Categories: Resources, Software Development, Web Development, Web Security

SSL links, videos and other resources.

SSL is a very important subject; every website and app should be using it. However, the docs will leave you scratching your head saying WTF? So I am creating this long list of resources for anyone else who ever has to learn how to use it.

Articles

First, here is a link to the docs – this will cause confusion, as nothing tells you how to use the pieces together. So it is like looking into a box of Legos and knowing it builds something, but you don’t even have a picture as a hint. The best you can do is use the pieces to build something that doesn’t even resemble the original creation.

OpenSSL quick reference by DigiCert – a very brief introduction to SSL and how it works

SSL Certificate Security Glossary – list of terms and definitions

How to create a CSR with openssl – shows some of the syntax for the -config file option.

Docs explaining the config file used in the article above about how to create a CSR with openssl

SSL Basics: What is a Certificate Signing Request (CSR)? – Exactly WTF is a CSR

OpenSSL config file example – the openssl docs are pure 100% utter shit. I had to dig and dig and google and dig for days to find this.


Videos

Categories: Software Development, Web Security

Forced password changes are not good security policy

For so long I have read and heard that a GREAT security feature is to force your users to change passwords every so many days or months. Linux even has a built-in feature for this.

This is a really stupid idea for many, many reasons. #1: a password is a password is a password. If a hacker can guess one, they can guess another. Simply forcing users to change passwords gives a false feeling of security.

Another reason it is a piss-poor idea: users usually use a variation of their previous password so they can remember it, which again solves nothing whatsoever.

Another reason this is a stupid idea is people will often forget their password.

Another reason this is a bad idea is that users usually either write their password down or store it in a regular notes app on their phone; more are using password-saving software. I once used a password saver; it worked great, it saved all my passwords… except for the password to unlock it. I quit using them after that. LOL

You can read more about the treacheries of forced password cycling here.

You will notice others say the same things and more here.

Even Microsoft realizes this is a bad idea that should be left in the past.

Categories: Resources, Software Development, Web Security

AWS autoscaling links and resources

AWS autoscaling lets you set up groups of EC2 instances which are controlled by a load balancer. The load balancer in turn makes sure your app has the correct number of EC2 instances running at all times. If your traffic is high, it scales up to the maximum that you set. If traffic goes down, it adjusts back to the minimum number of EC2 instances that you set.

This system is great for startups who have no idea if their app will go viral or just flop. Often they just flop. But if you are lucky and it takes off, you want to be able to handle the traffic so you don’t lose users.

Documentation link to AWS autoscaling

Running EC2 instances at scale with autoscaling groups – a small ebook that walks through the whole process, including using CodeDeploy.

Categories: Resources, Web Security

CORS (cross-origin resource sharing) links and resources for developers

CORS (Cross-Origin Resource Sharing) lets you decide whether a script served from a domain other than your website/app is allowed to read data from your server, i.e. make AJAX calls to it. For your frontend API you probably want to limit the allowed origin to just your domain. For a developer API you probably want to allow all origins.
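The two policies in that paragraph, as an added example (my code, not from the original post or from any framework it links to): a plain function that decides which CORS response headers to send. The frontend policy allows exactly one origin and lets the browser send cookies; the developer policy answers with a wildcard, which browsers only accept when credentials are not involved. The function, policy and origin names are all made up for the example.

```javascript
// Added example, not part of the original post. Policy objects, function
// names and the example origins are assumptions made up for this snippet.

// Frontend API: only our own site may call it, and cookies are allowed.
const FRONTEND_POLICY = {
  allowedOrigins: ['https://app.example.com'], // constructed example origin
  allowCredentials: true,
};

// Developer API: any site may call it, but then credentials must stay off,
// because browsers reject "Access-Control-Allow-Origin: *" combined with
// "Access-Control-Allow-Credentials: true".
const DEVELOPER_POLICY = {
  allowedOrigins: '*',
  allowCredentials: false,
};

// Returns the CORS headers to add to the response for `req`
// ({ method, headers }), an empty object when the request carries no Origin
// (same-origin or non-browser client), or null when the origin is not
// allowed. With null the caller sends no CORS headers at all, so the
// browser refuses to hand the response body to the foreign script.
function corsHeaders(policy, req) {
  const origin = req.headers.origin;
  if (!origin) return {};

  const headers = {};
  if (policy.allowedOrigins === '*') {
    if (policy.allowCredentials) {
      throw new Error('a wildcard origin cannot be combined with credentials');
    }
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (policy.allowedOrigins.includes(origin)) {
    // Exact string comparison against the allowlist: no prefix or regex
    // match, so a lookalike origin that merely starts with the allowed
    // value is not accepted. The matched origin is echoed back because a
    // response with credentials may not use "*".
    headers['Access-Control-Allow-Origin'] = origin;
    // Tell caches the response differs per Origin so one origin's answer
    // is never served to another.
    headers['Vary'] = 'Origin';
    if (policy.allowCredentials) {
      headers['Access-Control-Allow-Credentials'] = 'true';
    }
  } else {
    return null;
  }

  // Preflight (OPTIONS) requests additionally need the allowed methods and
  // request headers; a fixed list is used rather than echoing the request.
  if (req.method === 'OPTIONS') {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Usage with constructed requests.
console.log(corsHeaders(FRONTEND_POLICY, {
  method: 'GET', headers: { origin: 'https://app.example.com' },
}));
console.log(corsHeaders(FRONTEND_POLICY, {
  method: 'GET', headers: { origin: 'https://other.example.org' },
})); // null: not on the allowlist
console.log(corsHeaders(DEVELOPER_POLICY, {
  method: 'OPTIONS', headers: { origin: 'https://other.example.org' },
}));
```

The allowlist check is deliberately an exact match on the whole origin string (scheme, host and port), and the response carries `Vary: Origin` whenever the allowed origin is echoed back; both are the details that most often go wrong when a CORS filter is configured by hand.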

CORS for Developers by W3C – explains CORS for developers in clear wording

Configuring the Play Framework 2.8 CORS filter

Categories: Resources, Web Security

Server and cloud security resources and links

CSP Cheat Sheet – CSP (Content Security Policy) lets your server tell the browser which sources of scripts, styles, images and other content your pages are allowed to load.

Configuring Play Framework Content Security Policy Headers

Categories: Resources, Web Security

Web App security resources

Practical HTTP Host header attacks – a must-read to understand how hackers use HTTP headers to hack websites.

Link to the OWASP cheat sheet – a good cheat sheet

Website security by MDN – covers some very basic information about website security such as SQL injection