security.md

July 15, 2021

Bookmarks tagged [security]

www.codever.land/bookmarks/t/security

Create ipsec tunnel between google cloud platform and mikrotik | by Hasanuddin Muhamad | Medium

https://hasanuddin-muhamad15.medium.com/create-ipsec-tunnel-between-google-cloud-platform-and-mikrot...

connect


10 best practices to containerize Node.js web applications with Docker | Snyk Blog

https://snyk.io/blog/10-best-practices-to-containerize-nodejs-web-applications-with-docker/

The following article provides production-grade guidelines for building optimized and secure Node.js Docker images. You’ll find it helpful regardless of the Node.js application you aim to build. This ...


Threat Dragon home page

https://threatdragon.org/

Threat Dragon is a free, open-source threat modeling tool from OWASP. It can be used as a standalone desktop app for Windows and MacOS (Linux coming soon) or as a web application. The desktop app is g...


Falco home page

https://falco.org/

Falco, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine


CyberChef home page

https://gchq.github.io/CyberChef/

The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis


BeEF - The Browser Exploitation Framework Project

https://beefproject.com/

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.


OWASP API Security - Top 10 | OWASP

https://owasp.org/www-project-api-security/

API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs).


Defending Against Query Selector Injection Attacks

https://thecodebarbarian.wordpress.com/2014/09/04/defending-against-query-selector-injection-attacks...

This article shows two simple ways to protect against the attacks described in Hacking NodeJS and MongoDB. One of them is by...


CWE - Common Weakness Enumeration

https://cwe.mitre.org/index.html

CWE™ is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigat...


OWASP ZAP

https://www.zaproxy.org/

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers. It can help you automatically find s...


GitHub - dropbox/zxcvbn: Low-Budget Password Strength Estimation

https://github.com/dropbox/zxcvbn

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames ...


What Is and How Does Single Sign-On Authentication Work?

https://auth0.com/blog/what-is-and-how-does-single-sign-on-work/

In this post, we will study how SSO authentication is implemented for the web.

  • :calendar: published on: 2015-09-23
  • tags: security, sso

What Is an X.509 Certificate? - SSL.com

https://www.ssl.com/faqs/what-is-an-x-509-certificate/

X.509 is a standard format for public key certificates, digital documents that securely associate cryptographic key pairs with identities such as websites, individuals, or organizations.

Firs...


PEM, DER, CRT, and CER: X.509 Encodings and Conversions - SSL.com

https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/

This guide points out the major differences between PEM and DER files and common filename extensions associated with them. It also provides visual examples of each encoding, and illustrates some commo...


Eavesdropping - Wikipedia

https://en.wikipedia.org/wiki/Eavesdropping

Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information.


Entropy - an overview

https://www.sciencedirect.com/topics/computer-science/entropy

Entropy, in cyber security, is a measure of the randomness or diversity of a data-generating function. Data with full entropy is completely random and no meaningful patterns can be found. Low entr...


mitmproxy - an interactive HTTPS proxy

https://mitmproxy.org/

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.


What's New With OAuth and OIDC? - 32min

https://www.youtube.com/watch?v=g_aVPdwBTfw

In this talk you'll learn about the latest developments with the OAuth​ and OIDC​ specs directly from the standards group. The latest additions to the specs enable richer experiences and better secu...


What do SAST, DAST, IAST and RASP mean to developers?

https://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers/

It’s estimated that 90 percent of security incidents result from attackers exploiting known software bugs. Needless to say, squashing those bugs in the development phase of software could reduce the i...


Cross Site Request Forgery (CSRF) | OWASP Foundation

https://owasp.org/www-community/attacks/csrf

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineeri...


What Is HSTS and How Do I Implement It?

https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it

HTTP Strict Transport Security (HSTS) is a web server directive that informs user agents and web browsers how to handle its connection through a response header sent at the very beginning and back to ...


Microsoft Security Development Lifecycle

https://www.microsoft.com/en-us/securityengineering/sdl

The Microsoft SDL introduces security and privacy considerations throughout all phases of the development process, helping developers build highly secure software, address security compliance requirem...


OWASP Dependency-Check Project | OWASP

https://owasp.org/www-project-dependency-check/

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if ther...


