Let's be clear about Certificate Pinning. It IS extremely useful. It IS valid, if you follow 1 rule, and are operating in 2 use case scenarios. It's simple; The 1 rule is that YOU control the CA for the pin. If you don't control the CA, you've essentially circumvented the
Throughout this post we will keep an YUK WORD tally of things that are not security characteristics of JWT, that many so-called JWT experts (and everyone else) assume are "a thing" that really are just hand-waving nonsense. Starting with; verify is not validation YUK WORD verify Verify vs Validation A
Instacart Sr Security Engineer David Gillman (or Gilman? Either OWASP or LASCON got it wrong) presented a talk in 2021 and followed up with a podcast interview released today. One thing David is excellent at describing developer benefits, and developer-centric Patterns and Anti-Patterns when using JWT. If you are an
Domain Validated (DV) Certificates may be growing in popularity since the browsers ceased showing the organisation name along with a green padlock, but the visual change is not material to the security characteristic associated with Extended Validation (EV) Certificates. When the visual changes occurred the mainstream non-technical or the uneducated
Recently someone asked me to help them with an SCA tool (you know the name, I snicker a bit when I hear their name) They had a bunch of findings in the SaaS dashboard that were confusing them, it was presented really nicely showing exploit samples, what good configuration looks
I often get asked about how to plan a roadmap for an AppSec or DevSecOps program, and this is where the concept of a maturity model came from and the main reason they exist. What is BSIMM and OWASP SAMM? BSIMM - Building Security In Maturity Model OWASP SAMM (formerly
First, what makes a good, or great, AppSec tool? The best tools A best tool for AppSec is implemented; * in the IDE directly * as a git pre-commit hook * native to the programming language package manager * be configurable with custom rules for your business Apart from these there are some good
I get asked all too often:
What do
Security is a process, not a destination. Which applies to Application Security also. Let's quickly address common AppSec mistakes; * AppSec is not scanning in the CI/CD pipelines * AppSec is not security gates in the CI/CD pipelines * AppSec is not patching your dependencies * AppSec is not Vulnerability Management <– this
HawkAuth [https://github.com/mozilla/hawk/] protocol is widely adopted by Firefox Accounts and appears in Postman in a very short list of supported API authentication methods which indicates HawkAuth is vastly more popular than you might first expect. HawkAuth protocol history The origins of HawkAuth appears to be with
The media coverage about Microsoft blocking by default macros from running in Office files from the Internet is wildly overstating the reality of this super small and almost insignificant change. Some simple facts * Doesn’t affect Office 'on the web' at all * This only effects VBA macros * This is not
Before we begin DevSecOps is analogous to AppSec for this discussion as both share the same principles even if we consider them to have certain distinctions in responcibilities or niche focus. In practice they serve the same audience, and should operate with the same 3 principles. The 3 principles 1.
We typically have 3 types of Cross-Site Scripting (XSS) attacks, this is outdated knowledge still circculating today. Current Application Security and Penetration Testing knowledge has 5 distinct categories of XSS The originals Stored, DOM, and Reflected. Where Stored XSS is simply described by one user entering the malicious attack into
AppSec tooling does not find any vulnerabilities, it finds defects. But when is a defect a vulnerability?
The AppSec "high barrier to entry" is just an excuse. It won't take long for you to look foolish for avoiding your AppSec
Session management still occurs via cookies, but do not disclose secrets or authorisation in a cookie because the security of WebStorage is best practice.
Is using JWT and HMAC in the browser, safe? How could they be? Don't they require a pre-shared secret? How can it be "secret" in the browser!? Secrets can actually be "secret" in browsers and apps, but almost always isn't securely shared with the client.. If you participate in bug
Where zero-trust might exist 1. Scenarios that have no data 2. Scenarios with data that are never connected to power Why? Because the moment data is accessible by a human, or a system with potential human access - you inherently trust that human. What about identity? Digital identity is the
About a year ago I was just getting involved with the CSA Working Group [https://cloudsecurityalliance.org/research/contribute/] for CCM version 4 when I came across the OWASP CSA Project [https://wiki.owasp.org/index.php/Category:OWASP_CSA_Project] and went on a little adventure to learn more
Overview Opinions vary on how one should make use of lock files, depending on whether the project is the main application, or the project is actually a library that is meant to be consumed by an application or another library. Lock files are unquestionably useful if you build any application.
