Input validation of free-form Unicode text in Python
Input validation is one of the most important application security controls, and still there is a huge gap when it comes to handling one of the most popular types of user input — free-form text with Unicode characters. This article demonstrates a simple way of dealing with Unicode text using Python.
Checking for critical infrastructure failures with Wazuh
One of my favourite features of Wazuh is command monitoring which, combined with rules, allows creating sophisticated sanity checks on critical infrastructure services.
Making sense of the SAST, DAST, IAST, RASP soup #2
In the previous article I wrote about SAST and DAST; here I'm sharing some experiences with IAST and RASP technologies, which are still considered quite new to the application security market.
Making sense of the SAST, DAST, IAST, RASP soup #1
The software security scanner market is now mature enough to have its own jargon, built largely by vendor marketing teams. As such, it's primarily designed to help you get rid of your infosec budget rather than help you design a reasonable security assurance architecture. This is the first part of a series that looks at the advantages and limitations of SAST and DAST.
Choosing security scanners for your project
With literally dozens of code security scanners available on the market, there's a risk of throwing your money and resources at a tool that will eventually prove to be of little use. How do you select the right tool for the job?
Reducing your attack surface with systemd
Running Linux services through systemd has a huge positive impact on reducing their attack surface — and its authors are adding a lot of new functionality with each new version. What can you achieve in terms of security using systemd?
Upgrading and backing up your LUKS header
All mainstream Linux distributions now ship with full-disk encryption available, and for portable devices like laptops or smartphones it's certainly a must. This article is a few quick recipes for upgrading your LUKS header for improved performance and security (if your device was installed a while ago) and for backing up your LUKS header to ensure access in case of hardware failure.
IPFS website cheat-sheet
This website is generated using Nikola and hosted on IPFS, with the web server on the krvtz.net domain operating merely as a proxy to an IPFS node. After some struggle, I decided to share a few hints on how to actually implement such a setup in a way that will not result in cryptic error messages being displayed to your clients.
Dealing with legacy systems
In an ideal DevSecOps world all infrastructure servers and auxiliary applications run up-to-date LTS versions and are subject to an actual lifecycle maintenance policy. In the real world, we have to deal with end-of-life applications installed on unpatched end-of-life operating systems… and still keep them secure.
Overview of PGP replacements
OpenPGP became a de facto standard for encryption and digital signatures, used to secure email and XMPP communications but also as a dedicated file encryption and signing provider for popular backup tools. Each of these use scenarios suffers from the dated OpenPGP design and confusing user interface.
A number of notable projects were developed with the intent to replace OpenPGP, some with ambitions to replace the whole cryptosystem, others with a very limited scope following the “do one thing well” philosophy.