Nginx TLS tuning won't fix a slow application, but it does cut handshake overhead and improve connection reuse, which shaves milliseconds off every HTTPS request.
#security
217 posts
Yesterday
9 Jun
In our post about Project Glasswing, we made the argument that the architecture around a vulnerability matters more than the speed of the patch. Here we walk through what that architecture looks like, the threats it defends against, and how we run it ourselves as Cloudflare's customer zero.
8 Jun
Understanding software supply chain security is one thing. Putting it into practice across a real pipeline, with real deadlines and real constraints, is another. Most organizations recognize that their software supply chain is a growing attack surface, but translating that awareness into concrete, repeatable practices is where the work gets difficult. But why should your...
How I Built a 47-Signal Website Audit Tool That Runs in 15 Seconds on SitePoint.
Cloudflare customers can now use Cloudforce One threat intelligence directly within the WAF to block high-risk traffic. By using new cf.intel fields, security teams can automate protection against specific threat actors and targeted industries in real time.
5 Jun
AI agents are moving fast. According to our State of Agentic AI report, 60% of organizations already have AI agents in production, yet 40% cite security and compliance as the number-one barrier to scaling them further. And that gap between adoption and oversight is exactly where AI governance lives. As AI takes on higher-stakes decisions...
Embarking on the quest to find the ideal home office, home lab or small business firewall device is akin to navigating a jungle, but let's narrow it down by setting the budget to under $300 USD.
4 Jun
When security teams scan their container environments for the first time, they often discover hundreds of known vulnerabilities, and almost none of them trace back to application code. The overwhelming majority come from packages that shipped with the base image: shells, compilers, debug utilities, and libraries the application never calls. In a software supply chain...
3 Jun
Software supply chain attacks have accelerated faster than most security teams anticipated. Sonatype's 2026 State of the Software Supply Chain report identified more than 454,000 new malicious packages published to open source repositories in 2025, bringing the cumulative total to over 1.2 million since 2019. The blast radius keeps expanding as organizations consume more open...
2 Jun
In our State of Agentic AI report, 45% of organizations said they struggle to ensure the tools their agents use are secure and enterprise-ready. That number reflects a broader reality: AI agents are moving into production faster than the security practices around them are maturing. The challenge is not that organizations lack security awareness. It’s...
29 May
The find out stage of AI is just supply chain and password protection
Stack Overflow: In this two-for-one special recorded at HumanX, Ryan is joined by Dataiku’s Florian Douetteau to chat about the governance, orchestration, and data requirements for serious agentic systems and 1Password’s Nancy Wang for a conversation on making agent swarms secure. …
28 May
Often, enterprises end up treating all their APIs roughly the same. They’re authenticated, maybe rate-limited, and hopefully behind a gateway, but ultimately, they’re lumped together as part of a collection of APIs. While that flatness makes sense from a product management perspective, it poses a problem for risk management. A payment processing API and a ...
Fail2ban watches your log files and automatically bans IPs that repeatedly fail authentication, protecting your Linux server from brute-force attacks on SSH, web servers, and more. This guide covers installation, jail configuration, testing, and practical tuning to get real protection instead of just running defaults.
26 May
Earlier this year I mass-migrated my blog to Astro using Claude Code. 146 posts. 6,024 images. Canonical URLs, JSON-LD markup, sitemap generation, the whole stack. I'd spent hours writing a skills file to teach the agent about my blog's architecture, how deployment worked, what not to touch. And it worked. Claude Code rewrote components, fixed...
AI agents are pieces of software that autonomously perform actions to achieve a goal or objective. They operate in loops where they analyze input, such as prompts, context, tools, and memory. They then plan, take actions, and feed the output back into the loop to decide how to proceed. In this way, agents can dynamically ...
21 May
Announcing a Public Preview .NET package that adds policy enforcement, startup tool scanning, fallback governance, and response sanitization to MCP servers with a single builder extension. (Announcing Agent Governance Toolkit MCP Extensions for .NET, .NET Blog)
The `unsafe` keyword is being redesigned to mark caller-facing contracts rather than just syntax. Safety obligations between callers and callees become visible and reviewable. The model is motivated by the rise of AI-assisted code generation and arrives as a preview in .NET 11. (Improving C# Memory Safety, .NET Blog)
When discussing modern API security, developers frequently conflate terms like bearer token and JSON Web Token (JWT). This semantic confusion around access tokens often masks a critical architectural distinction. A bearer token specifies the transmission mechanism, while a JWT defines a specific, structured data format. But due to the extensive adoption of JWTs, there is ...
20 May
The application and API security industries are rethinking access control for AI agents. However, the underlying foundations remain the same ones the industry has relied on for years. What’s changing is how and when those foundations are applied. Depending on the use case, a given approach may work best at runtime, with proper contextual signals, ...
19 May
Your fridge could be a threat to national security
Stack Overflow: On the floor of HumanX, Ryan is joined by Adam Meyers, Senior VP of Counter Adversary Operations at CrowdStrike, for a deep dive on their latest Global Threat Report that tracks over 281 adversaries across nation states, e-crime, and hacktivist organizations. …
18 May
Package pruning in .NET 10 removes platform-provided packages from your dependency graph. With transitive auditing enabled by default, projects with these defaults have 70% fewer transitive vulnerability reports compared to projects using the previous defaults. (NuGet Package Pruning: Cleaner Dependencies and Actionable Vulnerability Reports, .NET Blog)
In recent weeks, we pointed Mythos and other security-focused LLMs at live code across critical parts of our infrastructure. We share what we observed, the models’ strengths and weaknesses, and what the work around them needs to look like before any of it can scale.
13 May
On April 15, NIST announced a prioritized enrichment model for the National Vulnerability Database. Most CVEs will still be published, but fewer will receive the CVSS scores, CPE mappings, and CWE classifications that container scanners and compliance programs have historically relied on. The change formalizes a drift that has been visible to anyone pulling NVD...
OpenAI details its response to the TanStack “Mini Shai-Hulud” supply chain attack, outlines protections taken to secure systems and signing certificates, and explains why macOS users must update OpenAI apps by June 12, 2026. Learn what happened, what was affected, and how OpenAI is strengthening defenses against evolving software supply chain threats.
12 May
Introducing Docker AI Governance: centralized control over how agents execute, what they can reach on the network, which credentials they can use, and which MCP tools they can call, so every developer in your company can run AI agents safely, wherever they work. Your laptop is the new prod. Agents are the biggest productivity unlock...
In many existing systems, enterprise data uses only basic security protections. For example, the backend of a web application might call an API and use an API key to secure the request. The solution may seem secure enough, since the web application only calls a subset of API endpoints and the user seems constrained by ...
8 May
How OpenAI runs Codex securely with sandboxing, approvals, network policies, and agent-native telemetry to support safe and compliant coding agent adoption.
7 May
Two weeks ago we announced that we had identified and fixed an unprecedented number of latent security bugs in Firefox with the help of Claude Mythos Preview and other AI models. In this post, we’ll go into more detail about how we approached this work, what we found, and advice for other projects on making […] (Behind the…)
When a critical Linux kernel privilege escalation was publicly disclosed, Cloudflare's security and engineering teams detected, investigated, and mitigated the threat across our global fleet, confirming zero customer impact and no malicious exploitation.
OpenAI expands Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber, helping verified defenders accelerate vulnerability research and protect critical infrastructure.