Applying private routing to AWS management APIs is hard. AWS S3 has had some poor press coverage, but to Amazon's credit it has always been subject to authentication by default and not leaked any customer data.
For those unfamiliar with Cybersecurity team colors, there are Blue Teams which are the defenders, and there are Red Teams who are simulating attackers with the goal to prove a circumvention of these defences. There are a few other colors too, the only other well known one is _Purple Team_
EDIT: 2020-08-01 SHA-1 Windows content to be retired [https://techcommunity.microsoft.com/t5/windows-it-pro-blog/sha-1-windows-content-to-be-retired-august-3-2020/ba-p/1544373] in 2 days. Amazon is in an ever decreasing group of cryptography ignorant providers. EDIT: 2020-08-07 China believes TLS 1.3 privacy (hidden identity, not to be confused with confidentiality of data) is
You have to understand that TLS by-design is intended to have all data read by anyone without any authorisation checks. Don't just take my word for it. In the words of Nate Lawson; (cryptographer and software engineer who has contributed to the protocols since SSL3.0) > Data within the session
A look into the suitability of AWS KMS and CloudHSM for use with workloads in-scope of PCI DSS. Who owns my encryption key in AWS? By owning we might think of ownership as who has potential to access the key to decrypt the data. I like to think of ownership
The Australian Government's controversial encryption bill passed the Senate [https://www.abc.net.au/news/2018-12-06/labor-backdown-federal-government-to-pass-greater-surveillance/10591944] last month and will undoubtedly be law soon. The bill proposes three key powers; A technical assistance request (TAR): Police ask a company to "voluntarily" help, such as give technical details about
> Detect as a means to defend The idea of this attack is to identify old dependencies with known exploits. Even some of the most secure clients, that have excellent patching practices, are still vulnerable years after they assume they patched a vulnerability. Many of the competent website developers are now
White box Commonly used by organisations after a black box pentest to validate controls, or as an assurance to the business for audit purposes. A white box pentest is prescriptive in nature and is the only type of pentest that provides an attestation of compliance. What to provide Preparing for
Information Security is a broad reaching area of concern for your business. In the enterprise world a large component of this is part of their GRC efforts which can be over-whelming for a smaller organisation. > Governance, Risk, and Compliance One commonality between enterprise and startups is the reliance on vendors.
Over the years I've been tasked to implement controls as a developer or self-assess and design controls that meet the requirements of contractual, compliance, regulatory, and legislative obligations. One of the continuing misconceptions I've seen is most business believe (and often publicly claim) a vendors security and compliance attestations will
The Australian Cyber Security Centre (ACSC) has developed The Essential Eight which are mitigation strategies that organisation's can use to produce a modern risk profile and response plan for todays cyber threats. My post will help you align these best practices to your solution as a baseline making it much
The General Data Protection Regulation (GDPR) guidance in this post is experience based and your own response should be reviewed by a law counselor. I'm no lawyer, and many who are do not have subject matter experience (yet), so a balanced approach is playing it safe in these early days.
Tether has become the defacto reserve currency as the hundreds of different cryptocurrencies are actually created and exchanged on it. I'll touch on Tether and go into Ransomware briefly, as these are the reason for the post. The I'll deep dive on Cryptocurrency because there is actually three totally separate
Do you train new models using new data, or do you re-train existing models with new samples? Retraining a model For the past few years I've been capturing network traffic and building various machine learning models around the data, not always security related but always design for a long lasting
So you're a developer or operations engineer (or both, DevOps) and work in a small team that either has no access to a Solution Architect. > or you do but expected to re-architect solutions for security and reliabilty Get to know the AWS Well-Architected Framework [https://d1.awsstatic.com/whitepapers/architecture/
Let me share with you a technique taught to me that I've used and refined, it's always had an impact that can help convince even the most remiss, ignorant, or doubtful opposition to a well argued and rationalised new process. More than 10yrs ago when I was in my 20s
So I recently took up the challenge of turning my PC with only Ubuntu KDE installed into a dual-boot Windows 10 PC. I've been on Ubuntu since 2008 and after a decade free of Windows at home I decided to take up the challenge of using WSL (Windows subsystem for
GDPR comes into effect in May 2018 and one of the buzz phrases you might have heard is > the right to be forgotten But there is much more you need to know and the effects are far reaching beyond Europe. What Assessments are needed? Data protection impact assessments (DPIAs) or
A look at Business Continuity Management (BCM); The process that is responsible for Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) using Business Impact Analysis (BIA) enabling Operational Resilience through HA and DR principles
Information to help you deal with Privacy risk, When to assess Privacy, Breach Notification, Recommended Controls, and Resources.
