Nat’s 2022 Technical Link Pile: Security
December 30, 2022 – 7:11 pm

See the Intro for context.
[20221223] PEACH Framework for Cloud Security — reviews the risks associated with customer-facing interfaces and determines: (1) the complexity of the interface as a predictor of vulnerability; (2) whether the interface is shared or duplicated per tenant; (3) what type of security boundaries are in place (e.g. hardware virtualization); (4) how strongly these boundaries have been implemented. In order to gauge how strongly the security boundaries have been implemented (4), we propose using the following five parameters (P.E.A.C.H.): Privilege hardening, Encryption hardening, Authentication hardening, Connectivity hardening, Hygiene.
[20221223] The Decoupling Principle — to ensure privacy, information should be divided architecturally and institutionally such that each entity has only the information they need to perform their relevant function. Architectural decoupling entails splitting functionality for different fundamental actions in a system, such as decoupling authentication (proving who is allowed to use the network) from connectivity (establishing session state for communicating). Institutional decoupling entails splitting what information remains between non-colluding entities, such as distinct companies or network operators, or between a user and network peers. This decoupling makes service providers individually breach-proof, as they each have little or no sensitive data that can be lost to hackers. Put simply, the Decoupling Principle suggests always separating who you are from what you do.
[20221126] C64 MFA — The terminal window is showing a generated time-based one-time password for a full key, and the emulated 64 is showing the correct key, at the correct time, which was known and tested to be valid. Yes, you really can use your Commodore 64 for multi-factor authentication to generate TOTP codes!
[20221107] Ballerine — an open-source infrastructure for user identity and risk management.
[20220504] Serverless Security – you can use IAM to limit access to individual functions. Huh.
[20220421] Early Security for Startups – focus on the common source of breaches: Ransomware; Cloud misconfiguration/leak; Credential compromise via phishing, password reuse, etc.
[20220321] Anatomy of a JWT Token – There are a few types of JWTs, but I’ll focus on signed JWTs as they are the most common. A signed JWT may also be called a JWS.
[20220225] Creative Usernames – Spotify’s canonicalisation problem with Unicode.
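Added example (mine, not Spotify's code): a constructed model of a canonicaliser that case-folds first and NFKC-normalises second, whose output is not a fixed point, next to one that normalises, folds, normalises again and refuses any name whose canonical form is not stable. The sample strings are constructed; the superscript modifier letters decompose to ASCII capitals under NFKC.

```python
import unicodedata

def nodeprep_like(name: str) -> str:
    """Constructed model of a two-step canonicaliser: case-fold FIRST, NFKC SECOND
    (the order the XMPP stringprep/nodeprep profile specifies). Characters that
    NFKC turns into uppercase letters are never folded, so a second pass differs."""
    return unicodedata.normalize("NFKC", name.casefold())

def _once(name: str) -> str:
    # NFKC, case-fold, NFKC: the shape of Unicode's NFKC_Casefold mapping.
    return unicodedata.normalize("NFKC",
                                 unicodedata.normalize("NFKC", name).casefold())

def canonical_username(name: str) -> str:
    """Canonical form for account lookup; rejects names without a stable form
    rather than guessing which of two spellings is the real account."""
    out = _once(name)
    if _once(out) != out:
        raise ValueError("username has no stable canonical form: %r" % name)
    return out

def is_idempotent(canon, name: str) -> bool:
    """The property a lookup canonicaliser must have: canon(canon(x)) == canon(x)."""
    once = canon(name)
    return canon(once) == once

# Constructed samples: plain ASCII vs. MODIFIER LETTER CAPITAL B/I/G/B/I/R/D (U+1D2E...).
SAMPLES = ["BigBird", "\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30"]

if __name__ == "__main__":
    for s in SAMPLES:
        first = nodeprep_like(s)
        print(repr(s), "->", repr(first), "->", repr(nodeprep_like(first)),
              "| stable:", is_idempotent(nodeprep_like, s),
              "| fixed form:", canonical_username(s))
```

The failure mode is that the same account can be reached through two different "canonical" strings, one of which may already belong to someone else; checking idempotence on every input catches it before the lookup does.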
[20220201] Security Engineering Course
[20220201] A Primer for Testing the Security of GraphQL APIs
[20220201] GraphQL Security
[20220201] Zero Trust Time – explanation of what zero trust is
- Start by inventorying users and their needs, and authenticating them on every request
- Then devices and apps.
- ZT relies on tokens
- ZT systems have IAM engines that validate users & assign tokens, and know what activities are permitted for which users.
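Added example, mine and not from either linked post, serving both the JWT anatomy entry above and the zero-trust bullets: the three base64url segments of an HS256 JWS (header, payload, HMAC tag over `header.payload`), and a per-request check of the kind a zero-trust IAM engine makes with a token it issued. The key, the claims and the space-separated `scope` claim are assumptions for the demo; the verifier pins the algorithm it expects instead of reading it from the token.

```python
import base64
import hashlib
import hmac
import json
import time

class InvalidToken(Exception):
    pass

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jws(claims: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(tag)])

def verify_jws(token: str, key: bytes, now=None) -> dict:
    """Check structure, algorithm, signature and expiry; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        tag = b64url_decode(s)
    except ValueError as exc:
        raise InvalidToken("undecodable segment: %s" % exc)
    # Pin the expected algorithm; the token does not get to choose how it is checked.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(p))
    except ValueError as exc:
        raise InvalidToken("undecodable payload: %s" % exc)
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("missing or past exp")
    return claims

def authorize(token: str, key: bytes, action: str, now=None) -> bool:
    """Zero-trust style decision: re-validate the token on every request, then
    check that the requested action is listed in its scope claim."""
    try:
        claims = verify_jws(token, key, now)
    except InvalidToken:
        return False
    return action in claims.get("scope", "").split()

if __name__ == "__main__":
    key = b"constructed-demo-key-use-32-random-bytes"  # assumption: HS256 shared key
    tok = sign_jws({"sub": "alice", "scope": "read:files", "exp": 1700000000}, key)
    print(tok)
    for seg in tok.split(".")[:2]:
        print(b64url_decode(seg).decode())
```

Nothing in the token is secret: the first two segments are plain base64url JSON that anyone can read. What makes it a credential is that the IAM engine can recompute the third segment and nobody without the key can, which is why the verifier never skips the signature check even for a request that arrived a second after the last one.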