5 May
The open web is a critical platform for applications that handle highly sensitive data, from private communications to financial transactions and medical records. Traditionally, servers are trusted to deliver the appropriate code and resources for their web applications to browsers, who then provide a secure and isolated environment for their execution. In some circumstances, this […] (Trustworthy JavaScript…)
28 Apr
A few years back, I created portable-color for adding color to shell scripts. Then I deprecated it in favor of a new library, dye, that fixed a number of things that bothered me about portable-color. dye eventually added its own built-in templating, which meant users could just print a string full of things like “{{red}}” […] (How I…)
In February 2026, nearly 3,000 Google API keys were accidentally exposed. Data breaches are always damaging, but a data breach due to an authenticated, active API key can be catastrophic. An active API key allows actors to access uploaded files, cached data, and charge LLM-usage to your account, as noted by cybersecurity researcher Joe Leon. ...
23 Apr
Catching the KICS push: what happened, and the case for open, fast collaboration. In the past few weeks we've worked through two supply chain compromises on Docker Hub with a similar shape: first Trivy, now Checkmarx KICS. In both cases, stolen publisher credentials were used to push malicious images through legitimate publishing flows. In both...
Since the advent of the internet, software developers have used online assistants, like search engines, to improve their time to market. In the AI era, you can think of AI agents as a new type of user agent that goes beyond the capabilities of search engines to perform concrete tasks and provide further efficiency improvements. ...
22 Apr
Vaultwarden is a lightweight, self-hosted implementation of the Bitwarden server written in Rust. Vaultwarden is designed as a simpler, more ... (How to Install Vaultwarden on Ubuntu 26.04, RoseHosting)
17 Apr
This is the second in a series of posts about anonymous credentials. You can find the first part here. In the previous post, we introduced the notion of anonymous credentials as a technique that allows users to authenticate to a website without sacrificing their privacy. As a quick reminder, an anonymous credential system consists of … (Anonymous credentials:…)
16 Apr
Logic Drift & Shadow AI: The Hidden Reasons Your Data Strategy is Failing on SitePoint.
Leading security firms and enterprises join OpenAI’s Trusted Access for Cyber, using GPT-5.4-Cyber and $10M in API grants to strengthen global cyber defense.
15 Apr
While some commentators in tech say that microservices architecture has seen its heyday, in reality, it’s still foundational to some massive distributed digital systems, from Netflix, to Amazon, SoundCloud, and beyond. But how exactly do you operationalize thousands of distributed microservices living in various environments? Successful microservices adoption tales often revolve around using service mesh, ...
14 Apr
New data underscores what many of us have known all along: APIs are now the most common doorway for attackers. But while the reigning API security risks may not look all that new, the new technology around agentic AI, like Model Context Protocol (MCP), seems to be disproportionately exacerbating classic API- and application-level security gaps. ...
OpenAI expands its Trusted Access for Cyber program, introducing GPT-5.4-Cyber to vetted defenders and strengthening safeguards as AI cybersecurity capabilities advance.
13 Apr
In complex, long-running agentic systems, maintaining alignment and coherent reasoning between agents requires careful design. In this second article of our series, we explore these challenges and the mechanisms we built to keep teams of agents working productively over long time spans. We present a range of complementary techniques that balance the conflicting requirements…
10 Apr
OpenAI responds to the Axios supply chain attack by rotating macOS code signing certificates, updating apps, and confirming no user data was compromised.
31 Mar
APIs are the modern doorway for systems to share data, but this common pathway is often unlocked. As a result, over the past two years, we’ve witnessed a string of API security incidents, including headline-worthy API exploits at 23andMe, Avelo Airlines, Authy, Optus, Trello, Volkswagen, WhatsApp, and others. 42Crunch recently released its State of API ...
27 Mar
One of jOOQ’s most popular features is the out-of-the-box debug logging experience. jOOQ developers find this feature very useful when developing their applications. Assuming you run a jOOQ query and configure your logger to print DEBUG log output: When this query is executed, your log output might contain something like this: Executing query : select … (Managing Sensitive…)
25 Mar
When it comes to APIs, security has always been a serious concern. Developers who design and build APIs strive to mitigate vulnerabilities before attackers find them. Consumers want to be reassured that the APIs their applications integrate with won’t compromise data or application integrity. However, the rise of AI has led to new and evolving ...
23 Mar
In this blog post, we will show you how to install SSH on Ubuntu 26.04. SSH (Secure Shell) is a ... (How to install SSH on Ubuntu 26.04, RoseHosting)
13 Mar
Agents have enormous potential to power secure, personal AI assistants that automate complex tasks and workflows. Realizing that potential, however, requires strong isolation, a codebase that teams can easily inspect and understand, and clear control boundaries they can trust. Today, NanoClaw, a lightweight agent framework, is integrating with Docker Sandboxes to deliver secure-by-design agent execution....
11 Mar
How ChatGPT defends against prompt injection and social engineering by constraining risky actions and protecting sensitive data in agent workflows.
5 Mar
Most API teams I talk to are serious about the front door. They have a documented API surface, versioning rules, code review, and a continuous integration and continuous delivery (CI/CD) pipeline that runs tests and security checks before anything ships. That’s all good hygiene. But the incidents that turn into painful postmortems often start somewhere ...
4 Mar
The evolution of the modern enterprise is often marked by a transition from streamlined simplicity to architectural fragmentation. What begins as a strategic move toward distributed systems frequently devolves into gateway sprawl, a phenomenon where decentralized business units adopt distinct API tools based on localized budgets, engineering preferences, or specific technical requirements. While this flexibility ...
3 Mar
Your Package Manager, Now with a Security Upgrade. Last December, we made Docker Hardened Images (DHI) free because we believe secure, minimal, production-ready images should be the default. Every developer deserves strong security at no cost. It should not be complicated or locked behind a paywall. From the start, flexibility mattered just as much as...
25 Feb
In this blog post, we will show you how to reset the MariaDB root password. We reset the MariaDB root ... (How to Reset MariaDB Root Password, RoseHosting)
When it comes to APIs, access control is an incredibly important part of ensuring that your APIs are as secure and properly controlled as possible. In this context, one of the most effective methods that has arisen is role-based access control (RBAC), a security practice that segments access to digital systems based on roles. In ...
Our latest threat report examines how malicious actors combine AI models with websites and social platforms—and what it means for detection and defense.
24 Feb
Cross-site scripting (XSS) remains one of the most prevalent vulnerabilities on the web. The new standardized Sanitizer API provides a straightforward way for web developers to sanitize untrusted HTML before inserting it into the DOM. Firefox 148 is the first browser to ship this standardized security-enhancing API, advancing a safer web for everyone. We […] (Goodbye innerHTML,…)
When building agentic AI systems that interact with APIs and other services, securely managing JSON Web Tokens (JWTs) becomes a critical part of the architecture. Unlike traditional web applications, agentic AI can operate autonomously, invoking APIs, making decisions, and passing sensitive information without direct human supervision. These nuances create unique authorization challenges around how JWTs ...
17 Feb
In recent months, we’ve been writing extensively about some of the exciting possibilities offered by artificial intelligence and the agentic consumption of APIs, from new routes to monetization via AI through to more efficient workflows. But there are downsides to consider here, too. Large language models (LLMs) have a habit of disregarding the API contract, ...
10 Feb
Docker Hardened Images are now free, covering Alpine, Debian, and over 1,000 images including databases, runtimes, and message buses. For security teams, this changes the economics of container vulnerability management. DHI includes security fixes from Docker’s security team, which simplifies security response. Platform teams can pull the patched base image and redeploy quickly. But free...