So I posted a response to an article on Medium titled Making Money Trustworthy - Bitcoin Explained [https://medium.com/@tessr/making-money-trustworthy-6c552a1cfc25] which wasn't a particularly outrageous article and had a lot of good content in it, but it was lacking an understanding of what trust even is and it
As I am currently studying to sit the CISSP exam in 2018 and because I've taken over 25,000 words in notes so far I thought I'd share what I have so that others might be able to study a bit easier. The relevant CISSP material is difficult to search
> Warning: do not run these scripts unless you understand the repercussions There are 2 sections here, defensive and offensive. Why did I do this? Taking my own network security seriously I started monitoring all incoming and unknown outgoing packets using a passive tap which is a network packet capturing device
API Gateway is a service offered by AWS and was established originally as a code fork of thier CloudFront service and has evolved separately ever since. Although an interesting fact there has been little evidence to show any sort of relationship between the 2 services since API Gateway was released.
There are plenty of Docker best practices articles out there, this is not one, exactly.. I will instead talk to maintainability, efficiency, and security covering best practices where relevant. I've been using Docker for a couple of years now, it seems like a lifetime ago I'd jump into a new
> Standards, who needs them? Google Chrome certainly doesn't.. It is blatently obvious Google's disdain of w3c, web developers, and just simple web users expecting sites they visist to continue to work while they upgrade browsers to stay secure. Yes, disdane, Google proves their superiority complex knows no bound when they
Let the threat actors take your data. Data breaches are bad, they will happen to you — count on it. Education is more valuable then technology.
You’ve heard that your password has already been compromised by LinkedIn, Yahoo, Vodafone, Sony, Minecraft, and Snapchat to name a few of the more then 200 [https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches] breaches I know about, but do you know that the Password Managers you put trust in for all
When Math isn't accurate in code Precise vs Accurate So here's a simple example to get you started, punch a simple calculation 0.1 + 0.2 into any calculator, scientific, google, whatever. What result do you get? You should see 0.3 right? The code issues with arithmetic Now go
A language agnostic look at this common programming pattern. My hope is that once you've read my post you'll never write an infinite loop again. > My favourite number: 8 What are infinite loops I've chosen Python as the language to demonstrate due to its readability. 1. Loops The simplest loop
Search as a Service is a type of SaaS for search, externally-provided search services enable you to have a full featured search engine available within your own software offerings so you can focus on your data and search UI rather than having to create and maintain all of the nuances
This will be more of a play-by-play of highlights on things like Community, Research, and talking about basics of data science from example of what I did, not how or academically why 👨🎓. It all started with a casual conversation that led me to the Data Science Melbourne [http://meetu.ps/
Here are some things I wish someone told me before I needed to manage over 5 million connections a day, 35k concurrently on average (Melbourne Cup). If that sounds like a lot to you, it is, the Commonwealth Bank had less than 1 million hits a day this month [https:
Fibonacci. This sequence of numbers occurs in nature, and has many uses. > In a Fibonacci sequence, each number is equal to the previous two numbers added together. Fibonacci numbers are easily computed in modern programming languages. This computational task helps us learn about how a channel works in go and
One of the major challenges we face as modern developers in our infrastructure is how do we cache effectively so that we don't have to perform heavy I/O to serve identical requests. > The application is only as fast as its slowest component, usually that is relational databases If we
For years we've complained and asked for a way to bind to touch and mouse events that do not require and should not change the built in scrolling actions. > Available on Chrome 51, Chrome Mobile 51, Safari Mobile 51, and Android WebView release 51 Finally it has landed on our
Welcome to Auto Scaling in the Amazon Cloud If the fundamental premise of the "cloud" is > use only the resources you need for as long as you need them So for a website you save money when traffic is low; dynamic scaling based on traffic. Enterprise SaaS is great for
The latest version of Chrome 51 (as of writing) supports the Credential Management API. It’s a proposal at the W3C that gives developers programmatic access to a browser’s credential manager and helps users sign in more easily. > Available on Chrome 51, Chrome Mobile 51, Safari Mobile 51, and
Many developers like to talk about functional programming, but most have never written a working implementation, nor understand the concepts practically without putting in the practice itself. The reason is quite simple: we are taught to think in an imperative manner when we first start learning to program and any
Yeah, php can be evil.
