Security

InfoSec, DevSec, Penetration Testing, etc.

Founders Talk #71

From acquisition to full conviction

Guy Podjarny is the Founder of Snyk, a security platform that empowers software-driven businesses to develop fast and stay secure. Prior to Snyk, Guy founded Blaze which was acquired by Akamai and became CTO. We talked through the topic of acquisition — the sale, the merge, the learnings, and why Guy might not be planning for Snyk to be acquired anytime soon. We started the conversation with Snyk’s recent raise of $150 million dollars.

Tanya Janca

Where can we learn threat modelling?

The linked post is Tanya Janca advising on where (and how) you can learn threat modelling for yourself. What’s threat modelling?

… a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized.

See also: Martin Fowler’s guide to threat modelling for developers.

Joab Jackson, The New Stack

Microsoft gradually switching to Rust to build its infrastructure software

No matter how much investment software companies may put into tooling and training their developers, “C++, at its core, is not a safe language,” said Ryan Levick, Microsoft cloud developer advocate, during the AllThingsOpen virtual conference last month, explaining, in a virtual talk, why Microsoft is gradually switching to Rust to build its infrastructure software, away from C/C++. And it is encouraging other software industry giants to consider the same.

This sounds SO familiar, as heard from Josh Aas recently on The Changelog (listen here).

We certainly should not be writing any new code in C and C++. The opportunity for vulnerabilities – I mean, it absolutely will have vulnerabilities, and we need to get that type of code away from our networks to start with, and then probably away from most other things, too… So I would hope that in 10-20 years we think it’s crazy to be deploying major (or maybe even minor) pieces of software that are written in languages that are not memory-safe.

So we’re trying to remove code written in C and C++ from our infrastructure at Let’s Encrypt. I think that’s just a basic part of diligence applied to secure infrastructure. If your stack is some giant pile of C++ or C at the network edge, followed by OpenSSL written in C, followed by a Linux kernel written in C, glibc - your whole pathway has got all this code that you just know is full of security holes. It absolutely is. You just can’t claim that those are even close to secure systems. They’re absolutely not. We’re gonna look back on this and say “That was crazy. We have better options today.”

Victor Zhou

An interactive guide to XSS attacks

Definitely Secure Bank® returns, this time with a big Cross-Site Scripting (XSS) vulnerability:

To get in character, let’s have you open up your online banking portal and look around. Click here to open Definitely Secure Bank’s website and login. Use any username and any password you want (don’t worry - it’s definitely secure). Keep that tab open for the rest of this post.

Victor is killing it with this Web Security 101 series.

Victor Zhou

An interactive CSRF demo

A unique take on explaining Cross-Site Request Forgery (CSRF).

You’re a responsible, hardworking person. You’ve saved up your money over the years at Definitely Secure Bank®. You love Definitely Secure Bank - they’ve always been good to you, plus they make it easy to transfer money via their website. Sweet, right?

You can probably guess where this is headed…

Y Combinator

How does your company manage its encryption keys?

This was a great question asked this week on Hacker News – 232 comments and counting…

We just had an interesting data loss at work, that was due to data being encrypted at rest. We somehow managed to delete the encryption keys (still figuring out how), which became an obvious problem once our main database instance was rebooted.

Luckily we were able to restore the data, but now I (we) really want to learn what a proper setup would look like.


Keybase bites the dust, joins Zoom

Welp. At least they aren’t sugar coating it.

Initially, our single top priority is helping to make Zoom even more secure. There are no specific plans for the Keybase app yet. Ultimately Keybase’s future is in Zoom’s hands, and we’ll see where that takes us. Of course, if anything changes about Keybase’s availability, our users will get plenty of notice.

Good move by Zoom. We sure know they could use the security help. For Keybase users seeking alternatives, here’s a nice thread of them on Hacker News.

Cloudflare for families

This is pretty cool and I’m updating my DNS as I write this. They’re offering two flavors: (no malware) and (no malware or adult content).

Since launching, the number one request we have received is to provide a version of the product that automatically filters out bad sites. While can safeguard user privacy and optimize efficiency, it is designed for direct, fast DNS resolution, not for blocking or filtering content. The requests we’ve received largely come from home users who want to ensure that they have a measure of protection from security threats and can keep adult content from being accessed by their kids. Today, we’re happy to answer those requests.

