21 private links
Introduction: In the latest OWASP Top 10 (OWASP Top 10:2021) list, the well-known standard awareness document for developers and web application
Threat modelling is a risk-based approach to cyber security requirements analysis.
1981 - RFC 788 - Simple Mail Transfer Protocol (SMTP) is published; the standard for email is born.
This is where everything starts: we now have an open peer-to-peer protocol that everyone on the internet can use to communicate.
1991
The US government introduces the 1991 Senate Bill 266, which attempts to allow "the Government to obtain the plain text contents of voice, data, and other communi ...
For my current project I will have a REST API set up with Spring Boot. To be able to use the API endpoint the application will check that the incoming request has a valid JWT token.
Top 40 Linux hardening/security tutorial and tips to secure the default installation of RHEL / CentOS / Fedora / Debian / Ubuntu Linux servers.
Blog by Huggenknubbel
This month’s cheat sheet is about how you can secure your Spring Boot application. Spring Boot has dramatically simplified the development of Spring applications. Its autoconfiguration and starter dependencies reduce the amount of code and configuration you need to begin an app. If you were used to Spring and lots of XML back in the day, Spring Boot is a breath of fresh air.
In this talk, I give some love to Angular and explain how I’ve solved authentication issues in that framework.
This tool helps you check what data-protecting measures a site has taken to help you exercise control over your privacy.
At a customer we needed to secure a web application via single sign-on, referred to as SSO from here on. The authentication and authorization use the credentials the user already entered when logging into the Windows domain. For this, the web browser communicates via a special mechanism (Kerberos) with the web application and the...
In other words, any authentication your application requires can be bypassed by a user with local privileges to the machine on which the data is stored. Therefore, it’s recommended not to store any sensitive information in local storage.
Although a lot has been written about Meltdown and Spectre since their announcement, I have not seen a good mid-level introduction to the vulnerabilities and mitigations. In this post I’m going to attempt to correct that by providing a gentle introduction to the hardware and software background required to understand the vulnerabilities, a discussion of the vulnerabilities themselves, as well as a discussion of the current mitigations.
A deeper look at Spectre/Meltdown characteristics and potential attacks, why it's necessary to patch cloud VMs even though the cloud service providers have already applied patches, the nature of the performance impact and how it’s affecting real-world applications, the need for threat modelling, the role of antivirus, how hardware is affected, and what’s likely to change in the long term.
Some thoughts on security after ten years of qmail 1.0 (Bernstein, 2007): I find security much more important than speed. We need invulnerable software systems, and we need them today, even if they ar…
So in that sense, I am already advocating for not really using the specs as-is, at least not without significant work to understand them and how they fit with your requirements.
When used carefully and with plenty of planning, JWTs can form the basis of highly scalable and reliable systems. By following the best practices in this article, you should be able to put appropriate protections in place to ensure that your data stays secure.
Here's the bigger picture of what all this guidance from governments and tech companies alike is recognising: security is increasingly about a composition of controls which, when combined, improve the overall security posture of a service. What you'll see across this post is a collection of recommendations which all help contribute to a more robust solution by virtue of complementing one another. That may mean that individual recommendations, such as dropping complexity requirements, look odd, but when you consider the way humans tended to deal with that (they'd just choose bad passwords with a combination of character types) alongside guidance such as blocking previously breached passwords, things start to make a lot more sense.