5 Feb
OpenAI introduces Trusted Access for Cyber, a trust-based framework that expands access to frontier cyber capabilities while strengthening safeguards against misuse.
4 Feb
Every time execution models change, security frameworks need to change with them. Agents force the next shift. The Unattended Laptop Problem: No developer would leave their laptop unattended and unlocked. The risk is obvious. A developer laptop has root-level access to production systems, repositories, databases, credentials, and APIs. If someone sat down and started using...
2 Feb
It’s not every day that we see mainstream media get excited about encryption apps! For that reason, the past several days have been fascinating, since we’ve been given not one but several unusual stories about the encryption used in WhatsApp. Or more accurately, if you read the story, a pretty wild allegation that the widely-used … (WhatsApp Encryption,…)
29 Jan
Agentic AI is an incredibly powerful frontier technology, and it’s actively changing the tech landscape day by day. One of the most significant changes is that APIs are no longer solely called by deterministic code developed and reviewed by humans. Instead, APIs are being actively and frequently called, explored, linked, and even adapted by autonomous ...
28 Jan
In this blog post, we will show you how to reset the MySQL root password on a Linux operating system. ... (How to Reset MySQL Root Password, RoseHosting)
21 Jan
When it comes to building tech initiatives, we often say that they should be treated as products in order for them to succeed. Treating your internal APIs as a product means that you’re not just thinking about the utilitarian nature of your systems — you’re thinking about internal users as consumers, and thereby prioritizing the ...
19 Jan
HTTPS is the secure form of the Hypertext Transfer Protocol (HTTP). It employs the SSL/TLS protocol for encryption and authentication, ... (How to Install HTTPS Protocol on Ubuntu 24.04, RoseHosting)
15 Jan
The emergence of AI coding assistants has ushered in a new era of software creation, formalized under the concept of “vibe coding.” This concept offers tremendous productivity but also introduces significant complexities, particularly when building critical APIs. Here is a comprehensive overview of what vibe coding is and the benefits it delivers. We also cover ...
14 Jan
In the age of AI, there is a worrying trend of simply letting AI "take care of it." You have invested in an agentic system, so when you need something done, why not just let the AI agent make the API request? After all, it is just a machine making a machine request — right? ...
8 Jan
In the software field, one of the most commonly referred to and leveraged resources is the Top Ten list from OWASP. This is for good reason — OWASP stands as a platform- and vendor-agnostic voice that can highlight application security risks in a potentially more meaningful way than the litany of whitepapers and reports issued ...
5 Jan
In this blog post, we will explain how to install Let’s Encrypt on Ubuntu 24.04 OS. Let’s Encrypt is a ... (How to install Let’s Encrypt on Ubuntu 24.04, RoseHosting)
23 Dec 2025
Authorization Exchange, or AuthZEN for short, is a new specification from the OpenID Foundation that aims to bring clarity and standardization to authorization. If OAuth 2.0 and OpenID Connect brought us standardized protocols for authentication and identity, AuthZEN aims to do something similar for fine-grained authorization. It defines a shared, interoperable way for applications to ...
22 Dec 2025
Agentic AI has been one of the hottest buzzwords of 2025, with developers and business owners racing to unlock the vast potential of AI. Agentic AI is a vital link in this technological chain, as it allows AI systems to make decisions and implement actions with little to no human input necessary. If you have ...
OpenAI is strengthening ChatGPT Atlas against prompt injection attacks using automated red teaming trained with reinforcement learning. This proactive discover-and-patch loop helps identify novel exploits early and harden the browser agent’s defenses as AI becomes more agentic.
19 Dec 2025
Earlier this week, we took a major step forward for the industry. Docker Hardened Images (DHI) is now available at no cost, bringing secure-by-default development to every team, everywhere. Anyone can now start from a secure, minimal, production-ready foundation from the first pull, without a subscription. With that decision comes a responsibility: if Docker Hardened Images become...
14 Dec 2025
Most discussions about Model Context Protocol infrastructure ask how to govern thousands of AI tools and monitor which MCP servers are running. This question is table stakes but undershoots the possibilities. A better question is how we can unleash MCP to drive developer creativity from a trusted foundation. The first question produces a phone book...
10 Dec 2025
OpenAI is investing in stronger safeguards and defensive capabilities as AI models become more powerful in cybersecurity. We explain how we assess risk, limit misuse, and work with the security community to strengthen cyber resilience.
1 Dec 2025
Slack’s Security Engineering team is responsible for protecting Slack’s core infrastructure and services. Our security event ingestion pipeline handles billions of events per day from a diverse array of data sources. Reviewing alerts produced by our security detection system is our primary responsibility during on-call shifts. We’re going to show you how we’re using AI…
27 Nov 2025
Authorization is having a bit of a moment in the tech world right now. Organizations like Apple are investing more heavily in policy-driven access control, signalling a shift towards policy as code. As this approach is solidified, it’s becoming clear that the next big revolution in the authorization space will be focused on a specific ...
26 Nov 2025
A cybersecurity system is only as secure as its weakest link. Consumers and developers likely had no reason to doubt the security of a fintech API used by most of the largest banks in the world, official financial institutions, and the majority of the most widely used financial software and services on the market. Unfortunately, ...
25 Nov 2025
Securing the software supply chain shouldn’t be hard. According to theCUBE Research, Docker makes it simple
Docker: In today’s software-driven economy, securing software supply chains is no longer optional, it’s mission-critical. Yet enterprises often struggle to balance developer speed and security. According to theCUBE Research, 95% of organizations say Docker improved their ability to identify and remediate vulnerabilities, while 79% rate it highly effective at maintaining compliance with security standards. Docker embeds...
18 Nov 2025
What we've added for PQC, and how we got there. (Post-Quantum Cryptography in .NET, .NET Blog)
Imagine you’re running an API gateway that routes traffic to several microservices, such as authentication, payments, order management, or analytics, for example. Now imagine that everything had been running flawlessly for months, when one night a malformed request body from a mobile client triggers a 500 Internal Server Error in your monitoring system. Even the ...
13 Nov 2025
This is Part 5 of our MCP Horror Stories series, where we examine real-world security incidents that highlight the critical vulnerabilities threatening AI infrastructure and demonstrate how Docker’s comprehensive AI security platform provides protection against these threats. Model Context Protocol (MCP) promises seamless integration between AI agents and communication platforms like WhatsApp, enabling automated message...
12 Nov 2025
OpenAI is fighting the New York Times’ demand for 20 million private ChatGPT conversations and accelerating new security and privacy protections to protect your data.
7 Nov 2025
Prompt injections are a frontier security challenge for AI systems. Learn how these attacks work and how OpenAI is advancing research, training models, and building safeguards for users.
30 Oct 2025
OpenAI introduces Aardvark, an AI-powered security researcher that autonomously finds, validates, and helps fix software vulnerabilities at scale. The system is in private beta—sign up to join early testing.
28 Oct 2025
It’s not an overstatement to say that the health and fitness space has been transformed in the past couple of decades. Thanks to the introduction of wearables and trackers, keeping tabs on one’s progress no longer means manually entering weights and reps into a chalky old notebook between sets. Fitness has been streamlined, incentivized, and ...
27 Oct 2025
Vaultwarden, a password manager application, is an unofficial Bitwarden server alternative written in Rust. Vaultwarden supports connections through the Bitwarden ... (How to Install Vaultwarden Password Manager on Ubuntu 24.04, RoseHosting)
13 Oct 2025
Real-world constraints often impact how we build digital services. This is especially true for enterprise APIs in regulated industries that transmit sensitive data across jurisdictions. Constraints around how data is managed can easily slow progress — but it doesn’t have to be that way. At Platform Summit 2025, Yinka Omole, a lead software engineer at ...
