Over a decade ago, my employer issued me an RSA SecurID token to protect their VPN. This little device had a six-digit LCD display that would roll over to a new random-looking number every minute. I had to add whatever it showed at the moment to my password in order to successfully authenticate. Today, a […]
There have been increased reports of cyber threats and scams since the start of the COVID-19 pandemic. With so many of us working from home lately, I wanted to share a handful of guidelines. This list is by no means comprehensive. And you should always look first to your employer’s IT security guidelines — especially […]
As software makers, we face a unique threat model. The computers or accounts we use to develop and deliver software are of more value to an attacker than what ordinary computer users have—cloud service keys can be stolen and used for profit, and the software we ship can be loaded with malware without our knowledge. […]
Binding unescaped HTML or CSS content on a web page is a scary proposition for most web developers. The idea conjures up black-hat hackers attacking your company’s infrastructure and high-visibility hacks. In fact, cross-site scripting vulnerabilities may exist on as many as 70% of all web sites. In this post, I’ll explain what cross-site scripting […]
Security is an important concern for companies that are launching a new web or mobile application. You want to be certain that the integrity of your system and of your data is protected against both intentional and casual misuse.
In an era where security breaches seem to be regularly making the news, encryption is a very important topic to understand. It helps protect your data, your interactions, and your access even when attackers make end-runs around software defenses.
First announced almost a month ago, Shellshock continues to endanger unpatched web servers and Linux devices. So what is it? How can you tell if you’re vulnerable? And how can it be addressed? What Is Shellshock? Shellshock is a vulnerability in the bash software program. Bash is a shell, installed on Linux and other operating […]
Security patches for libraries and tools come out quite frequently. Just subscribe to any Linux distribution security list, and you’ll find that security updates are released with astounding frequency, sometimes even daily. Even kernel security updates are fairly common, with two security patches being released for the kernel used by Ubuntu 12.04 LTS in June. […]
As much as I’d like to see a world where PKI is used to secure digital resources, the status quo is a world often secured by passwords. Passwords are hard to remember, and easy to lose. We should use complex, hard-to-guess passwords. We should use separate passwords for every site. We should keep passwords to […]
With the recent Heartbleed fiasco, I found myself frequently generating new SSL keys and certificates for Atomic and our customers. Even though the OpenSSL implementation of the TLS heartbeat protocol was broken, the openssl utility itself is still extremely useful for working with SSL certificates. The number of sub-commands and options for the openssl command […]