Same-origin policy

https://web.dev/same-origin-policy/

The same-origin policy is a browser security feature that restricts how documents and scripts on one origin can interact with resources on another origin.


Same-origin policy - Web security | MDN

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially ma...


9 Security Tips to Keep Express from Getting Pwned - NodeSource

https://nodesource.com/blog/nine-security-tips-to-keep-express-from-getting-pwned

Security is really hard to get right. There are so many different factors to consider, countless different ways to break an application.

This is just as true with Express applications as it is with a...


Helmet Home Page

https://helmetjs.github.io/

Helmet helps you secure your Express apps by setting various HTTP headers. It’s not a silver bullet, but it can help!


GitHub - vasanthk/web-security-basics: Web security concepts

https://github.com/vasanthk/web-security-basics

Web security concepts. Contribute to vasanthk/web-security-basics development by creating an account on GitHub.

  • :calendar: published on: 2020-01-05
  • tags: web, security

The Hard Parts of JWT Security Nobody Talks About

https://www.pingidentity.com/en/company/blog/posts/2019/jwt-security-nobody-talks-about.html

In spite of the popularity of JWTs, their security properties are often misunderstood. To ensure the security of the app, you must fully consider asymmetric signatures, validation beyond signatures, c...


Anatomy of a Cross-site Request Forgery Attack

https://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx/

A Cross-site request forgery attack, also known as CSRF or XSRF (pronounced sea-surf) is the less well known, but equally dangerous, cousin of the Cross Site Scripting (XSS) attack. Yeah, they come fr...


Security in the age of Docker & Kubernetes | Atomist Blog

https://blog.atomist.com/security-of-docker-kubernetes/

While not an exhaustive list of suggestions for hardening your Docker containers & Kubernetes clusters, it's a starting point for tightening security.


Introduction to React + Tutorial How To Build Your First App

https://auth0.com/blog/react-tutorial-building-and-securing-your-first-app/

Introduction to React and its components and routers. Tutorial of how to build a simple Q&A React app - secure backend API with Node.js and Express.


WordPress Malware Redirect Hack - How To Detect & Fix It

https://secure.wphackedhelp.com/blog/wordpress-malware-redirect-hack-cleanup/

Detect and Clean Malicious Redirects. Your site is redirecting due to the presence of infected code added by hackers. To remove these spam redirects, one has to find the malicious code or malware and rem...


Kubernetes Security Guide

https://sysdig.com/blog/kubernetes-security-guide/

RBAC, TLS, Security policy, Network policy, etc.


Handling Sensitive Data In A Docker Application with Kubernetes Secrets

http://scotch.io/tutorials/google-cloud-platform-iii-handling-sensitive-data-in-a-docker-application...

Dealing with sensitive data such as tokens, API keys and passwords in a Docker application with Kubernetes Secrets


How to Create and Use Kubernetes Secrets

http://linoxide.com/containers/create-use-kubernetes-secrets/

In this article we cover how to create, delete and use secrets in Kubernetes. We have included using secrets both as volumes and as environment variables.


Kubernetes Security Best Practices

https://dev.to/petermbenjamin/kubernetes-security-best-practices-hlk

Exploring security best practices around Kubernetes


Running Vault and Consul on Kubernetes

https://testdriven.io/running-vault-and-consul-on-kubernetes

In the following tutorial we’ll walk you through how to use Minikube to run Kubernetes locally and then we'll run Hashicorp's Vault and Consul on K8s.


Aquasec

http://blog.aquasec.com/topic/kubernetes

Kubernetes Security | The Container and serverless security blog: container security, Kubernetes Security, Docker Security, DevOps Tools, DevSecOps, image scanning, Continuous integration, Runtime pro...


Authenticator

https://github.com/heptio/authenticator

A tool for using AWS IAM credentials to authenticate to a Kubernetes cluster


Calico Network Policy (from Tigera)

Widely adopted open source implementation unifying Kubernetes Network Policy and Istio Application Policy.