8 Oct 2025
APIs have a reputation for being the weakest link in an enterprise’s cybersecurity. This can become a self-fulfilling prophecy, as APIs’ supposed vulnerabilities make them a popular target for potential attackers and cybercriminals. This can cause all manner of security issues, as APIs can be made to divulge a wealth of sensitive information using valid ...
7 Oct 2025
You may have heard it repeatedly that “API sprawl is the new shadow IT.” But what does that actually mean? Where is this problem coming from? What does this practically mean in the age of AI? And more importantly, how pervasive is this problem across the API industry? Today, we’re going to look at the ...
3 Oct 2025
In January 2024, the Centers for Medicare and Medicaid Services updated The CMS Interoperability and Patient Access Act. The new revision outlines requirements and specifications for what information medical providers need to provide, as well as how it should be formatted to ensure API security and data compliance. This is towards the goal of improving ...
2 Oct 2025
Can AI work with open finance? If you know something about AI, and especially AI agents, you may have read the title of this post and be thinking, “yes, of course it can, stupid!”. The use case for AI and AI agents in the context of financial services generally is significant, with agents having the ...
1 Oct 2025
In this blog post, we will show you how to install Bitwarden on the latest Ubuntu 24.04 OS. Bitwarden is ... (How to install Bitwarden on Ubuntu 24.04, RoseHosting)
Most teams do at least some sort of injection attack testing. This testing, however, is typically focused on a small subset of particular vulnerabilities. SQL injection is a popular target, as is command injection. Some teams may even do log injection if they’ve been burned before. But when it comes to APIs — and especially ...
22 Sept 2025
Announcing Trusted Publishing on NuGet.org: a safer way to publish packages using short-lived tokens instead of long-lived API keys. (New Trusted Publishing enhances security on NuGet.org, .NET Blog)
4 Sept 2025
As cyberattacks evolve to unprecedented levels of sophistication and speed, the time gap between breach detection and response has never been more critical. Traditional security approaches often operate reactively, identifying compromises only after damage has occurred. This delay grants attackers a tactical advantage, forcing security teams to focus on damage assessment and remediation rather than…
19 Aug 2025
Firefox is now the first and the only browser to deploy fast and comprehensive certificate revocation checking that does not reveal your browsing activity to anyone (not even to Mozilla). Tens of millions of TLS server certificates are issued each day to secure communications between browsers and websites. These certificates are the cornerstones of ubiquitous […] (CRLite: Fast,…)
13 Aug 2025
Bitwarden is a password management application that is increasingly popular among internet users. This application allows users to store their ... (How to Install Bitwarden on Debian 13, RoseHosting)
31 Jul 2025
We’re providing free CI/CD security audits for BEAM projects to help open-source maintainers catch issues early and stay secure. (Supporting the BEAM Community with Free CI/CD Security Audits, Erlang Solutions)
9 Jun 2025
Update 6/10: Based on a short conversation with an engineering lead at X, some of the devices used at X are claimed to be using HSMs. See more further below. Matthew Garrett has a nice post about Twitter (uh, X)’s new end-to-end encrypted messaging protocol, which is now called XChat. The TL;DR of Matthew’s post … (A bit…)
OpenAI introduces its Outbound Coordinated Disclosure Policy to guide how it responsibly reports vulnerabilities in third-party software—emphasizing integrity, collaboration, and proactive security at scale.
5 Jun 2025
How we’re responding to The New York Times’ data demands in order to protect user privacy
OpenAI Engineering
OpenAI is fighting a court order at the demands of The New York Times and plaintiffs, which involves retention of consumer ChatGPT and API user data indefinitely. Learn how we’re working to uphold user privacy, address legal requirements, and stay true to our data protection commitments.
28 May 2025
Digital wallet security is essential as mobile payments grow. Understand the risks and how to keep your business and customers safe. The post The Importance of Digital Wallet Security appeared first on Erlang Solutions.
26 Mar 2025
At OpenAI, we proactively adapt, including by building comprehensive security measures directly into our infrastructure and models.
6 Mar 2025
API security is crucial, as it directly impacts your business’s success and safety. How well you secure your APIs can make or mar your product, and it is of utmost importance to spend time thinking about security. I have seen developers work in Postman without properly securing their credentials, often leaving API keys exposed in shared environments or logging sensitive…
1 Mar 2025
This is a cryptography blog and I always feel the need to apologize for any post that isn’t “straight cryptography.” I’m actually getting a little tired of apologizing for it (though if you want some hard-core cryptography content, there’s plenty here and here.) Sometimes I have to remind my colleagues that out in the real … Continue reading Dear Apple:…
23 Feb 2025
Two weeks ago, the Washington Post reported that the U.K. government had issued a secret order to Apple demanding that the company include a “backdoor” into the company’s end-to-end encrypted iCloud Backup feature. From the article: The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance … Continue reading Three questions…
12 Feb 2025
I’m supposed to be finishing a wonky series on proof systems (here and here) and I promise I will do that this week. In the midst of this I’ve been a bit distracted by world events. Last week the Washington Post published a bombshell story announcing that the U.K. had filed “technical capability notices” demanding … Continue reading U.K. asks…
6 Feb 2025
This is the second part of a two three four-part series, which covers some recent results on “verifiable computation” and possible pitfalls that could occur there. This post won’t make much sense on its own, so I urge you to start with the first part. In the previous post we introduced a handful of concepts, … Continue reading How to…
28 Jun 2024
At Slack, we’re committed to security that goes beyond the ordinary. We continuously strive to earn and maintain user trust by safeguarding critical components integral to every user’s experience. From passwords to session cookies, and tokens to webhooks, we prioritize protecting everything essential to how users log into the platform and remain authenticated. Through proactive…
24 Jun 2024
Slack uses cookies to track session states for users on slack.com and the Slack Desktop app. The ever-present cookie banners have made cookies mainstream, but as a quick refresher, cookies are a little piece of client-side state associated with a website that is sent up to the web server on every request. Websites use this…
30 May 2024
We’ve terminated accounts linked to covert influence operations; no significant audience increase due to our services.
6 May 2024
Bazaarvoice has thousands of clients including brands and retailers. Bazaarvoice has billions of records of product catalog and User Generated Content (UGC) from Bazaarvoice clients. When a shopper visits a brand or retailer site/app powered by Bazaarvoice, our APIs are triggered. In 2023, Bazaarvoice UGC APIs recorded peak traffic of over 3+ billion calls per day with zero […]
17 Jan 2024
We all have secrets. Sometimes, these are guilty pleasures that we try to keep hidden, like watching cheesy reality TV or indulging in strange comfort food. We often worry: “How do we keep the secret safe?” “What could happen if someone finds out the secret?” “Who is keeping a secret?” “What happens if we lose […]
12 Dec 2023
We are heavy users of Amazon Elastic Compute Cloud (EC2) at Slack — we run approximately 60,000 EC2 instances across 17 AWS regions while operating hundreds of AWS accounts. A multitude of teams own and manage our various instances. The Instance Metadata Service (IMDS) is an on-instance component that can be used to gain an…
20 Jul 2023
In our newest blog post, we delve into the game-changing potential of the Internet of Things (IoT) in supply chain management. The post How IoT is Revolutionising Supply Chain Management appeared first on Erlang Solutions.