The setup is easy, and only requires changing two numbers in your primary and secondary DNS. for families

The Changelog #389

Securing the web with Let's Encrypt

We’re talking with Josh Aas, the Executive Director of the Internet Security Research Group, which is the legal entity behind the Let’s Encrypt certificate authority. In June of 2017, Let’s Encrypt celebrated 100 Million certificates issued. Now, just about 2.5 years later, that number has grown to 1 Billion and 200 Million websites served. We talk with Josh about his journey and what it’s taken to build and grow Let’s Encrypt to enable a secure by default internet for everyone.

Gus Luxton

How to SSH properly

There are many ways to SSH. Some have more security “risks” than others. Yet, we SSH every day…but could you improve the security of your SSH infrastructure? Maybe. Let’s find out.

Most people can agree that using public key authentication for SSH is generally better than using passwords. Nobody ever types in a private key, so it can’t be keylogged or observed over your shoulder. SSH keys have their own issues, however, some of which we’ve covered in a previous post about SSH key management.

The next level up from SSH keys is SSH certificates. … With SSH certificates, you generate a certificate authority (CA) and then use this to issue and cryptographically sign certificates which can authenticate users to hosts, or hosts to users….

José Valim

An upcoming authentication solution for Phoenix

José Valim, writing on the Dashbit blog:

I have thought about launching “Devise for Phoenix” probably hundreds of times. I had long conversations with Chris McCord (creator of Phoenix) and co-workers about this. Helping Phoenix users get past the burden of setting up authentication can be a great boost to adoption. At the same time, I never found a proper way to approach the problem.

You can probably guess what’s coming next…

About 2 months ago I decided to handwrite a simple and secure authentication solution on top of a Phoenix application.

Cool stuff. Click through to learn the details of what he came up with (and what’s happening next).

Feross Aboukhadijeh

Stanford CS253: Web Security

Hey folks! Feross from JS Party here. I taught a course on web security last quarter at Stanford. All the course materials, slides, and videos are freely available online and I wanted to share with the broader community, in case anyone is interested in learning more about secure web programming.

The course goal is to build an understanding of the most common web attacks and their countermeasures. Given the pervasive insecurity of the modern web landscape, there is a pressing need for programmers and system designers to improve their understanding of web security issues. We’ll be covering the fundamentals as well as the state-of-the-art in web security.

Josh Aas, Let's Encrypt

Let's Encrypt has issued 1 billion certificates

In June of 2017, Let’s Encrypt celebrated 100 Million certificates issued. Now, just about 2.5 years later, that number has grown to 1 billion. What’s changed since 2017?

In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody.

In June of 2017 we were serving approximately 46M websites, and we did so with 11 full time staff and an annual budget of $2.61M. Today we serve nearly 192M websites with 13 full time staff and an annual budget of approximately $3.35M.

What’s driving this adoption?

Nothing drives adoption like ease of use, and the foundation for ease of use in the certificate space is our ACME protocol. ACME allows for extensive automation, which means computers can do most of the work. … Since 2017 browsers have started requiring HTTPS for more features, and they’ve greatly improved the ways in which they communicate to their users about the risks of not using HTTPS.


Securing Firefox with WebAssembly

Firefox is mostly written in C and C++. These languages are notoriously difficult to use safely, since any mistake can lead to complete compromise of the program.

The team has thus far had 2 strategies for securing the codebase, breaking code into multiple sandboxed processes with reduced privileges and rewriting code in a safe language like Rust.

Today, we’re adding a third approach to our arsenal. RLBox, a new sandboxing technology developed by researchers at the University of California, San Diego, the University of Texas, Austin, and Stanford University, allows us to quickly and efficiently convert existing Firefox components to run inside a WebAssembly sandbox.

This strikes me as a bonkers idea and kinda brilliant.

The core implementation idea behind wasm sandboxing is that you can compile C/C++ into wasm code, and then you can compile that wasm code into native code for the machine your program actually runs on.

Click through to read more about how they’re pulling this off.

YouTube

Let's set up a free, personal VPN in the cloud with Algo VPN

Following up on our awesome episode of The Changelog with Algo creator Dan Guido, I thought I’d kick the tires on this Ansible-based, self-hosted VPN solution to see what it’s like to actually set it up and configure my phone to use it. This is my first video of this kind. I’d love to know what you think! How can I do this better? Do you want moar like this? Keep my day job? What?!