Dex

https://github.com/coreos/dex

OpenID and OAuth for Kubernetes


Guard

https://github.com/appscode/guard

Authentication webhook server with support for GitHub, GitLab, Google, Azure and LDAP (AD) as identity providers.


kiam

https://github.com/uswitch/kiam

Allows cluster users to associate AWS IAM roles to Pods.


kube-bench

https://github.com/aquasecurity/kube-bench

The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices.


kube-hunter

https://github.com/aquasecurity/kube-hunter

Hunt for security weaknesses in Kubernetes clusters.


kube-psp-advisor

https://github.com/sysdiglabs/kube-psp-advisor

Help building an adaptive and fine-grained pod security policy.


kube2iam

https://github.com/jtblin/kube2iam

Provides different AWS IAM roles for pods running on Kubernetes


Kubesec.io

http://kubesec.io/

kubesec.io


Pomerium

http://www.pomerium.io/

a zero-trust identity-aware access proxy inspired by BeyondCorp.


Rakkess

https://github.com/corneliusweig/rakkess

Kubectl plugin to show an access matrix for all available resources.


Sysdig Falco

http://www.sysdig.org/falco/

Have visibility into the behavior of your containers & applications with Falco, container native runtime security.


Sysdig Secure

http://www.sysdig.com/product/secure

Container Security that brings together image scanning, run-time protection, and deep forensics to identify vulnerabilities, block threats, enforce compliance, and audit activity across your microserv...


Tigera Secure Cloud Edition

https://www.tigera.io/tigera-secure-ce/


Tigera Secure Enterprise Edition

https://www.tigera.io/tigera-secure-ee/


Trireme

http://github.com/aporeto-inc/trireme-kubernetes

Aporeto integration with Kubernetes Network Policies - aporeto-inc/trireme-kubernetes


Twistlock

http://www.twistlock.com/

Twistlock is the first comprehensive cloud native cybersecurity platform for hosts, containers, and serverless setups across the DevSecOps lifecycle.


acmetool

https://github.com/hlandau/acme

ACME (Let's Encrypt) client tool with automatic renewal.


acra

https://github.com/cossacklabs/acra

Network encryption proxy to protect database-based applications from data leaks: strong selective encryption, SQL injections prevention, intrusion detection system.


argon2pw

https://github.com/raja/argon2pw

Argon2 password hash generation with constant-time password comparison.


autocert

https://godoc.org/golang.org/x/crypto/acme/autocert

Auto provision Let's Encrypt certificates and start a TLS server.


BadActor

https://github.com/jaredfolkins/badactor

In-memory, application-driven jailer built in the spirit of fail2ban.


Cameradar

https://github.com/Ullaakut/cameradar

Tool and library to remotely hack RTSP streams from surveillance cameras.


certificates

https://github.com/mvmaasakkers/certificates

An opinionated tool for generating tls certificates.


go-yara

https://github.com/hillu/go-yara

Go Bindings for YARA, the "pattern matching swiss knife for malware researchers (and everyone else)".


goArgonPass

https://github.com/dwin/goArgonPass

Argon2 password hash and verification designed to be compatible with existing Python and PHP implementations.


goSecretBoxPassword

https://github.com/dwin/goSecretBoxPassword

A probably paranoid package for securely hashing and encrypting passwords.


Interpol

https://bitbucket.org/vahidi/interpol

Rule-based data generator for fuzzing and penetration testing.


jwc

https://github.com/khezen/jwc

JSON Web Cryptography library.


lego

https://github.com/xenolf/lego

Pure Go ACME client library and CLI tool (for use with Let's Encrypt).


memguard

https://github.com/awnumar/memguard

A pure Go library for handling sensitive values in memory.


nacl

https://github.com/kevinburke/nacl

Go implementation of the NaCl set of APIs.


passlib

https://github.com/hlandau/passlib

Futureproof password hashing library.


secure

https://github.com/unrolled/secure

HTTP middleware for Go that facilitates some quick security wins.


simple-scrypt

https://github.com/elithrar/simple-scrypt

Scrypt package with a simple, obvious API and automatic cost calibration built-in.


ssh-vault

https://github.com/ssh-vault/ssh-vault

encrypt/decrypt using ssh keys.


sslmgr

https://github.com/adrianosela/sslmgr

SSL certificates made easy with a high level wrapper around acme/autocert.


BeEF

http://beefproject.com

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.


bundler-audit

https://github.com/rubysec/bundler-audit

Patch-level security verification for Bundler.


Gitrob

https://github.com/michenriksen/gitrob

Reconnaissance tool for GitHub organizations.