In many of my previous posts I've discussed the importance of mobile, and the company where I am employed as the lead software engineer; the users have shown us over the past couple of years that they prefer to visit our site on their mobile over their desktop. It's clear
While maintaining some code recently I found myself writing out of pure habit Object.hasOwnProperty.call(obj, 'prop') as is expected in almost all OSS I've contributed to, and quickly editing that to just !!obj.prop which I chose because it worked more succinctly in my use case but I
As my click-bait title suggests, I'm going to explore when the idea of writing consistent code can be harmful. I've been reading a lot on blogs of the most renown tech leaders, and also in the tech mailing lists such as HTML5 Weekly, many occasions where the idea of consistency
We know the Node.js engine runs our code asynchronously, and we know it does that using an event loop. When Node.js is used to handle web requests it is capable of managing them over each CPU available via its cluster functionality achieving incredible performance over rival server-side languages.
The problem I've experience using many solutions for MySQL like Amazon RDS, Google Cloud SQL, Rackspace, Azure, and Openshift. Not all offered the same configuration flexibility but the one bottleneck that all shared was IOPS. In a startup or a company designing an architecture for a new product with MySQL,
Image Slider Gist Pushable Buttons Gist Animated Progress Bars Gist Tooltips Gist Visibility Toggle Gist Drop Down Menu Gist
The story Your carefully crafted web app has gone offline and now the code kicks in to manage the data in the browser while the user is offline waiting for them to get back in range. Time goes on and the user had already noticed a performance hit initially when
This new release of node aims to improve performance, reliability, usability and security. Node 6.0 supports 93% of ES6 features. > Only 6 months after Node Foundation announced version 5.0 Announcement can be found here; https://nodejs.org/en/blog/release/v6.0.0/ Support for older versions LTS
Before I get into the observation that Facebook engineers are hurting the software development space unintentionally let me share with you a bit about me. This site is my 4th blog website, and I've gone beyond 50 personal websites years ago. I'm a speaker at many tech meetups around Sydney
So you've been building an offline web app using Application Cache and when you test your functionality while offline you encounter this; Application Cache Error event: Manifest fetch failed (6) https://domain.tld/manifest.appcache You're code may look a bit like the following; window.addEventListener('load', function(e) { window.
Back in July 2014 I had the privilege to talk at the first MelbCSS meetup at 99Designs in front of a respectable crowd of front-end developers from beginners to the very experienced in the community. At the end of my talk there was a common theme in the questions, almost
Recently I had the unique pleasure of presenting at General Assembly Melbourne, I was asked to share what I knew about Prototypal Inheritance and would like to now share that with you and dive a bit deeper into some examples. What is Prototypal Inheritance Prototypal Inheritance can be succinctly described
DevOps is a movement, a state of mind, way of thinking. It will solve some problems and it can even save you money, but DevOps will not be the one change that fixes everything. What is DevOps Before we can understand some of the DevOps concepts and implementations we should
Let's take a look at the PHP based software that may be important to you before to get ready for your products PHP7 support migration. So what has support for PHP7 at this early stage? IDEs * Netbeans Official * Jetbrains PHPStorm 10 Official * Cloud9 - Unofficial via custom workspace template * Eclipse
This is a quick post to list the methods of initializing your JavaScript the right way in terms of Page Load Speed and in turn SEO rankings improvements and faster mobile UX. using a jQuery helper What it looks like; $(document).ready(function(){ console.log("DOM loaded but not fully
Callback Functions Double Executing? A quick example function doSomething(err, result, final){ if(err){ final(err); } final(null,result); } Take the above as a simple way to express how you would have your final execute twice. It may not be immediately apparent why the callback executes twice, consider the scenario
The WRONG Way There is always a exceptionally bad way of doing something in NodeJS (or any language) so I figured covering this will put perspective on the alternatives. Listening for uncaughtException Listening for events on the global process variable is easy, and this is likely why we see this
Purpose and use case Generally your functions are executed asynchronously with some exceptions, and the challenge for some is when you have a piece of code that can not be executed until previous functions are complete or data is returned. > So then why exactly would you want to process functions
