Welcome to the Security section of TomRed.net; below is a list of articles on Software Security. This covers aspects from testing and code review through to best practice.
Having spent several years consulting for government and banking sectors before entering a PCI DSS (Payment Card Industry Data Security Standard) development environment, I picked up some pointers along the way.
I intend to identify and tackle the OWASP Top 10 using a range of approaches and strategies, such as the STRIDE threat model.
Posted by Dermot Butterfield on Jan 30, 2017
If you have come this far then I will assume I don't have to engage in the discussion on whether you need antivirus on Linux or not. All I will say is that from a security perspective it is just good practice: the idea of security in depth says do everything you can to secure each link in the chain. I have outlined the RedHat and Ubuntu distro approaches to installation and configuration below.
Posted by Dermot Butterfield on Mar 10, 2019
So you have seen the OWASP password cheat sheet and you are looking for an example of the pseudo-code method protect().
return [salt] + pbkdf2([salt], [credential], c=10000);
Now you would like to know how you should go about creating this.
Posted by Dermot Butterfield on Jul 10, 2018
As with all things coming from outside your zone of control, you should never trust user input. When you develop a web application this is no exception. You should normalise and validate all strings entered by a user or received from a client. There is a simple set of rules that, when followed, can reduce your exposure to hackers and general exploits.
Posted by Dermot Butterfield on Aug 16, 2015
When working with any web application, security should be your top priority. Securing cookies and sessions is one of the first steps in keeping an application secure.
Posted by Dermot Butterfield on Apr 05, 2017
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. There is a wide spectrum of IDS, varying from antivirus software to network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). These are discussed further below.
Posted by Dermot Butterfield on Sep 11, 2016
I always encourage the hardening of servers and reducing access to network resources. It is often difficult to work out what is required, so I have created a list of my usual suggestions when reviewing access via SSH. In cases like this I prefer to see it as Securing Authorised Access.
Posted by Dermot Butterfield on Aug 20, 2015
When you create or deploy a web application you need to ensure you set appropriate timeouts. Over the years of working in the industry I have noted one or two interesting things: customers, clients and hackers all love long-lived sessions. Long timeouts allow customers to stay logged in for longer without having to log in again.