Metasploit

https://github.com/rapid7/metasploit-framework

World's most used penetration testing software.


Rack::Attack

https://github.com/kickstarter/rack-attack

Rack middleware for blocking & throttling abusive requests.


Rack::Protection

https://github.com/sinatra/rack-protection

Rack middleware for protecting against typical Web attacks.


SecureHeaders

https://github.com/twitter/secureheaders

Automatically apply several headers that are related to security, including: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options (XFO), X-XSS-Protection, X-Content-Ty...


DOMPurify

https://github.com/cure53/DOMPurify

A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.


js-xss

https://github.com/leizongmin/js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist.


xss-filters

https://github.com/yahoo/xss-filters

Secure XSS Filters by Yahoo


snyk

https://github.com/Snyk/snyk

CLI and build-time tool to find & fix vulnerable npm dependencies.


upash

https://github.com/simonepri/upash

Unified API for all password hashing algorithms.


GuardRails

https://github.com/apps/guardrails

GitHub app that provides security feedback in pull requests.


Apache Shiro

https://shiro.apache.org

Performs authentication, authorization, cryptography and session management.


Bouncy Castle

https://www.bouncycastle.org/java.html

All-purpose cryptographic library and JCA provider offering a wide range of functions, from basic helpers to PGP/SMIME operations.


Cryptomator

https://cryptomator.org

Multiplatform, transparent, client-side encryption of files in the cloud.


Hdiv

https://github.com/hdiv/hdiv

Runtime application that repels application security risks included in the OWASP Top 10, including SQL injection, cross-site scripting, cross-site request forgery, data tampering, and brute force atta...


jjwt

https://github.com/jwtk/jjwt

JSON web token for Java and Android.


Jwks RSA

https://github.com/auth0/jwks-rsa-java

JSON Web Key Set parser.


Kalium

https://github.com/abstractj/kalium

Binding for the Networking and Cryptography (NaCl) library.


Keycloak

https://keycloak.jboss.org

Integrated SSO and IDM for browser apps and RESTful web services.


Keyczar

https://github.com/google/keyczar

Easy-to-use, safe encryption framework with key versioning.


Keywhiz

https://github.com/square/keywhiz

System for distributing and managing secrets.


Nbvcxz

https://github.com/GoSimpleLLC/nbvcxz

Advanced password strength estimation.


OACC

http://oaccframework.org

Provides permission-based authorization services.


pac4j

https://github.com/pac4j/pac4j

Security engine.


PicketLink

http://picketlink.org

Umbrella project for security and identity management.


SecurityBuilder

https://github.com/tersesystems/securitybuilder

Fluent Builder API for JCA and JSSE classes and especially X.509 certificates.


Themis

https://github.com/cossacklabs/themis

Multi-platform high-level cryptographic library provides easy-to-use encryption for protecting sensitive data: secure messaging with forward secrecy, secure data storage (AES256GCM); suits for buildin...


Tink

http://github.com/google/tink

Provides a simple and misuse-proof API for common cryptographic tasks.


Vault

https://www.vaultproject.io

Secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets. It handles leasing, key revocation, key rolling, and auditing. Through a unified API, user...


awesome-appsec

https://github.com/paragonie/awesome-appsec#readme

A curated list of resources for learning about application security - paragonie/awesome-appsec


awesome-security

https://github.com/sbilly/awesome-security#readme

A collection of awesome software, libraries, documents, books, resources and cool stuff about security. - sbilly/awesome-security


awesome-ctf

https://github.com/apsdehal/awesome-ctf#readme

A curated list of CTF frameworks, libraries, resources and software - apsdehal/awesome-ctf


awesome-malware-analysis

https://github.com/rshipp/awesome-malware-analysis#readme

A curated list of awesome malware analysis tools and resources. - rshipp/awesome-malware-analysis


android-security-awesome

https://github.com/ashishb/android-security-awesome#readme

A collection of android security related resources - ashishb/android-security-awesome


awesome-hacking

https://github.com/carpedm20/awesome-hacking#readme

A curated list of awesome Hacking tutorials, tools and resources - carpedm20/awesome-hacking


awesome-honeypots

https://github.com/paralax/awesome-honeypots#readme

an awesome list of honeypot resources. Contribute to paralax/awesome-honeypots development by creating an account on GitHub.


