Security

I picked up some pointers over the years consulting for government and banking sectors before entering a PCI DSS development environment. This section covers aspects like coding, testing, code review and best practice.

Welcome to the Security section of TomRed.net; below is a list of articles associated with software security. This covers aspects from testing and code review to best practice.
Having spent several years consulting for governments and banking sectors before entering a PCI DSS (Payment Card Industry Data Security Standard) development environment I picked up some pointers along the way.
I intend to identify and tackle the OWASP Top 10 using a range of approaches and strategies such as STRIDE threat model.

Server Security - Server Hardening Guide

Prevent Unauthorised Access

Firewall
  • Ubuntu ufw - Uncomplicated Firewall > https://help.ubuntu.com/12.04/serverguide/firewall.html

Identify If Server Is Compromised
  • An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious…

Linux Antivirus

If you have come this far then I will assume I don't have to engage in the discussion on whether you need antivirus on Linux or not. All I will say is that from a security perspective it is just good practice: the principle of defence in depth says do everything you can to secure each link in the chain. I have outlined the RedHat and Ubuntu distro approaches to installation and configuration below.

Securing SSH access to a Server

I always encourage hardening servers and reducing access to network resources. It is often difficult to work out what is required, so I have created a list of my usual suggestions when reviewing access via SSH. In cases like this I prefer to think of it as Securing Authorised Access.

Web Application Security - User Input Validation

As with everything that comes from outside your zone of control, you should never trust user input, and web applications are no exception. You should normalise and validate all strings entered by a user or sent by a client. There is a simple set of rules that, when followed, can reduce your exposure to attackers and common exploits.

Web Application Security - Setting Appropriate Timeouts

When you create or deploy a web application you need to ensure you set appropriate timeouts. Over the years working in the industry I have noted one or two interesting things: customers, clients and attackers all love long-lived sessions. Long timeouts allow customers to stay logged in for longer without having to re-authenticate.

Web Application Security - Secure Cookies

When working with any web application, security should be your top priority. Securing cookies and sessions is one of the first steps in keeping an application secure.