18 Apr 2023
Authored by: Rojan Rijal, Tinder Security Labs | Johnny Nipper, Sr. Director | Tanner Emek, Sr Engineering Manager Summary In 2021, GitHub released support for OpenID Connect (OIDC) for GitHub Actions (GHA), allowing developers to securely interact with their infrastructure resources in Amazon Web Services (AWS), and other major cloud service providers. The OIDC support allows GHA jobs to retrieve…
21 Feb 2023
Security resilience is all about reducing risk and thriving in uncertainty. The Cisco Security Outcome Report 2nd edition, showed that cybersecurity success was linked to five main security team behaviors, two of which are ‘Be proactive about technology refreshes’ and ‘Use well-integrated technologies’. Plus, as more organizations embrace hybrid work and continue to add SaaS […] The post Cisco Umbrella…
7 Nov 2022
Authors: Rojan Rijal, Tinder Security Labs | Johnny Nipper, Product Security Manager | Tanner Emek, Engineering Manager Recently, Tinder Security Labs gave a talk at Recon Village @ Defcon 30 called “Scanning your way into internal systems via URLScan.” We went over examples of sensitive links indexed by URLScan that could be leveraged to gain access into corporate systems.…
11 Oct 2022
Designing and engineering a messaging system that is used by 6.8 million students and half a million teachers in K-12 schools is no easy feat. While the typical threats against online systems from unauthorized and unauthenticated access to sensitive information remain, the school environment compounds privacy challenges as additional entities such as guardians, co-teachers, and […] The post Privacy and…
23 Jun 2022
As new ways of work – cloud collaboration, hybrid work models, and BYOD – have become the standard, it’s clear that new environments and approaches require new strategies and capabilities. The early era of cybersecurity protection was built by stacking solutions like firewalls, on-premises web proxies, sandboxing, SIEMs, and endpoint security. With more people connecting […] The post How to…
1 Feb 2022
A secure web gateway (SWG) is a cybersecurity solution that protects your network against unwanted software or malware users may encounter on the web. It does this by granting your IT or SecOps team granular control over what users on the company network can do while online. For example, your team can use an SWG […] The post What Is…
25 Jan 2022
On December 9, 2021, the Apache Log4j vulnerability – which affects the popular Apache Foundation Log4j library – was disclosed to the public over Twitter. In the days following the event, IT and SecOps teams scrambled to patch these vulnerabilities. But log4j is a popular piece of code, which means that patching takes time. That’s […] The post Protecting Against…
11 Jan 2022
Last year threw a lot at cybersecurity teams, from the emergence of several high-profile cyberattacks to the revelation of widespread vulnerabilities. As we all move into 2022, odds are your team is re-thinking your cybersecurity strategy to help make your organization more resilient and flexible. This should involve an evaluation of your cybersecurity solutions, as […] The post 3 Ways…
2 Nov 2021
A cloud access security broker (CASB) is a cybersecurity solution that serves as an intermediary between users and the cloud services that they rely on for day-to-day activities. It allows security or IT teams to enforce policies that govern users’ access to and use of cloud services. This can prevent data loss, ensure regulatory compliance, […] The post SASE Breakdown:…
12 Oct 2021
Secure Access Service Edge (SASE) has become the new standard for securing connections to business-critical applications and other digital assets. An effective SASE implementation depends on performance, architecture, and support (among other factors) for hybrid and multi-cloud environments. In this post, IT Central Station members who use Cisco Umbrella and Cisco SD-WAN explain the importance […] The post The Role…
21 Sept 2021
Over the course of a weekend in 2020, organizations around the world pivoted from in-person workplaces to either fully remote or hybrid remote/in-person work models. For security teams, this raised a concerning question: How do you protect the perimeter when said perimeter no longer exists? This is where cloud-native security – a term we at […] The post 3 Benefits…
14 Sept 2021
Based on the kind of high-profile cyberattacks dominating news cycles, you’d be forgiven for thinking these are large enterprise or government-scale crimes. But if you operate a small business, cybersecurity may be more important than you think. Most smaller businesses lack adequate cybersecurity systems, with many small business owners unaware that solutions as simple as […] The post How DNS-layer…
7 Sept 2021
Spend enough time in cybersecurity and you’re bound to have heard colleagues, analysts, and consultants suggest adding DNS-layer protection to your security stack. It’s easy to understand the appeal – using the internet’s infrastructure to block connections to malicious or unwanted domains can help protect any network from online hazards. But recently, with the conversation […] The post SASE breakdown:…
31 Aug 2021
The way we think about networking and cybersecurity has changed dramatically in recent years. The rise of remote workers, coupled with the growing push of company data and infrastructure into the cloud, prompted Gartner to outline a new approach to networking and security: Secure Access Service Edge (SASE). Where an organization’s networking and security solutions […] The post What is…
24 Aug 2021
Looking to improve your organization’s security posture? Don’t forget to secure DNS-layer activity! Learn how – and why – to invest in DNS-layer security here. The post Gartner™ quick answer: How can organizations use DNS to improve their security posture appeared first on Cisco Umbrella.
3 Aug 2021
In our last post on SASE security, we covered two key benefits of Secure Access Service Edge architecture — the security and simplicity that come from converging multiple services in a single solution delivered from the cloud. Today, we’re talking about scaling that cybersecurity to meet the growing needs of your business. Cybersecurity at an […] The post Scaling cybersecurity…
27 Jul 2021
What is Shadow IT? Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within an organization. It can encompass cloud services, software, and hardware. For several reasons, business and IT/security groups are more at odds than ever before over whether […] The post Secure Shadow…
20 Jul 2021
Secure access service edge (SASE) — cloud-delivered security combining networking and security functions — is on the rise, fueled in part by the need to secure work from home in countless locations. The hybrid work model is here to stay – and SASE solutions are critical to supporting this new normal. How do you determine which one is right for…
13 Jul 2021
Managing cybersecurity for a small business has never been more challenging. Business-critical operations increasingly rely on cloud-based applications, while employees push for more remote and hybrid work opportunities. And if your small business is like most, odds are you lack the budget to update your security infrastructure so that it keeps pace with these changes. […] The post The Essential…
6 Jul 2021
SASE security solutions provide some unique advantages in helping you protect your organization. See how SASE drives simplicity and security — and see why Cisco Umbrella is an ideal SASE starting point. The post The Benefits of SASE for Driving Digital Transformation in Your Security Stack appeared first on Cisco Umbrella.