awesome-incident-response

https://github.com/meirwah/awesome-incident-response#readme

A curated list of tools for incident response. Contribute to meirwah/awesome-incident-response development by creating an account on GitHub.


awesome-vehicle-security

https://github.com/jaredthecoder/awesome-vehicle-security#readme

🚗 A curated list of resources for learning about vehicle security and car hacking. - jaredthecoder/awesome-vehicle-security


awesome-web-security

https://github.com/qazbnm456/awesome-web-security#readme

🐶 A curated list of Web Security materials and resources. - qazbnm456/awesome-web-security


awesome-lockpicking

https://github.com/meitar/awesome-lockpicking#readme

:unlock::sunglasses: A curated list of awesome guides, tools, and other resources related to the security and compromise of locks, safes, and keys. - meitar/awesome-lockpicking


awesome-cybersecurity-blueteam

https://github.com/meitar/awesome-cybersecurity-blueteam#readme

:computer:🛡️ A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams. - meitar/awesome-cybersecurity-blueteam


Increasing Security with a Service Mesh - Christian Posta Explores the Capabilities of Istio

https://www.infoq.com/articles/istio-security-mtls-jwt

Istio attempts to solve some particularly difficult challenges when running applications in a cloud platform. This article explores the security features of Istio: mTLS and authorization.

Key Tak...


OAuth 2.0 and OpenID Connect (in plain English) - YouTube

https://www.youtube.com/watch?v=996OiexHze0

Developer Advocate Nate Barbettini breaks down OpenID and OAuth 2.0 in Plain English Find Nate's slides here: [https://speakerdeck.com/nbarbettini/oauth-and-openid-connect-in-plain-english](https://sp...


GitHub - docker/docker-bench-security

https://github.com/docker/docker-bench-security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. - docker/docker-bench-security


awesome-nodejs-security

https://github.com/lirantal/awesome-nodejs-security#readme

Awesome Node.js Security resources. Contribute to lirantal/awesome-nodejs-security development by creating an account on GitHub.


The Nuts and Bolts of API Security: Protecting Your Data at All Times - YouTube

https://www.youtube.com/watch?v=tj03NRM6SP8

Nice introduction (just introduction) to oauth, openid-connect, possible use for securing microservices...


API Keys ≠ Security: Why API Keys Are Not Enough

https://nordicapis.com/why-api-keys-are-not-enough/

Youtube video

API Keys are not security. By design they lack granular control, and there are many vulnerabilities at stake: applications that contain ke...


OWASP Top Ten Project - OWASP

https://owasp.org/www-project-top-ten/

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a va...


Public key fingerprint - Wikipedia

https://en.wikipedia.org/wiki/Public_key_fingerprint

In public-key cryptography, a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public k...


ISC 2 CISSP Certified Information Systems Security Professional Official Study Guide and Official Practice Tests Kit

https://www.amazon.com/dp/1119523265/ref=cm_sw_r_cp_apa_EobmBbVYKBPT0


What Happens If Your JWT Is Stolen?

https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen

What happens if a JSON Web Token is stolen or compromised? What are the security considerations you need to understand? In this post, we'll look at what JWTs are, and what happens when they're stolen ...


Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

https://tools.ietf.org/html/rfc5280

This specification is one part of a family of standards for the X.509 Public Key Infrastructure (PKI) for the Internet.


Cryptography and IT Security

http://www.crypto-it.net/eng/index.html

All you need to know about cryptography. Master ciphers and IT security with Crypto-IT website.


Confidentiality-Preserving Publish/Subscribe: a Survey

https://arxiv.org/pdf/1705.09404.pdf

Publish/subscribe (pub/sub) is an attractive communication paradigm for large-scale distributed applications running across multiple administrative domains. Pub/sub allows event-based information diss...


Publish-Subscribe Threat Modeling – Security Compass

https://blog.securitycompass.com/publish-subscribe-threat-modeling-11add54f1d07

The decoupled multicast nature of many-to-many communications in the Publish-Subscribe pattern introduces the system components to threats such as unwanted traffic flooding, node compromise attacks, d...


