Sunday, 22 May 2022

OWASP top 10 - 2021

 Always verify your system's have reviewed the OWASP top 10 vulnerabilities 2021

  1. Broken Access control (ensure users only see what they should have access too), 
  2. Cryptographic failure (data in transit and at rest must be securely encrypted, more sensitive data must be more encrypted.  by default everything should be encrypted but add extra encryption/controls to sensitive information like passwords.  For payment processing use a specialist provide like Stripe.), 
  3. Injection (data input results in unintended processing) examples are SQL injections and Cross side scripting (XSS),
  4. Insecure Design (new addition in 2021, don't include sensitive information in error messages, ensure architecture can scale, passwords stored in plain text or are not rotatable, deal with DDoS, if 1 part of an app brings the whole solution down),
  5. Security misconfiguration (default setup that is not very secure e.g. default password is not changed on installed software, ensure security hardening happens.  I.e. short passwords, changing passwords, updating software,...)
  6. Vulnerable outdated components (we use components in code, if they have security weaknesses it's likely you also have it Log4J was an example.  You need to know all you supply chain dependencies so you need to ensure they are not vulnerable.  SAST scanning tools help identify vulnerabilities.  Know your component dependencies!), 
  7. Identification & authorisation failures (You are who you say you are, check claims, use OAuth, OIDC example is session hijacking or stealing someone else's identification, public pc, next user logs in as you previous user),
  8. Software and Data integrity failures (insured CI/CD pipeline, closely linked to item 6. example, could automatically update a nugget package to the latest automatically which has a security flaw in it),
  9. Security Logging and Monitoring failures (check logs to detect security issues, incidents will happen and can often see people scanning for vulnerabilities),
  10. Server-side Request Forgery (SSRF) (servers ask for endpoint info, use only-allow in headers or only allow the specific IP of the partner, ensure only relevant info is returned).

Monday, 2 May 2022

Useful Generic Resources from Microsoft - Miscellaneous

1. Microsoft Style Guide

Microsoft have an extremely useful Microsoft Style Guide for websites and apps to ensure the communication is clear and consistent.  It is simple to follow and makes understanding for customers easier.  The key takeaway for me is be consistent and "Be warm and relaxed, crisp and clear, and ready to lend a hand as appropriate for the context." Developer content - Microsoft Style Guide | Microsoft Docs 

For Ux Developers, the finalised messages is generally not available (or known) so it is good if they provide messages that they believe are correct that are "warm and relaxed, clear, and contextual", this allows for updates to be much easier for the final content reviewer.  

https://docs.microsoft.com/en-gb/style-guide

2. Fluent UI

Fluent UI Fluent UI - Get started - Fluent UI (microsoft.com) is useful to provide a consistent framework for Ux.

3. Frontend Bootcamp

Microsoft Days in the Web - Welcome

4. Kiota