Guidance
- SPF, DKIM, DMARC and BIMI for Email Security
Sender Policy Framework
Sender Policy Framework (SPF) is a DNS TXT record that is added to a domain that tells email recipients which IP addresses or mail servers are authorised to send emails for the domain. Defined in RFC 7208, it is designed to prevent mail spoofing as mail servers check that incoming mail really did…
- Terraform security best practices (2022)
The following sections discuss our most important Terraform security best practices:
The importance of Terraform State
Terraform must keep track of the resources created. When Terraform environments are created and deployed, Terraform tracks the resources that it created, and stores this mapping in a Terraform State File. When deploying changes to the configuration, Terraform consults…
- Preventing exploitation of the Follina vulnerability in MSDT
The Follina Exploit
A zero-click Remote Code Execution (RCE) vulnerability has started making the rounds; it leverages functionality within applications such as Microsoft Word. This vulnerability exists when the application calls MSDT using the URL protocol and allows remote attackers to execute PowerShell code on the victim’s device, under the context of the application…
- Application Security 101 – HTTP headers
Strict-Transport-Security
The HTTP Strict Transport Security (HSTS) header forces browsers and other agents to interact with web servers over the encrypted HTTPS protocol, which secures users from Man in the Middle (MitM) attacks by protecting against protocol downgrade attacks. This header is specified in RFC 6797. You should ensure that your site is accessible over HTTPS before this header…
- How effective is secure code review for discovering vulnerabilities?
We’ve recently discussed application security and the trend we’re seeing in which companies are increasingly implementing security early on in the Software Development Life Cycle (SDLC). In our blog post exploring the impact of adopting application security, we described a common scenario involving assessing an application that was ready for release. Through the assessment, critical vulnerabilities were identified, such as an SQL injection, close to the go-live deadline. This time, we’re covering how a secure code review early on in the SDLC can identify this vulnerability. This would give developers time to make changes without delaying the project, and understand the importance of security best practices when coding secure applications. In this similar scenario, the company contacted us during the early stages of development - the adoption of “Shift-Left”.
- Application Security (AppSec)
There is a movement in the IT security world that is gaining traction, and it is based around the implementation of security within applications from the beginning. You may have heard buzzwords like “AppSec”, “DevSecOps” and “Shift Left”, but what do they actually mean? What does it take to “Shift Left” when developing a secure application? You can read about dealing with dependencies in our blog post.
- Enhancing Security in your Software Development LifeCycle – Dealing with Dependencies
The adoption of agile practices has resulted in the emergence of shift-left testing, where testing is performed much earlier in the Software Development LifeCycle (SDLC). Traditional waterfall models performed testing to the right of, or following, development. The benefits of testing earlier and more often cannot be overstated. However, where does this leave security and security testing?