Welcome to Labs
Terraform security best practices (2022)
The following sections discuss our most important Terraform security best practices: The importance of Terraform State Terraform must keep track of the resources created. When Terraform environments are created and...
Application Security 101 – HTTP headers
1. Strict-Transport-Security The HTTP Strict Transport Security (HSTS) header forces browsers and other agents to interact with web servers over the encrypted HTTPS protocol, which…
How effective is secure code review for discovering vulnerabilities?
We’ve recently discussed application security and the trend we’re seeing in which companies are increasingly implementing security early on in the Software Development Life Cycle…
Articles
Application Security 101 – HTTP Headers Information Disclosure
Server Header Information Disclosure The most common HTTP header that is enabled by default in most web servers is the ‘Server’ header, which can lead to information disclosure about the...
SPF, DKIM, DMARC and BIMI for Email Security
Sender Policy Framework Sender Policy Framework (SPF) is a DNS TXT record that is added to a domain that tells email recipients which IP addresses or mail servers are authorised...
Terraform security best practices (2022)
The following sections discuss our most important Terraform security best practices: The importance of Terraform State Terraform must keep track of the resources created. When Terraform environments are created and...
Preventing exploitation of the Follina vulnerability in MSDT
The Follina Exploit A zero-click Remote Code Execution (RCE) vulnerability has started making the rounds which is leveraging functionality within applications such as Microsoft Word. This vulnerability exists when the...
Application Security 101 – HTTP headers
1. Strict-Transport-Security The HTTP Strict Transport Security (HSTS) header forces browsers and other agents to interact with web servers over the encrypted HTTPS protocol, which secures users from Man in...
New Exchange RCE vulnerability actively exploited
Exchange admins now have another exploit to deal with despite still reeling from a number of high profile attacks this year including ProxyLogon and ProxyShell. A new high severity Remote Code Execution (RCE) exploit for on-premise Exchange Servers has been published and is being actively exploited in the wild.
How effective is secure code review for discovering vulnerabilities?
We’ve recently discussed application security and the trend we’re seeing in which companies are increasingly implementing security early on in the Software Development Life Cycle (SDLC). In our blog post exploring the impact of adopting application security, we described a common scenario involving assessing an application that was ready for release. Through the assessment, critical…
There is a movement in the IT security world that is gaining traction, and it is based around the implementation of security within applications from the beginning. You may have heard buzzwords like “AppSec”, “DevSecOps” and “Shift Left”, but what do they actually mean? What does it take to “Shift Left” when developing a secure…
Enhancing Security in your Software Development LifeCycle – Dealing with Dependencies
The adoption of agile practices has resulted in the emergence of shift-lift testing, where testing is performed much earlier in the Software Development LifeCycle (SDLC). Traditional waterfall models performed testing to the right of, or following, development. The benefits of testing earlier and more often cannot be underestimated. However, where does this leave security and…