RSA Signing and Encryption in Java

http://niels.nu/blog/2016/java-rsa.html

Shows with Java examples the following:

  • Generating key pairs in Java
  • Encryption / Decryption
  • Sign / Verify
  • Java KeyStore
  • :calendar: published on: 2016-12-29
  • tags: java, cryptography, security
  • :octocat: source code


Web security

https://developer.mozilla.org/en-US/docs/Web/Security

The web security oriented articles listed here provide information that may help you secure your site and its code from attacks and data theft.


Common Phishing Scams and How to Recognize and Avoid them

https://www.comparitech.com/blog/information-security/common-phishing-scams-how-to-avoid/

Phishing for data continues to be a problem, but it's no longer restricted to the internet. Here are the major attack vectors and tactics in use today.

  • :calendar: published on: 2018-04-28
  • tags: security

PKI - trust & chain of trust -why, who and how? - YouTube

https://www.youtube.com/watch?v=LPxeYtMDxl0&list=PLSNNzog5eydtwsdT__t5WtRgvpfMzpTc7&index=4

What is public key infrastructure? What is trust? Why do we need trust over the Internet? Who should be trusted?

In this video, I will talk about two trust models: Hierarchical Trust Model and dist...

  • :calendar: published on: 2018-02-03
  • tags: pki, security

SSL/TLS handshake Protocol - YouTube

https://www.youtube.com/watch?v=sEkw8ZcxtFk&list=PLSNNzog5eydtwsdT__t5WtRgvpfMzpTc7&index=5

What protocol is used between a web server and its clients to establish trust? How do they negotiate and share the secret key? During the handshake process, how is the public key encryption algorithm used...


What is digital signature? - YouTube

https://www.youtube.com/watch?v=TmA2QWSLSPg&list=PLSNNzog5eydtwsdT__t5WtRgvpfMzpTc7

A digital signature is equivalent to a handwritten signature on paper, and a digital signature serves three basic purposes. Digital signatures are commonly used for software distribution, financial tran...


How does a public key verify a signature? - Stack Overflow

https://stackoverflow.com/questions/18257185/how-does-a-public-key-verify-a-signature/39210591#39210...

Public key encrypts, private key decrypts (encrypting)
Private key encrypts, public key decrypts (signing)

Hashids - generate short unique ids from integers

https://hashids.org/

Generate short unique ids from integers. Use in url shortening or as unique ids.


Computer Systems Security - MIT OpenCourseWare

https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-858-computer-systems-secur...

Computer Systems Security is a class about the design and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and techniques for achieving securi...


Data Encryption Methods to Secure Your Cloud - Agile IT

https://www.agileit.com/news/data-encryption-methods-secure-cloud/

The cloud enables you to retrieve your files from anywhere with Internet access. Discover modern data encryption methods and more data security tips.


Cloud Security Alliance Blog - Cloud Security Alliance Industry Blog

https://blog.cloudsecurityalliance.org/

Cloud Security Alliance Industry Blog


Passport.js

http://www.passportjs.org/

Simple, unobtrusive authentication for Node.js


Role-based access control - Wikipedia

https://en.wikipedia.org/wiki/Role-based_access_control

In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employee...


The Essential Guide to Machine Data

https://www.splunk.com/pdfs/ebooks/the-essential-guide-to-machine-data.pdf

Whatever you call it, machine data is one of the most underused and undervalued assets of any organization. And, unfortunately, it’s usually kept for some minimum amount of time before being tossed ou...


An Introduction To Securing a Cloud Environment

https://www.sans.org/reading-room/whitepapers/cloud/introduction-securing-cloud-environment-34052

While Cloud services offer flexibility, scalability and economies of scale, there have been commensurate concerns about security. As more data moves from centrally located server storage to the Cloud,...


AWS Security Best Practices

https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

This whitepaper is intended for existing and potential customers who are designing the security infrastructure and configuration for applications running in Amazon Web Services (AWS). It provides secu...


Recovery point objective - Wikipedia

https://en.wikipedia.org/wiki/Recovery_point_objective

A recovery point objective (RPO) is defined by business continuity planning. It is the maximum targeted period in which data might be lost from an IT service due to a major incident. The RPO gives...


Recovery time objective - Wikipedia

https://en.wikipedia.org/wiki/Recovery_time_objective

The recovery time objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unaccepta...


