

Recently I had the unique pleasure of presenting at General Assembly Melbourne, I was asked to share what I knew about Prototypal Inheritance and would like to now share that with you and dive a bit deeper into some examples. What is Prototypal Inheritance Prototypal Inheritance can be succinctly described

DevOps Explained

DevOps is a movement, a state of mind, way of thinking. It will solve some problems and it can even save you money, but DevOps will not be the one change that fixes everything. What is DevOps Before we can understand some of the DevOps concepts and implementations we should

What has been made PHP7 ready?

Let's take a look at the PHP based software that may be important to you before to get ready for your products PHP7 support migration. So what has support for PHP7 at this early stage? IDEs * Netbeans Official * Jetbrains PHPStorm 10 Official * Cloud9 - Unofficial via custom workspace template * Eclipse

Page Loads in JavaScript and Performance

This is a quick post to list the methods of initializing your JavaScript the right way in terms of Page Load Speed and in turn SEO rankings improvements and faster mobile UX. using a jQuery helper What it looks like; $(document).ready(function(){ console.log("DOM loaded but not fully

Callback Functions Double Executing? Dont Forget To return

Callback Functions Double Executing? A quick example function doSomething(err, result, final){ if(err){ final(err); } final(null,result); } Take the above as a simple way to express how you would have your final execute twice. It may not be immediately apparent why the callback executes twice, consider the scenario

Node.js Error Handling Patterns

The WRONG Way There is always a exceptionally bad way of doing something in NodeJS (or any language) so I figured covering this will put perspective on the alternatives. Listening for uncaughtException Listening for events on the global process variable is easy, and this is likely why we see this

Process Functions Asynchronously with a Final Callback

Purpose and use case Generally your functions are executed asynchronously with some exceptions, and the challenge for some is when you have a piece of code that can not be executed until previous functions are complete or data is returned. > So then why exactly would you want to process functions