Channel: Security – Xebia Blog

HTTP Authentication and Security with Apache Shiro

Authenticating users is an important part of an application, and so is limiting access to resources with authorization. Spring Security is the reference in web environments. However, it is tied to the...

Some cloudy predictions

Spring has just started, so it is time for an attempt at predicting the future (and for using a cliché). Together with a few colleagues we brainstormed about what we think is important. After...

Security is dead, long live security

Last week the 7th edition of BruCON was held. For those unfamiliar with it, BruCON is a security conference where everybody with an interest in security can share their views and findings. As always it...

Security is maturing in the Docker ecosystem

Security is probably one of the biggest subjects when it comes to containers. Developers love containers, and some ops people do as well. But most of the time it boils down to the security aspects of containers....

Configure SSL for SonarQube on Windows

The documentation for SonarQube explains how to configure SSL when you’re running on Linux and how to use the native Tomcat functionality for a simple test environment, yet they recommend not to use...

Being An Agile Security Officer

Whenever I give a presentation, training, or just talk to security teams, it becomes clear that over the years a gap has been created between application security and development. A gap we created...

Being An Agile Security Officer: Security Stakeholdership mindset

This is the second part in my blog series about ‘being an agile security officer’. In this blog I will focus on the mindset of security stakeholdership in Agile and DevOps environments. In the Agile...

How to create your own Lint rule

When you are part of a multi-team project in Android, it becomes relatively hard to have a common understanding of how components should be used. This is where Android Lint can help you! In this blog...

Being an Agile Security Officer: pwn the process

This is the third part of my ‘Being an Agile Security Officer series’. As mentioned in my previous blog, in the Agile world the Product Owner is the person who translates business and customer desires...

Caveats and pitfalls of cookie domains

Not too long ago, we ran into an apparent security issue at my current assignment – people could sign in with a regular account, but get the authentication and permissions of an administrator user (a...

Cheating and building secure iOS games

You probably have one of the million games where you earn achievements and unlock specials on your iPad or iPhone. If you develop games, you’ve probably wondered about people cheating at your games. In...

Being an Agile Security Officer: user stories

This is the fourth part of my ‘Being an Agile Security Officer series’. In this blog post I will go deeper into the details of how user stories are created and what role security stakeholders should...

Being An Agile Security Officer: Spread Your Knowledge

This is the fifth and last part of my blog series about Being an Agile Security Officer. In the previous parts I showed how Security Officers can align with the Agile process and let security become a standard...

CertShout: All your domains are public

TLS should be mandatory for every website. But, when you set it up, make sure you configure the certificate correctly. This includes not having any sensitive data in any of the fields of the...

Incident management: what we can learn from a crisis

In information security we have a saying: ‘never waste a good crisis’. As grim as this may sound, there are valuable lessons to be learned from situations like the recent corona outbreak. As seen in...

Security by design? Don’t create a YAPWAV!

Security is about making risks visible and mitigating the impact of possible incidents to an acceptable level. The ‘security by design’ philosophy aims for every application or system to be at an...

Threat Modeling – Start using evil personas

Agile teams often use the concept of personas to create more tailored user stories, so could you use evil personas to describe malicious behavior? Personas are “synthetic biographies of fictitious...

Threat modeling without a diagram

Most threat modeling approaches (such as STRIDE) assume you have a technical overview like a Data Flow Diagram. An interesting question therefore is: can you threat model when there is no such thing...

Improving Security by influencing Human Behavior

We all know that the hardening of a system does not magically improve the security of an organisation. For a successful implementation a holistic approach is needed. Implementing and improving security...

Secure Deployment: 10 Pointers on Secrets Management

In a previous blog we talked about secure deployment. Secrets management is an important part of that. So what does that mean? In this blog we’ll give some pointers on how to do secrets management well...
