Categories: DevOps, Information Security & Privacy

BeyondCorp proxy possibilities on AWS, Google Cloud, Azure

It appears there’s now another tool in the arsenal for those looking at implementing a BeyondCorp-style security model, with the arrival of OIDC authentication support in AWS’s Application Load Balancer. It adds to a growing list of possibilities, at least for HTTP-based services. Who needs a VPN anyway?

The options I’m aware of now include:

  • Bitly’s OAuth2 proxy – a simple …
Categories: Information Security & Privacy, Personal

Not ready to #DeleteFacebook? Here’s some baby steps…

I admit it. I still haven’t taken the plunge to #DeleteFacebook. I can’t remember the last time I posted anything on it, but friends still invite me to events and send me messages via Messenger. Likewise, I haven’t brought myself to use a VPN as standard, or Tor for that matter!

That said, here are some things you might like to try, …

Categories: Information Security & Privacy, Software Engineering

SSL Termination and Secure Cookies/requireSSL with ASP.NET Forms Authentication

If you’re running an HTTPS-only web application, then you probably have requireSSL set to true in your web.config like so:

<httpCookies requireSSL="true" httpOnlyCookies="true" />

With requireSSL set, any cookies ASP.NET sends with the HTTP response – in particular, the forms authentication cookies – will have the “secure” flag set. This ensures that they will only be sent to your website when …

Categories: ASP.NET, DevOps, Information Security & Privacy, Web Development

Get ASP.NET auth cookie using PowerShell (when using AntiForgeryToken)

At FundApps we run a regular SkipFish scan against our application as one of our tools for monitoring for security vulnerabilities. In order for it to test beyond our login page, we need to provide the tool with a valid .ASPXAUTH cookie (you’ve renamed it, right?).

Because we want to prevent cross-site request forgery against our login pages, we’re using …

Categories: ASP.NET, Information Security & Privacy, Web Development

Forms Authentication loginUrl ignored

I hit this issue a while back, and someone else just tripped up on it, so I thought it was worth posting here. If you’ve got loginUrl set in your Forms Authentication configuration in web.config, but your ASP.NET Forms or MVC app has suddenly started redirecting to ~/Account/Login for no apparent reason, then the new SimpleMembership(ish) provider is getting in the …

Categories: IIS, Information Security & Privacy

Achieving an A+ grading at Qualys SSL Labs (Forward Secrecy in IIS)

At FundApps we love the SSL Labs tool from Qualys for checking best practice on our SSL implementations. They recently announced a bunch of changes introducing stricter security requirements for 2014, and a new A+ grade – so I was curious what it would take to achieve the new A+ grading. There are a few things now required to achieve …

Categories: Information Security & Privacy

High-level IE 6 vulnerability found

Julien McArdle posts here about a very high-level Internet Explorer vulnerability – affecting IE 6 on Windows XP SP2. I sure hope MS gets a patch out quick – this one is of the “delete all files in the Windows directory” level… Nice 😐

Categories: Information Security & Privacy

Microsoft AntiSpyware Beta 1 is released

It seems the first Microsoft AntiSpyware beta has been released – you can get it here. This is the first public preview since Microsoft acquired GIANT’s anti-spyware technology. It’s looking good!

You can read more about it on the WinSuperSite.

Categories: Information Security & Privacy, Software Engineering

Windows IE exploit found after source code leak

I must admit this happened much quicker than I thought it would: see these articles on The Register and Security Tracker – apparently an exploit for a buffer overrun problem in IE *5* has already been released – supposedly discovered by reading the leaked Windows source code.

I’m curious as to whether this source code leak will be a …