9 Jun 2021
Context At Clever, we rely on nearly two thousand infrastructure secrets like DB access keys, API tokens, and session secret keys to provide our services to students and teachers. Properly securing these secrets so we don’t expose them in our various environments requires thorough engineering efforts. In fact, securing secrets is generally a hard problem […] The post How Clever…
8 Jun 2021
Roaming users, remote offices with direct internet access, cloud and SaaS applications — today’s workplace needs have evolved beyond the capabilities of traditional perimeter-based security. As the digital perimeter expands outwards it’s important to understand the potential impact this can have on your cyber security and some of the benefits of moving to a cloud […] The post Cloud security…
18 May 2021
Like any web browser, Firefox loads code from untrusted and potentially hostile websites and runs it on your computer. To protect you against new types of attacks from malicious sites and to meet the security principles of Mozilla, we set out to redesign Firefox on desktop. The post Introducing Firefox’s new Site Isolation Security Architecture appeared first on Mozilla Hacks…
13 May 2021
Cisco Umbrella is proud to announce the addition of our most recent global cloud data center, Spain! Our DC is located in Silicon Alley, not to be confused with Silicon Valley. We chose this location because it resides in the heart of connectivity and high-tech industry in Madrid. Improved cybersecurity services for our Spanish and […] The post Cisco Umbrella…
20 Apr 2021
A new year brings a new wave of predictions for how companies will be shaping their network security architectures in 2021. Could anyone have predicted 2020 was going to be the year that changed the way companies did business, managed networks, and secured users? Much of these changes happened in a moment’s notice and held […] The post Making ESG’s…
6 Apr 2021
We successfully deployed ThreadSanitizer in the Firefox project to eliminate data races in our remaining C/C++ components. In the process, we found several impactful bugs and can safely say that data races are often underestimated in terms of their impact on program correctness. We recommend that all multithreaded C/C++ projects adopt the ThreadSanitizer tool to enhance code quality. The post…
Earlier this month, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on the growing need to introduce a protective DNS (PDNS) solution to your organization’s security footprint. Because DNS is foundational to most online activity, it’s also the layer where many attacks — including malware, phishing, command and control, […] The post Protective DNS:…
9 Feb 2021
Mozilla has been fuzzing Firefox and its underlying components for a while. It has proven itself to be one of the most efficient ways to identify quality and security issues. In general, we apply fuzzing on different levels: there is fuzzing the browser as a whole but a significant amount of time is also spent on fuzzing isolated code (e.g.…
Can we all agree the shift has happened – the workforce isn’t just working from a coffee shop on occasion? The events of 2020 accelerated a growing trend of work from anywhere, any device, any time, while expecting a seamless experience. That’s not a tall order. That’s a grande order – with a double-shot of […] The post Expanding SASE…
2 Feb 2021
For small business owners, much has changed in the past few years – a widespread shift to remote work, a growing push for companies to use cloud apps, the general embrace of cloud data storage. In this brave new world, one thing has remained constant: For small businesses, strong cybersecurity is essential. After all, these […] The post Small Businesses…
19 Jan 2021
These days it seems like the only constant is change, and the networking and security worlds are no exception. Industry predictions around consolidation, cloud adoption, and convergence that were previously considered aggressive now seem understated. And with the unprecedented move to remote work across industries, these massive shifts continue to accelerate. The network perimeter is […] The post How to…
5 Jan 2021
Every journey starts with one step. Whether that step is the first toward climbing a mountain or launching the campaign to keep your organization safe from cyberthreats, it’s important just to take that first step forward. You might not want to hear this, but cyberthreats are becoming more advanced and attackers are using new techniques […] The post Keep these…
15 Dec 2020
Secure anywhere, protect everywhere with Cisco Umbrella and Advanced Malware Protection (AMP)
OpenDNS
It’s no secret that the world of work has changed dramatically. The “office” is now almost anywhere except the traditional campus you own and protect. Your workers and your data have scattered to bedroom alcoves, kitchen tables, outdoor coffee shops, and the park bench. Organizations have more critical infrastructure, applications, and sensitive data stored in […] The post Secure anywhere,…
1 Dec 2020
One of the main reasons that the secure access service edge (SASE) is getting so much attention these days is that it combines several networking and security capabilities and functions normally carried in multiple, siloed point solutions into a single, fully integrated cloud-native platform. This allows organizations to overcome cost and performance issues, resulting in […] The post What goes…
24 Nov 2020
Every day, the Cisco Umbrella global network processes over 250 billion recursive DNS requests. Simply processing these recursive DNS requests is a huge job, but we’re also tasked with ensuring that each of these queries is answered as quickly as possible. One of the technologies that helps us maintain our great availability and speed is […] The post Why the…
13 Oct 2020
It’s no secret – networking and security have left the building. Even before the major shift to remote working in the first half of 2020, workplaces had already made the transition to a decentralized network architecture, where computing resources are located outside the data center and most enterprise traffic is destined for public cloud services. […] The post How to…
6 Oct 2020
It might be hard to believe, but it’s already October, which means the leaves are changing, the weather is getting colder, and – you guessed it – people everywhere are taking steps to improve their cybersecurity knowledge and practices to combat cyberattacks. Now in its 17th year, National Cybersecurity Awareness Month (NCSAM) started as a […] The post Cisco Umbrella…
29 Sept 2020
Working outside the office is no longer a trend or an office perk — it’s our new reality. And make no mistake – cyberattacks have not slowed down while so many people have begun working remotely outside the protections of the corporate office network. Enabling off-network endpoint protection for users is no longer optional – […] The post Secure remote…
15 Sept 2020
84.7% of cyberattacks involve phishing. In such a scenario, it becomes very important to understand the various ways a phishing attack could occur. Phishing URLs are commonly found on cloud providers. This article will take you through why cloud providers are being used increasingly for phishing campaigns and what pattern an attack on these sites […] The post Why cloud…
8 Sept 2020
Remote work isn’t just the future – it’s here and now. With most, if not all, of your users working from home, you need to deliver the same level of protection for the sensitive, business-critical data on their laptops and mobile devices as if they were working in the office. Cybercrime hasn’t slowed down during […] The post Protect remote…
1 Sept 2020
How networking and cloud security solutions have evolved to connect and protect users everywhere
OpenDNS
No matter what market, industry, or regulatory challenges your organization has faced through the years, one thing is certain. Connecting and protecting your customers, employees, contractors, and partners wherever they work is always the goal, but the details are constantly evolving. That’s never been truer than in this remote, distributed, always-on world today. The very networking and security landscape itself…
25 Aug 2020
IT, network operations, and security operations teams are being called to do more to secure the organization while also delivering information and services to an increasingly distributed and ever-expanding edge. To keep your teams and organization protected, you need a way to simplify your cybersecurity stack while evolving it to meet today’s needs and your unique challenges. Whether you’re a…
4 Aug 2020
Browsers are changing the default value of the SameSite attribute for cookies from None to Lax. This will greatly improve security for users. However, some web sites may depend (even unknowingly) on the old default, potentially resulting in site breakage. At Mozilla, we are slowly introducing this change. And we urge web developers to test their sites with the new…
1 Jul 2020
As part of Mozilla’s ongoing commitment to improve the privacy and security of the web platform, over the next few months, we will be making some changes to the Gamepad API. Starting with Firefox 81, the Gamepad API will be restricted to what are known as “secure contexts.” The post Securing Gamepad API appeared first on Mozilla Hacks - the…
30 Apr 2020
Fuzzing, or fuzz testing, is an automated approach for testing the safety and stability of software. For the past 3 years, the Firefox fuzzing team has been developing a new fuzzer to identify security vulnerabilities in the implementation of WebAPIs in Firefox. This fuzzer leverages the WebAPIs’ own WebIDL definitions as a fuzzing grammar. The post Fuzzing Firefox with WebIDL…
3 Apr 2020
Distinguished engineer Martin Thomson explains how this problem occurred, the implications for people who might be affected, and how problems of this nature might be avoided in future. To get there, we need to dig a little into how web caching works. The post Twitter Direct Message Caching and Firefox appeared first on Mozilla Hacks - the Web developer blog.