Online RSA Key Generator

http://travistidwell.com/jsencrypt/demo/

Online RSA key generation utility


Generate a SHA-256 encrypted hash

https://hash.online-convert.com/sha256-generator

Calculate a SHA-256 hash with this free online converter. Additionally create a checksum of your file.


How Digital Signatures Work

https://www.docusign.com/how-it-works/electronic-signature/digital-signature/digital-signature-faq

Digital signatures, a type of eSignature based on PKI standards, allow users to sign documents in compliance with country/industry-specific regulations.


What is Phishing and Phishing Scams

https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx

Phishing email messages, websites, and phone calls are designed to steal money. Cybercriminals can do this by installing malicious software on your computer or stealing personal information off of you...


The STRIDE Threat Model

https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

Nice explanation of the STRIDE model.


What Is a Firewall? - Cisco

https://www.cisco.com/c/en/us/products/security/firewalls/what-is-a-firewall.html

A firewall is a network security device that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules.


STRIDE (security) - Wikipedia

https://en.wikipedia.org/wiki/STRIDE_(security)

STRIDE is a threat classification model developed by Microsoft for thinking about computer security threats.[1] It provides a mnemonic for security threats in six categories.

The threat categories ar...


Ransomware - Wikipedia

https://en.wikipedia.org/wiki/Ransomware

Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may l...


Spoofing attack - Wikipedia

https://en.wikipedia.org/wiki/Spoofing_attack

In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage.


Public Key Cryptography: RSA Encryption Algorithm - YouTube

https://www.youtube.com/watch?v=wXB-V_Keiu8

RSA Public Key Encryption Algorithm (cryptography). How & why it works. Introduces Euler's Theorem, Euler's Phi function, prime factorization, modular exponentiation and time complexity.


Virtual LAN - Wikipedia

https://en.wikipedia.org/wiki/Virtual_LAN

A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). VLANs work by applying tags to network packets and handling th...


Asymmetric encryption - Simply explained - YouTube

https://www.youtube.com/watch?v=AQDCe585Lnc

How does public-key cryptography work? What is a private key and a public key? Why is asymmetric encryption different from symmetric encryption? I'll explain this in plain English... Nice explanation


JSON Hijacking | You’ve Been Haacked

https://haacked.com/archive/2009/06/25/json-hijacking.aspx/

A while back I wrote about a subtle JSON vulnerability which could result in the disclosure of sensitive information. That particular exploit involved overriding the JavaScript Array constructor to di...


git-crypt - transparent file encryption in git

https://www.agwa.name/projects/git-crypt/

git-crypt enables transparent encryption and decryption of files in a git repository. Files which you choose to protect are encrypted when committed, and decrypted when checked out. git-crypt lets...


Building Secure JavaScript Applications

https://nemethgergely.com/building-secure-javascript-applications/

Tips and best practices on how to build secure JavaScript applications


awesome-security

https://github.com/sbilly/awesome-security

A collection of awesome software, libraries, documents, books, resources and cool stuff about security.


Cross-site Scripting (XSS) - OWASP

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web applicati...


git-secret - A bash-tool to store your private data inside a git repository.

http://git-secret.io/

A bash-tool to store your private data inside a git repository.


XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of...


Node.js Security Overview

https://nemethgergely.com/nodejs-security-overview/

A look at where we are with Node.js security, and what you can do to keep your customer's data safe


Angular Authentication: Using the Http Client and Http Interceptors

https://medium.com/@ryanchenkie_40935/angular-authentication-using-the-http-client-and-http-intercep...

Let’s take a look at how to use Angular’s HttpInterceptor interface to make authenticated HTTP requests. It also suggests how to react when the token has expired.


5 Steps to Add Modern Authentication to Legacy Apps Using JWTs

https://auth0.com/blog/5-steps-to-add-modern-authentication-to-legacy-apps-using-jwts/

Conventional authentication is challenging for today's web applications. Learn about the reasons and how to use JSON Web Tokens (JWT) for modern authentication.

  • :calendar: published on: 2015-09-28
  • tags: jwt, security

JWT: The Complete Guide to JSON Web Tokens

https://blog.angular-university.io/angular-jwt/

A Step-by-Step Guide for learning JSON Web Tokens, including signatures, single page web application User Authentication and Session Management.


