Security - AppSec Stof

Tagged

Security

The practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

#OnFireHawk | Firefox Accounts

#OnFireHawk | Firefox Accounts

HawkAuth protocol is widely adopted by Firefox Accounts and appears in Postman in a very short list of supported API authentication methods which indicates HawkAuth is vastly more popular than you might first expect. HawkAuth protocol history The origins of HawkAuth appears to be with Eren Hammer then shortly sponsored

JWT and HMAC in the browser, safe?

Is using JWT and HMAC in the browser, safe? How could they be?Don't they require a pre-shared secret? How can it be "secret" in the browser!? Secrets can actually be "secret" in browsers and apps, but almost always isn't securely shared with the client.. If you participate in bug

Zero-trust doesn't exist but that's OK

Where zero-trust might existScenarios that have no dataScenarios with data that are never connected to powerWhy? Because the moment data is accessible by a human, or a system with potential human access - you inherently trust that human. What about identity?Digital identity is the only identity. Digital identities can

You don't know OWASP

About a year ago I was just getting involved with the CSA Working Group for CCM version 4 when I came across the OWASP CSA Project and went on a little adventure to learn more about OWASP. Many readers probably think they're aware of OWASP, as I once thought I

Private AWS S3 - How hard could that be?

Applying private routing to AWS management APIs is hard. AWS S3 has had some poor press coverage, but to Amazon's credit it has always been subject to authentication by default and not leaked any customer data.

You're probably a Blue Team, not a Red Team

For those unfamiliar with Cybersecurity team colors, there are Blue Teams which are the defenders, and there are Red Teams who are simulating attackers with the goal to prove a circumvention of these defences. There are a few other colors too, the only other well known one is _Purple Team_

Everything in AWS is an API, is it secure?

EDIT: 2020-08-01 SHA-1 Windows content to be retired in 2 days. Amazon is in an ever decreasing group of cryptography ignorant providers. EDIT: 2020-08-07 China believes TLS 1.3 privacy (hidden identity, not to be confused with confidentiality of data) is so effective they are going to block all TLS

TLS secures my data, right?

You have to understand that TLS by-design is intended to have all data read by anyone without any authorisation checks. Don't just take my word for it. In the words of ‌‌Nate Lawson; (cryptographer and software engineer who has contributed to the protocols since SSL3.0) Data within the session

PCI DSS - Are AWS KMS and CloudHSM suitable?

PCI DSS - Are AWS KMS and CloudHSM suitable?

A look into the suitability of AWS KMS and CloudHSM for use with workloads in-scope of PCI DSS. Who owns my encryption key in AWS? By owning we might think of ownership as who has potential to access the key to decrypt the data. I like to think of ownership

Australia - Where Compliance and Regulation Obligations are Unlawful

Australia - Where Compliance and Regulation Obligations are Unlawful

The Australian Government's controversial encryption bill passed the Senate last month and will undoubtedly be law soon. The bill proposes three key powers; A technical assistance request (TAR): Police ask a company to "voluntarily" help, such as give technical details about the development of a new online service

Exploiting Orphaned Webserver Files

Exploiting Orphaned Webserver Files

Detect as a means to defend The idea of this attack is to identify old dependencies with known exploits. Even some of the most secure clients, that have excellent patching practices, are still vulnerable years after they assume they patched a vulnerability. Many of the competent website developers are now

Preparing for Independent Penetration Testing

Preparing for Independent Penetration Testing

White box Commonly used by organisations after a black box pentest to validate controls, or as an assurance to the business for audit purposes. A white box pentest is prescriptive in nature and is the only type of pentest that provides an attestation of compliance. What to provide Preparing for

Information Security strategy tips for startups

Information Security strategy tips for startups

Information Security is a broad reaching area of concern for your business. In the enterprise world a large component of this is part of their GRC efforts which can be over-whelming for a smaller organisation. Governance, Risk, and Compliance One commonality between enterprise and startups is the reliance on vendors.

Vendor attestations prove nothing about your systems

Vendor attestations prove nothing about your systems

Over the years I've been tasked to implement controls as a developer or self-assess and design controls that meet the requirements of contractual, compliance, regulatory, and legislative obligations. One of the continuing misconceptions I've seen is most business believe (and often publicly claim) a vendors security and compliance attestations will

ASD Essential Eight Mitigation Strategies to Detect Cyber Security Incidents and Respond

ASD Essential Eight Mitigation Strategies to Detect Cyber Security Incidents and Respond

The Australian Cyber Security Centre (ACSC) has developed The Essential Eight which are mitigation strategies that organisation's can use to produce a modern risk profile and response plan for todays cyber threats. My post will help you align these best practices to your solution as a baseline making it much

Responding to a troll GDPR Subject Access Request - Australian/NZ Version

Responding to a troll GDPR Subject Access Request - Australian/NZ Version

The General Data Protection Regulation (GDPR) guidance in this post is experience based and your own response should be reviewed by a law counselor. I'm no lawyer, and many who are do not have subject matter experience (yet), so a balanced approach is playing it safe in these early days.

GDPR compliance beyond Europe

GDPR compliance beyond Europe

GDPR comes into effect in May 2018 and one of the buzz phrases you might have heard is the right to be forgotten But there is much more you need to know and the effects are far reaching beyond Europe. What Assessments are needed? Data protection impact assessments (DPIAs) or

Misunderstood Business Continuity risk domain

Misunderstood Business Continuity risk domain

A look at Business Continuity Management (BCM); The process that is responsible for Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) using Business Impact Analysis (BIA) enabling Operational Resilience through HA and DR principles

Privacy Controls for your Risk Assessment

Privacy Controls for your Risk Assessment

Information to help you deal with Privacy risk, When to assess Privacy, Breach Notification, Recommended Controls, and Resources.

CISSP Study Material

CISSP Study Material

As I am currently studying to sit the CISSP exam in 2018 and because I've taken over 25,000 words in notes so far I thought I'd share what I have so that others might be able to study a bit easier. The relevant CISSP material is difficult to search

Learn everything about every internet connected device with Python

Learn everything about every internet connected device with Python

Warning: do not run these scripts unless you understand the repercussions There are 2 sections here, defensive and offensive. Why did I do this? Taking my own network security seriously I started monitoring all incoming and unknown outgoing packets using a passive tap which is a network packet capturing device

Perfecting the Dockerfile

Perfecting the Dockerfile

There are plenty of Docker best practices articles out there, this is not one, exactly.. I will instead talk to maintainability, efficiency, and security covering best practices where relevant. I've been using Docker for a couple of years now, it seems like a lifetime ago I'd jump into a new

Password disclosure redundancy

Password disclosure redundancy

Let the threat actors take your data. Data breaches are bad, they will happen to you — count on it. Education is more valuable then technology.

Removing that single-point-of-failure Password Managers pose

Removing that single-point-of-failure Password Managers pose

You’ve heard that your password has already been compromised by LinkedIn, Yahoo, Vodafone, Sony, Minecraft, and Snapchat to name a few of the more then 200 breaches I know about, but do you know that the Password Managers you put trust in for all of your passwords are just