I thought I would share some of the hands-on how-to and lessons learned from hardening some web sites and applications. I posted a bit about this here (and in the vid at the bottom).

If you are interested in sharing what you have learned about assessing a web app/API/site for security, how to harden it, and some of the tools involved, come on out.

I will then show some of the more complex things you can do with a Web Application Firewall (WAF), using lua-resty-waf (https://github.com/p0pr0ck5/lua-resty-waf) as an example, for when you are stuck with a weak app and no way to fix its code.

Topics:

  • Content-Security-Policy
  • XSS-*
  • Cross-Origin Resource Sharing (CORS)
  • HTTP Strict Transport Security
  • TLS setup
  • DNS CAA


Feel free to open https://observatory.mozilla.org/analyze/www.rbcroyalbank.com and be amazed @ the score of 0/100 (F).

Link below for where/when etc.

Waterloo Technology Chautauqua (Kitchener, ON)

[Chautauqua](https://en.wikipedia.org/wiki/Chautauqua) is a principle of continuous adult education. The seed of this group is a set of people who have worked together on a va...

Next Meetup: Securing a web (site/app/api): hands on!

Tuesday, Jan 28, 2020, 7:00 PM


Over on my company blog I've posted a video and some info on how you can very simply assess the security of a website you might use. I encourage you to give it a try, pick your bank, get the score, post below, convince a friend to do the same.

I've posted my bank (RBC Royal Bank of Canada) below to get the conversation started.


Over on my company YouTube channel I've done a few videos now, trying out the settings and so on. The topics are all going to be Cloud Native, Kubernetes, Cyber Security, Zero-Trust, etc.

Now that I kind of have the hang of it, I'm soliciting topics that you think would be interesting to explore. Feel free to add them in the comments here, and/or on the YouTube Channel. (and feel free to subscribe to the YouTube channel!)

Want to know more about Istio? Cloud Native? Costing of public cloud? Workload-based firewalls using things like SPIFFE and SPIRE? OpenID, 2-Factor, authentication?

How about some of the more mundane, like moving a legacy .NET application to a container, Linux, cloud?

Anyway, let me know the topics of interest. Subscribers to the channel help, comments help, here, there, on my Corporate blog, on the LinkedIn feed, etc.

Following on LinkedIn helps the most, because then your contacts also see some percentage of the posts.

On the latest one, you can see my Blender attempt at the intro.

Another topic I started to cover was our resilience strategy and how we deal with single failures and embrace them.

Know a not-for-profit, charity, or academic who has an idea to build a resilient, trusted and secure internet for all Canadians? Do they need a bit of money to make that idea sing? Perhaps they want to consider applying for a CIRA community investment program grant.

How you ask? Head on over to https://cira.ca/improving-canadas-internet/grants and it will explain eligibility and criteria, but generally ideas relating to Infrastructure, Digital Literacy, Cybersecurity, Community Leadership.

You get a +1 if the idea is supporting students or northern, rural, indigenous communities.


My new office is in the heart of downtown Kitchener. An odd thing I have noticed more than a few times... nice bikes not secured. The city has these bike-shaped bike racks directly on the street, but, instead, people just lean their bike up against the shop and go in. The image below is from my office window (we have a great view, don't you think?). Note 3 nice-looking bikes, ready to run off with, and no concern. The folks came out of the payday loan/cheque-cashing/pawn shop later and rode off. No theft.

It's not isolated. The other day I walked past the Dollarama and there was a full-suspension bike leaned there; the owner came out a few minutes later and rode off.

Contrast this to my experience with bike theft at my previous office. It was locked, they cut and run. Huh.

PS, the Shawarma cheeseburger is amazing.