Crypto | Node.js Documentation

https://nodejs.org/api/crypto.html

The crypto module provides cryptographic functionality that includes a set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign and verify functions.


SHA-256 hash calculator. Online SHA-256 hash generator. Mining Bitcoin

http://www.xorbin.com/tools/sha256-hash-calculator

Easily calculate SHA-256 hash online with free Xorbin.com online SHA-256 generator! SHA-256 is used for mining Bitcoin.


OWASP Secure Coding Practices - Quick Reference Guide - OWASP

https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the devel...


Journey into cryptography | Computer science | Computing | Khan Academy

https://www.khanacademy.org/computing/computer-science/cryptography#modern-crypt

Modern cryptography

A new problem emerges in the 20th century. What happens if Alice and Bob can never meet to share a key in the first place?


OWASP Secure Headers Project - OWASP

https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

OWASP Secure Headers Project: setting headers from the server is easy and often doesn't require any code changes. Once set, they can restrict modern browsers from running into easily preventab...


Digital Security Toolkit (Security in a Box)

http://librebooks.org/security-in-a-box/


Physical Hacking Techniques

http://librebooks.org/physical-hacking-techniques/


Securing Wireless Networks for Home Users

http://librebooks.org/secure-wireless-networks-for-home-users/


Encryption Algorithms

http://fussy.web.fc2.com/algo/algo9-1.htm

Fussy (2), (3), (4)


How to Build a Secure Website

http://www.ipa.go.jp/files/000017316.pdf

Information-technology Promotion Agency, Japan (IPA) (PDF)


How to Call SQL Safely

http://www.ipa.go.jp/files/000017320.pdf

Information-technology Promotion Agency, Japan (IPA) (PDF)


RSA at a Glance

http://www.mew.org/~kazu/doc/rsa.html

山本和彦


Fundamentals of Network Programming

http://x68000.q-e-d.net/~68user/net/

68user


Secure Programming Course

http://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html

Information-technology Promotion Agency, Japan (IPA)


Hands-on Introduction to RSA Encryption

http://www.cybersyndrome.net/rsa/

CyberSyndrome


Web Health Check Specification

http://www.ipa.go.jp/files/000017319.pdf

Information-technology Promotion Agency, Japan (IPA) (PDF)


OWASP Top 10 for .NET Developers

http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html


OpenSSL Cookbook

https://www.feistyduck.com/library/openssl-cookbook/


Intrusion Detection Systems with Snort

http://ptgmedia.pearsoncmg.com/images/0131407333/downloads/0131407333.pdf

(PDF)


How to deal with Passwords

https://github.com/MHM5000/pass


Handbook of Applied Cryptography

http://cacr.uwaterloo.ca/hac/index.html


CryptoParty Handbook

https://unglue.it/work/141611/


Crypto 101 - Crypto for everyone

https://www.crypto101.io


A Graduate Course in Applied Cryptography

http://toc.cryptobook.us


UncomplicatedFirewall - Ubuntu Wiki

https://wiki.ubuntu.com/UncomplicatedFirewall

The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. ufw provides a framework for managing netfilter, as well as a command-line...


HTTP Strict Transport Security - Wikipedia

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare t...


Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd

https://cipherli.st/

These examples are meant for sysadmins who have done this before (and sysadmins are forced to support Windows XP with IE < 9, therefore des3cbc), as an easily copy-pastable example, not for newbies wh...


How to Configure a Firewall with UFW

https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw

UFW, or uncomplicated firewall, is a frontend for managing firewall rules on Arch Linux, Debian or Ubuntu. UFW is used through the command line (although it has GUIs available), and aims to make firewall...


Security Checklist — MongoDB Manual

https://docs.mongodb.com/manual/administration/security-checklist/

This document provides a list of security measures that you should implement to protect your MongoDB installation.


How To Change SSH Port in Ubuntu - idroot

http://idroot.net/tutorials/how-to-change-ssh-port-in-ubuntu/

The Secure Shell (SSH) Protocol by default uses port 22. Accepting this value does not make your system insecure, nor will changing the port provide a significant variance in security. However, changi...


SSL Certificate Explained - YouTube

https://youtu.be/SJJmoDZ3il8