22 Mar 2020
I really like Secure by Design. The key idea is that there is a big overlap between secure code and good software design. Code that is strict, clear and focused will be easier to reason about, and will have fewer … Continue reading →
10 Mar 2020
The release of Firefox 74 is focused on security enhancements: Feature Policy, the Cross-Origin-Resource-Policy header, and removal of TLS 1.0/1.1 support. We’ve also got some new CSS text property features, the JS optional chaining operator, and additional 2D canvas text metric features, along with the usual wealth of DevTools enhancements and bug fixes. The post Security means more with Firefox…
25 Feb 2020
Protecting the security and privacy of individuals is a central tenet of Mozilla’s mission. While we continue to make extensive use of both sandboxing and Rust in Firefox to address security challenges in the browser, each has its limitations. Today we’re adding a third approach to our arsenal. RLBox, a new sandboxing technology developed by researchers at the University of…
6 Feb 2020
The Transport Layer Security (TLS) protocol is the de facto means for establishing security on the Web. The newest version, TLS 1.3, improves efficiency and remedies the flaws and weaknesses present in earlier versions. In October 2018, we announced our plans regarding TLS 1.0 and TLS 1.1 deprecation. Now's the time for us to make this change together and move…
24 Jul 2019
At Clever, we lock down code access to customer data using AWS IAM roles with session policies. In Clever’s microservice AWS architecture, each service has a unique IAM role with access to the AWS resources it needs: S3 buckets, DynamoDB tables, and so on. Our services are multi-tenant and customer data is separated via logical […] The post Using IAM…
15 May 2019
As you may have read last year, Safari, Firefox, Edge and Chrome browsers are removing support for TLS 1.0 and 1.1 in March of 2020. That means there’s less than a year to enable TLS 1.2 (and, ideally, 1.3) on your servers, otherwise all major browsers will display error pages, rather than the content your users came to see. The…
24 Jul 2018
Clever Goals is a new product that tracks students’ educational software usage. It creates progress data, a new type of data for Clever. This sensitive data needs to be protected from unauthorized access, and users should feel in control over how it’s used. How does the Clever security team make sure that new products like […] The post Securing New…
28 Feb 2018
Over the past month, Clever worked with CERT to address a vulnerability in our open-source SAML2 library. Clever maintains an open source library implementing the SAML protocol in Node.js known as saml2-js. We use this library internally in our SAML service provider functionality for schools using Clever SSO and the Clever Portal. It is used […] The post saml2-js and…
27 Feb 2018
Internet security is a topic that receives more attention every day. If you’re reading this article in early 2018, issues like Meltdown, Spectre and the Equifax breach are no doubt fresh in your mind. Cybersecurity is a massive concern and can seem overwhelming. Where do you start? Where do you go? What do you do […]
5 Nov 2017
Like most security professionals I am spending a large amount of time helping my company move securely to AWS. Certificate management in AWS is done with AWS Certificate Manager and while they do offer *free* certificates, ACM generated certs are outside your direct control. You don’t get the keys which, at least for some things, should probably be a non-starter…
10 Oct 2017
When you navigate to your project in CircleCI's UI, JavaScript from eight different analytics companies gets loaded and executed in your browser: Pusher, Intercom, LaunchDarkly, Amplitude, Appcues, Quora (??), elev.io, Optimizely. You can see this in my Network tab here: This is a problem because the CircleCI browser context has full access to the […]
19 Jun 2017
Using Let’s Encrypt and Certbot to automate the creation of certificates for OpenVPN
Luciano Mammino
This post explains how to use Let's Encrypt and Certbot to automatically generate and renew SSL certificates for OpenVPN. It provides a complete Terraform setup as a practical example.
29 Apr 2017
Recently I started looking at the Umbrella DNS Popularity List and did a blog post about it here. The data seemed valuable and lacking at the same time so I spent my *limited* free time this week learning about R and RStudio. Protip: If you want to play along at home there is an RStudio docker container so all you…
3 Apr 2017
I am a big fan of DigiCert for TLS Certificates and CA/WebPKI services. While they have amazing customer support and are an amazing company to work with, there are not a lot of automation scripts to interact with their API available. So over the weekend and with a lot of help from Clint Wilson I built a shell script that:…
20 Mar 2017
A few weeks ago I was asked by a friend, “why should I care about Go”? They knew that I was passionate about Go, but wanted to know why I thought other people should care. This article contains three salient reasons why I think Go is an important programming language. Safety As individuals, you and I may be […]
19 Jan 2017
I was at dinner on Tuesday with 6 security professionals and I proposed this hypothetical situation and I thought it was worth writing up and sharing. Background: Six identical safes with $1,000,000 inside are being built into the side of a public building and are being randomly assigned to everyone at the dinner. At the end of 90 days any…
10 Jan 2017
The password is both a ubiquitous and brittle security mechanism. With the emergence of new security trends like post-quantum cryptography and IoT-botnet attacks, it’s easy to overlook attacks that exploit guessable, reused, or coerced passwords. But the wherewithal among users to use strong passwords and keep them safe is rare. Despite decades of practice, managing […] The post Securing Saved-password…
6 Jan 2017
Scanning a host with Nmap is a fairly routine act for some in security, but from time to time you want to either get a different view of a host or try to conceal your public IP. In this case I use this simple “trick” to run an nmap scan through Tor. To do so you need…
30 Dec 2016
Yesterday US-CERT released information on GRIZZLY STEPPE, the malware used in the DNC hack. The IP and hash information provided by US-CERT was really lacking, so I decided to dig through it and see if I could make more of it. The first thing I did was to run the IPs through an ipinfo2sheets spreadsheet I put together earlier…
29 Dec 2016
In November I saw this YouTube video on turning a USB Air Purifier into a $75 USB Killer: My soldering skills are basically nonexistent, so while I had some time off around the holidays I decided this would be a decent project to help improve them. So in early December I ordered 3 of these from Amazon: USB ionic Oxygen…
22 Dec 2016
I had a coach whose favorite quote was “Pain is the best teacher.” and that was the first thing that popped into my head this morning when I realized that I had left an $80 a month Digital Ocean Droplet running for an extra 3 weeks after I got done using it. To be honest $60 isn’t *that* painful but…
20 Dec 2016
What will 2017 hold for the security industry? I sat down and looked into my crystal ball and came up with these 8 security predictions for 2017. A Fortune 500 Will Use “DDoS as a Service” To Attack A Competitor. A bored VP of Marketing with a PayPal account, a six pack and a nephew who can get him on…
5 Dec 2016
As long as we allow ourselves to write string-based dynamic SQL embedded in other programming languages like Java, we will have a certain risk of being vulnerable to SQL injection. That’s a fact. Don’t believe it? Check out this website exposing all vulnerabilities on Stack Overflow for PHP questions: https://laurent22.github.io/so-injections In a previous blog post, … Continue reading Prevent SQL…
4 Dec 2016
I have been playing with my stack of Pi Zeros a bunch lately, and tonight I decided to put together a Pi Zero OTG Ethernet gadget that runs Kali (really KaToolin), XRDP and Mate in a computer-on-a-stick configuration. This way I have a full (as I want it to be) Kali installation with me as long as I have…
30 Nov 2016
I have been playing with my stack of Pi Zeros recently and started to read about the kernel OTG gadgets, and was intrigued by the OTG_HID gadget. So after doing some reading I found that someone had ported the USB Rubber Ducky platform to the Pi Zero and called it rspiducky. Building it is fairly straightforward, but if you…
28 Nov 2016
I have been reading a lot about Beacon Frames on my vacation this week (stop laughing) and I came across a tool in Kali called MDK3 that will allow you to send fake beacon frames. I couldn’t pass up a chance to test this, so I pulled out my trusty TL-WN722N and made a list of the 5,0000 most common…
26 Nov 2016
