
Tag Archives: Security

Amazon Security Services, Part Two

Episode 78

Last week we started with AWS security by introducing Identity and Access Management in detail. Today we will look at what else is in the security services group and talk about how not to get hacked in the cloud in general.


The remaining services we are interested in are Inspector, Certificate Manager, Directory Service, Web Application Firewall, Shield, Key Management Service, CloudHSM and Organizations. We will also look at the Shared Responsibility Model.

Inspector

Amazon Inspector is an automated security assessment service. It uses an agent deployed on EC2 instances to collect system state, running processes, network communication, installed software and other parameters in order to benchmark the instance, spot security vulnerabilities and flag deviations from best practices. First we need to define an assessment template, which governs which targets should be tested and which subset of rules (rules packages) should be applied. There is plenty of
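Once an assessment run finishes, the findings are what you actually work with: they need to be grouped per instance, ranked, and used to decide whether a build or deployment may proceed. The following is an added example, not code from the original post or from AWS. It consumes the JSON shape returned by `aws inspector describe-findings` as I remember it (a `findings` list whose items carry `severity`, `numericSeverity`, `confidence`, `assetAttributes.agentId` and `serviceAttributes.rulesPackageArn`); that shape, the three findings, the instance IDs and the ARNs below are all constructed for illustration and should be checked against a real run.

```python
"""Triage Amazon Inspector findings after an assessment run.

Added example, not code from the original post. The input format follows the
`aws inspector describe-findings` response as remembered by the author of this
example (an assumption); the sample findings, instance IDs and ARNs are
constructed and do not describe any real instance or vulnerability.
"""
import json
from collections import Counter, defaultdict

# Inspector classic uses four severities; map them to a rank so we can compare.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

_ARN = "arn:aws:inspector:eu-west-1:111122223333"

# Constructed sample: a run of a vulnerability rules package and a best
# practices rules package against two instances (nothing here is real data).
SAMPLE_FINDINGS_JSON = json.dumps({"findings": [
    {"arn": _ARN + ":target/0-t/template/0-m/run/0-r/finding/0-1",
     "title": "Instance i-0aaa has a package with a known vulnerability",
     "severity": "High", "numericSeverity": 9.0, "confidence": 10,
     "assetAttributes": {"agentId": "i-0aaa", "amiId": "ami-0example"},
     "serviceAttributes": {"rulesPackageArn": _ARN + ":rulespackage/0-vuln"}},
    {"arn": _ARN + ":target/0-t/template/0-m/run/0-r/finding/0-2",
     "title": "Instance i-0aaa allows root login over SSH",
     "severity": "Medium", "numericSeverity": 6.0, "confidence": 10,
     "assetAttributes": {"agentId": "i-0aaa", "amiId": "ami-0example"},
     "serviceAttributes": {"rulesPackageArn": _ARN + ":rulespackage/0-best"}},
    {"arn": _ARN + ":target/0-t/template/0-m/run/0-r/finding/0-3",
     "title": "Instance i-0bbb permits password authentication over SSH",
     "severity": "Low", "numericSeverity": 3.0, "confidence": 10,
     "assetAttributes": {"agentId": "i-0bbb", "amiId": "ami-0example"},
     "serviceAttributes": {"rulesPackageArn": _ARN + ":rulespackage/0-best"}},
]})


def load_findings(text, min_confidence=5):
    """Parse describe-findings output and drop low-confidence noise."""
    findings = json.loads(text)["findings"]
    return [f for f in findings if f.get("confidence", 10) >= min_confidence]


def severity_counts(findings):
    """How many findings of each severity a run produced."""
    return Counter(f["severity"] for f in findings)


def findings_by_instance(findings):
    """Group findings per EC2 instance, worst finding first within each group."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["assetAttributes"]["agentId"]].append(f)
    for items in grouped.values():
        items.sort(key=lambda f: -f["numericSeverity"])
    return dict(grouped)


def gate(findings, fail_at="High"):
    """Findings at or above `fail_at`: the ones that should block a deployment."""
    threshold = SEVERITY_RANK[fail_at]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]


def worst_instances(findings):
    """Instances ordered by their single worst finding, then by finding count,
    which is the order in which to patch them."""
    by_inst = findings_by_instance(findings)
    return sorted(by_inst, key=lambda i: (-by_inst[i][0]["numericSeverity"],
                                          -len(by_inst[i])))


if __name__ == "__main__":
    fs = load_findings(SAMPLE_FINDINGS_JSON)
    print(dict(severity_counts(fs)))
    for inst in worst_instances(fs):
        print(inst, [f["severity"] for f in findings_by_instance(fs)[inst]])
    blocking = gate(fs)
    print("deployment blocked" if blocking else "deployment allowed", len(blocking))
```

The gate threshold is deliberately a parameter: a new template with the CIS benchmark rules package typically produces many Medium findings on day one, so start by failing only on High and lower the threshold as the baseline is cleaned up.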


Posted on July 13, 2017 in AWS, Cloud, Technology


Amazon Security Services, Part One: IAM

Episode 77

As promised in the last episode, we will start with Amazon Web Services security today. As this is a large topic, I have decided to split it into two articles, as I did with AWS networking. In the first part, we will cover the fundamental service from the security group, Identity and Access Management, and all concepts related to it. In the second part, we will look into the other security services and AWS security in general.


Identity and Access Management is a service that lets us control how people and machines access and operate on AWS resources. It is used to authenticate and authorize different types of principals, organize them in groups and assign policies that allow flexible and fine-grained control over who can do what and when. Not surprisingly, IAM can be managed via the AWS console, the CLI or the SDKs.
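The "who can do what and when" part is decided by the policy evaluation rules, and the order in which they apply is the single most important thing to understand about IAM: an explicit Deny in any applicable policy wins, otherwise an Allow is needed, and anything not explicitly allowed is implicitly denied. The following is an added example, not code from the original post or AWS's own evaluator. It is a deliberately reduced model that handles only Effect, Action, Resource (with `*` wildcards) and the `Bool` condition operator, and ignores NotAction, NotResource, Principal, resource-based policies, permission boundaries and SCPs; the two policy documents, bucket names and ARNs are constructed for illustration.

```python
"""Reduced model of IAM policy evaluation: explicit Deny beats Allow, and
anything not explicitly allowed is implicitly denied.

Added example, not from the original post and not AWS's evaluator. Covers only
Effect / Action / Resource and the Bool condition operator; NotAction,
NotResource, Principal, permission boundaries and SCPs are not modelled.
The policies below are constructed for illustration.
"""
import fnmatch


def _as_list(value):
    # IAM lets Action/Resource be a single string or a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case):
    # Action names match case-insensitively in IAM; ARNs are case-sensitive.
    for pattern in _as_list(patterns):
        if ignore_case:
            pattern, value = pattern.lower(), value.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def _condition_holds(condition, context):
    """Only the Bool operator is modelled. As in IAM's Bool (not BoolIfExists),
    a context key that is absent makes the condition false, so a Deny guarded
    by it simply does not apply; this is why real MFA guardrails use
    BoolIfExists or a Null check."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise ValueError("unsupported condition operator: " + operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, ignore_case=True):
                continue
            if not _matches(stmt.get("Resource", "*"), resource, ignore_case=False):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny wins over every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample: a developer's identity policy plus a guardrail policy
# attached to the same group.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]},
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::app-bucket/uploads/*"},
]}
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:Put*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}
POLICIES = [DEVELOPER_POLICY, GUARDRAIL_POLICY]


if __name__ == "__main__":
    print(evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"))
    print(evaluate(POLICIES, "s3:DeleteBucket", "arn:aws:s3:::app-bucket"))
    print(evaluate(POLICIES, "s3:PutObject", "arn:aws:s3:::app-bucket/uploads/a.txt",
                   {"aws:MultiFactorAuthPresent": False}))
```

Run the request you are unsure about through a model like this before opening a ticket; in practice the same question is answered for real by the IAM policy simulator, which also accounts for the policy types this model leaves out.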

Principals

The first important concept in IAM is the principal. It is an entity that is allowed to interact with AWS resources; it may be permanent or temporary, and it may be a human being or an application. Principal-related concepts include:


Posted on July 6, 2017 in AWS, Cloud, Technology


Spring Security Basics

Episode 63

Welcome to the next installment of the series about Spring-based web application development. So far we have covered the AngularJS frontend, Spring core, web services, database access and unit tests. Today we are going to take care of our application's security: basic authentication and authorization, users, roles, a custom login form and method-level security.


The Spring Security project started as Acegi Security around 2004 and initially focused on custom authorization, relying on standard Java Enterprise Edition container-managed authentication. Version 1.0.0 became an official Spring sub-project in 2006, and a year later it was rebranded as Spring Security. Say hello to Alice, Bob and Eve.

Foundations

We should briefly clarify some security terminology, which can sometimes be confusing:

Identification is stating a subject's identity, such as a user name, without yet providing any proof of it (Hi, I'm Alice).


Posted on March 30, 2017 in Spring, Technology


Software Talks Rzeszów Dec 2016 and banking apps security

Episode 48

Software Talks is a recurring event organized by PGS Software, consisting of tech talks, beer, pizza and a lot of fun. Some time ago I wrote about the two September editions in Wrocław and Gdańsk, in which I took part as a speaker. On December 8th there was another event, this time in Rzeszów, a city located in south-eastern Poland. I was a speaker for the third time in a row, but for the first time with my colleague Tomasz Zieliński, who recently made a lot of noise in the Polish banking environment by preparing a report that exposed several critical security issues and other major problems in their mobile banking applications. If you read my article about working for different types of companies, you might have noticed that I'm not a big fan of banks' approach to software development, so I'm going to elaborate on Tomasz's findings without mercy.

Background

Last time at Software Talks I spoke alongside Piotr Konieczny, a Polish security expert. This time the idea was to focus more on Java and software development topics, so I was on a mission to find a second Java speaker. I found one, but at the last moment some issues appeared and he couldn't make it, so his place was taken by Tomasz, who is actually our Android expert.


It was kind of a busy week for me, as I spent three days in Berlin with our client, arrived in Wrocław on Wednesday evening, and an hour later I was in a car with


Posted on December 15, 2016 in News, Technology
