While most people have moved to sites like Medium, I have finally decided it is time to blog, and to do it on my own website. The only concession is that I will be using the static site generator Hugo and deploying through the CI/CD offered by Netlify.
Web development is hard. Secure web development is harder. Running applications on the internet without security incidents is almost impossible. A non-exhaustive list of infrastructure services that you rely on for running any website.

The following are references for the talk given at Microsoft Ventures Accelerator on 28th April 2015.

References

General
- An illustrated guide to computer security

Security News
- Hackers temporarily take control of Tesla's website and twitter

Fundamentals
- DNS Resource Records

Tools
- DNS Recon: DNS Recon; Using DNS Recon tool
- DirBuster: DirBuster; Using DirBuster Video; Using DirBuster like a pro
- wfuzz: wfuzz; wfuzz basics; Bruteforcing web applications; webslayer (a similar tool)
- fuzzdb: fuzzdb; Using fuzzdb for testing website security
- Web app URLs: default list web app urls; pwnwiki
- cewl: cewl - Wordlist generator

Concepts
- Ocean's 11 Movie Plot
- Trust

OWASP
- OWASP; OWASP Top 10; OWASP Top 10; OWASP Mobile Top 10
- OWASP A1 Injection: Injection; Exploits of a Mom (Bobby Tables); SQL Injection; Command Injection; XXE
- OWASP A3 Cross Site Scripting: XSS; Apache.
Security is always a concern. Microservices make some things easier to secure, and some things need extra attention.

List of security issues to think about
- The network layer of each service needs protection for exposed ports
- DNS and NTP are critical infrastructure resources when everything hinges on service discovery
- Each service requires transport layer security, request authentication and, depending on requirements, additional authorization information
- Logs etc. required for audit trails need to be captured, stored and observed
- If services are geographically distributed, enabling TLS on them exposes the services to OSINT through Certificate Transparency logs

Network, Transport and Ports
Typically all services listen on TCP ports providing high level functionality wrapped in HTTP or RPC
Step 1: SSH to the kali box

ssh root@kali

Now we create a weird tunnel thing:

ssh -L 8001:localhost:8002 firstname.lastname@example.org -t ssh -D 8002 email@example.com

Now in Burp Suite in Kali give the following for SOCKS proxy:

`Socks Proxy Host` 127.0.0.1
`Socks Proxy Port` 8001

Note: You can also use socat in TCP forwarder mode and forward the local 8001 port to other interfaces so that you can proxy directly using your host computer.
Consider this a very basic step by step guide to getting started with application security practice for your organisation. We begin by looking at an overall framework and pick the Microsoft SDL, which is the gold standard for building applications in enterprises. Once we have the overall framework defined, we can look at web and mobile application specific resources for guidance and for benchmarking against.

STEP 1 - Get introduced to Microsoft Security Development Lifecycle
- Read the Microsoft SDL getting started documents
- Download the Microsoft SDL Optimization Model
- Start by reading the SDL Optimization Model - Introduction.