Thanks to PoisonTap I have finally had a reason to pull my PiZero out of the ever growing “Stuff to Hack” pile and start working on it. I have a couple of neat ideas that are coming down the pipeline but this weekend I built a VPN sidecar using a USB OTG Gadget. I wanted to be able to use…
13 Nov 2016
In the last two years Burp Suite Proxy has become my go-to web application security scanner. As with everything recently, if I can automate it, I do. So this weekend I built a simple script to scan a website with Burp, create a PDF report and post it to Slack. Here is how I set it up: Create a…
9 Nov 2016
I have recently been automating a lot of my technical security tasks and building Slack bots around them, and it was w3af's turn. W3af is an amazing open source web application security scanner that my friend Andres Riancho writes and maintains. The goal of this project was to build scheduled and automated scans of my web properties with PDF reporting…
5 Nov 2016
As I have talked about before, “You can't defend what you don't know exists”, so today while sitting around and trying to recover from walking pneumonia I wrote slackmap to continually nmap a network and post the differences to Slack. Configuration is amazingly easy. I run a copy of this on a $5 a month DigitalOcean Droplet for an external…
30 Sept 2016
The recent total war bombardment of Brian Krebs’ site, and the subsequent allegation that the traffic emanated from compromised home routers, cameras, baby monitors, doorbells, thermostats, and whatnot, got me thinking. Prolexic said the 665 Gbps attack that hit my site tonight is almost twice the size of the largest attack they've seen previously. — […]
25 Aug 2016
One of the first things I like to do when I start looking at a PCAP during an investigation is run it through snort to see if it finds anything suspicious. You can easily do this at the command line with snort -dv -r test.pcap but the output is not great. I have been using a tool called websnort for…
17 Aug 2016
My friends at DigitalOcean were nice enough to give me a generous amount of credit on their cloud platform to do some security research with so I decided to do the most reckless thing I could think of and run a full ssh honeypot on the internet. The build out is pretty simple, it is the SSHoneypot Docker Container I…
25 Jul 2016
I took some time tonight and read through the Security Summer Camp (BSidesLV, Blackhat and Defcon) schedules and picked the talks from this year that I think will be the best and that I do not want to miss. I ended up with these 16 talks I am going to make a special point to see next week: BSidesLV Managing…
15 Jul 2016
We are two weeks away from Security Summer Camp (which is BSidesLV, Blackhat and Defcon)! So it is time for everyone to write their annual blog posts about what you must do before you head out. I want to be one of the cool kids so here is my list of 6 things to do before you pack: Delete All…
13 Jul 2016
While doing security research it is not uncommon for me to build and destroy between 20 and 25 cloud servers a week on Digital Ocean. While there are great guides like: My First 10 Minutes On a Server – Primer for Securing Ubuntu My First 5 Minutes On A Server; Or, Essential Security for Linux Servers I do not have…
10 Jul 2016
There has been a lot of talk about why you should use a VPN on public networks and why it shouldn't be a commercial one. I am a huge fan of the Streisand privacy stack because it includes an L2TP/IPsec VPN, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge all in one amazing package. The problem with Streisand…
9 Jul 2016
I worked with a consultant using the lair framework two years ago and since then I have been a huge fan of the project for managing pentest information. Tom Steele has done an amazing job with the project, but it has been a pain to install; thanks to Ryan Hanson and Docker you can now set up a lair instance…
12 May 2016
Clever Badges makes it easy for K-2 students to log into applications. As with any new feature, we wanted to understand and address any potential security risks before we launched Clever Badges to our users. If we built Clever Badges without thinking deeply about security, it would have been easy to introduce a vulnerability and […] The post Clever Badges…
27 Dec 2015
I recently finished reading Ghost in the Wires by Kevin Mitnick. It is the story of Mitnick’s hacking career, from the start in his teens, through becoming the FBI’s most wanted hacker, to spending years in jail before finally being … Continue reading →
20 Oct 2015
I just finished taking the course Software Security from the University of Maryland via Coursera. It was a relatively easy course (at least if you know C) that gave an overview of the following areas: buffer overflows and other memory attacks, … Continue reading →
26 May 2015
Keybase.io is a new service that combines asymmetric cryptography with a social network. It allows users to easily share public keys and authenticate messages by linking keys to profiles on Twitter, GitHub, Reddit, etc. The service provides encrypted messaging and bitcoin wallet pairing to make adopting cryptography seamless.
29 Sept 2014
CVE-2014-6271 and CVE-2014-7169, also known as “Shellshock”, are high impact vulnerabilities affecting the Bourne Again Shell (Bash). The vulnerability allows an attacker to trick Bash into running arbitrary commands, which could result in unauthorized disclosure of information, unauthorized modification and disruption of service. Because this is such a big threat, and because at Clever we take security […] The post…
30 Jul 2014
You should sign up for a VPN service! Yes you, the casual Internet browser. Here is why. Any time you connect from your laptop/phone to a wireless network (SFO Wifi, Starbucks, etc), anyone else on that network can read all of your traffic over HTTP, to sites like Wikipedia, Netflix, YouTube, WebMD and more. This […]
30 Mar 2014
Learn how to reset a lost MySQL root password by restarting the server with disabled security checks. This allows resetting the password directly in the database. Useful when locked out but reduces security temporarily.
14 Feb 2014
This post collects resources and provides a graph to understand how Symfony authentication works behind the scenes, from the initial request to the final authenticated token. It clarifies the relationships between key classes like firewall, authentication provider and authentication listener.
30 Aug 2012
WSUS: Moving from Windows Internal Database to external Microsoft SQL Server 2008 and receiving “Token-based server access validation failed with an infrastructure error”
Schakko: Today I had to move the WSUS internal database to one of our backend database servers. Microsoft has a good instruction how to do this, nevertheless I ran into a problem. Microsoft SQL Server 2008 did not allow me to add the machine account of our WSUS frontend server (let […] The post WSUS: Moving from Windows Internal Database to…
11 Dec 2011
Last year Zone-H reported a record number of 1.5 million website defacements. 1 million of those websites were running Apache. When it comes to configuring a web server, some people tend to turn everything on by default. Developers are happy because the functionality that they wanted is available without any extra configuration, and there is […]
4 Jul 2010
Now and then it can happen that the pop3proxy of the Sophos UTM (formerly Astaro) “swallows” incoming e-mails. The reason is Spamassassin, which runs in the background and causes extremely high CPU load on certain e-mails. I have now observed this behaviour several times with e-mails that arrived via the Bugtraq mailing list […] The post How-To: Flush/delete the mail queue in the Sophos UTM pop3proxy…
22 Jun 2009
Yesterday an interesting HTTP DoS tool was released. The tool performs a Denial of Service attack on Apache (and some other, see below) servers by exhausting available connections. While there are a lot of DoS tools available today, this one is particularly interesting because it holds the connection open while sending incomplete HTTP requests […]
4 Jul 2008
Google announced the release of ratproxy, a passive web application security assessment tool that they’ve been using internally at Google. This utility, developed by their information security engineering team, is designed to transparently analyse legitimate, browser-driven interactions with a tested web property and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern. The […]
24 Apr 2008
I’m a big fan of PHP_CodeSniffer and I think it’s a great development tool; it ensures that you write code that is easy to read and maintain. But what about making sure that the code you write is secure and doesn’t have any vulnerabilities? Right, there’s another tool for that… PHP Security Scanner is a […]
Web security is possibly today’s most overlooked aspect of securing the enterprise and should be a priority in any organization. Recent research shows that 75% of internet attacks are done at the web application level. Web application security scanners ensure website security by automatically checking for SQL injection, cross-site scripting and other vulnerabilities. There are […]