Sunday 26 June 2022

Microsoft Sentinel - Introduction

Overview: Microsoft Sentinel is Microsoft's cloud hosted SIEM solution.  It can take data from Azure, on-prem., and other cloud infrastructure such as AWS.  Sentinel gathers data from various sources, and evaluates to generate alerts.  

SIEM allows software products and services to bring security information/events into a management tool to provide real-time analysis of security from all applications and networks across the enterprise.  SIEM stands for security, information, and event management and is commonly used by the COS (Security Operations Teams of a business), the SOC is often outsourced or partially outsourced to Service companies e.g. Avanade are good at this.  Other SIEM products are: SolarWinds security and monitoring (great product), McAfee ESM, Rapid7, Splunk, and Datadog.  There on installable and SaaS solutions but I prefer SaaS solution like Microsoft Sentinel.  AWS and Google also provide SIEM services.

Microsoft Sentinel (previously called Azure Sentinel) is cloud-native and collects SIEM data from systems, applications and networking to provide an overview of the organizations security alerts, and allows identification for remediation.  It accepts several common formats for capturing events and offers a REST - API.  Sentinel also has a ton of native connectors.

"Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution." Microsoft Docs

Posted by Paul Beck at 12:59 0 comments
Labels: , ,

Monday 13 June 2022

Simple Password protection got GTM - Starting Page

Overview:  I am use the AuthPro service to check a user has a code to access the website.  This is useful for Go to Market (GTM) where you only want a subset of customers to work on your software.  Think of a beta where a user can sign up, you give people with an NDA a code to be able to go thru the sign-up process.

Simple solution:  

To get to the sign-up/register page, use an external service e.g. AuthPro to manage a passcode.  AuthPro injects JS and allows the admin to configure the behavior.  It was pretty simple to setup so only specified users could go thru our sign up process.

Demo:  This page allows the user to login, if, successful the user can proceed and use the website.

Type in the username "password" and the password "password" for access to the hidden page.  

Another Option: Imperva has a lot of features including "Login protection" that can easily achieve the same outcome.



Posted by Paul Beck at 15:02 0 comments
Labels: , ,

Sunday 5 June 2022

NIST/RMF - Cyber risk control

Overview: NIST National Institute of Standards and Technology - Provides Risk Management Framework (RMF) - Is a framework to reduces security risk to systems and data.


Goals of NIST RMF:
  • Consistent and cost effective set of security controls
  • Repeatable assessment approach
  • Technology neutral
  • Implement an efficient risk-based security and privacy program.

Notes:

  • Each of these six steps have Special Publications (SP) that are applicable to the area.
  • The core document to for RMF is NIST SP 800-37 Revision 2. 
  • Used to identify security/pricacy risks at both the operation and system level 

Posted by Paul Beck at 14:59 0 comments
Labels: , ,

Sunday 22 May 2022

OWASP top 10 - 2021

 Always verify your system's have reviewed the OWASP top 10 vulnerabilities 2021

  1. Broken Access Control (ensure users only see what they should have access too).  Permission need to be correctly specified and enforced.  i.e. don't allow customers to have Admin account privileges or access to another customers details.  Security needs to allow enough right/privileges so people and clients can do what they need to but must not over allow privileges.  Prevention techniques must include least privilege (no access by default and give the minimum needed permissions), audit access and changes (think tomb tables/temporal changes) but can also include access auditing and logging access control changes.  Lastly, QA must verify permissions work as expected, so often it is just assume it works as the QA thinks and not to actual policy/specification), 
  2. Cryptographic failure (data in transit and at rest must be securely encrypted, more sensitive data must be more encrypted/scrambled.  By default everything should be encrypted but add extra encryption/controls to sensitive information like passwords.  For payment processing use a specialist provide like Stripe.  Encryption can be symmetric or asymmetric.  Ensure you use algorithms that are considered weak such as Triple DES also known as 3DES rather use AES, or hashing Algorithms such as SHA1 and RIPEMD160 are weak, rather use a SHA2 algorithm.  Manage your keys properly such as Azure Key Vault and rotate the keys regularly.  Salt hash key data to have encryption and hashing on sensitive data), 
  3. Injection (data input results in unintended processing) examples are SQL injections and Cross side scripting (XSS),
  4. Insecure Design (new addition in 2021, don't include sensitive information in error messages, ensure architecture can scale, passwords stored in plain text or are not rotatable, deal with DDoS, if 1 part of an app brings the whole solution down),
  5. Security misconfiguration (default setup that is not very secure e.g. default password is not changed on installed software, ensure security hardening happens.  I.e. short passwords, changing passwords, updating software,...)
  6. Vulnerable outdated components (we use components in code, if they have security weaknesses it's likely you also have it Log4J was an example.  You need to know all you supply chain dependencies so you need to ensure they are not vulnerable.  SAST scanning tools help identify vulnerabilities.  Know your component dependencies!), 
  7. Identification & authorisation failures (You are who you say you are, check claims, use OAuth, OIDC example is session hijacking or stealing someone else's identification, public pc, next user logs in as you previous user),
  8. Software and Data integrity failures (insured CI/CD pipeline, closely linked to item 6. example, could automatically update a nugget package to the latest automatically which has a security flaw in it),
  9. Security Logging and Monitoring failures (check logs to detect security issues, incidents will happen and can often see people scanning for vulnerabilities),
  10. Server-side Request Forgery (SSRF) (servers ask for endpoint info, use only-allow in headers or only allow the specific IP of the partner, ensure only relevant info is returned).
Posted by Paul Beck at 13:59 0 comments
Labels: , , ,

Monday 2 May 2022

Useful Generic Resources from Microsoft - Miscellaneous

1. Microsoft Style Guide

Microsoft have an extremely useful Microsoft Style Guide for websites and apps to ensure the communication is clear and consistent.  It is simple to follow and makes understanding for customers easier.  The key takeaway for me is be consistent and "Be warm and relaxed, crisp and clear, and ready to lend a hand as appropriate for the context." Developer content - Microsoft Style Guide | Microsoft Docs 

For Ux Developers, the finalised messages is generally not available (or known) so it is good if they provide messages that they believe are correct that are "warm and relaxed, clear, and contextual", this allows for updates to be much easier for the final content reviewer.  

https://docs.microsoft.com/en-gb/style-guide

2. Fluent UI

Fluent UI Fluent UI - Get started - Fluent UI (microsoft.com) is useful to provide a consistent framework for Ux.

3. Frontend Bootcamp

Microsoft Days in the Web - Welcome

4. Kiota

Posted by Paul Beck at 06:54 0 comments
Labels: , , ,

Saturday 19 March 2022

Integrating Software & Data Thoughts

Problem: Systems need to communicate, the simplest is a one-way communication (Mono directional) done on a scheduled basis, the hardest is 2-way comms, in real time. 

Hypothesis: Figure out you requirement, this sounds odd but 2 way with both being the primary causes headaches.  Adding multiple systems and security at a user level makes integration more complex. 
Keep it simple figure out: 
  • Apps to connects - Can be an N-to-M set of relationships 
  • Direction/Parent - One way, 2 way. 
  • Re-occurrence - scheduled, events, real-time. 
Your application will generally be the spoke and not the hub.  So if you are the hub the generally accepted way for SaaS is for the hub to offer an Open API and the hub controls the schedule/event to get or push the data to the hub.

Possible resolutions
  • Central Sw that has connectors can be a good option for complex multisystem communication: https://www.codat.io
  • Always understand the API's hopefully you don't need to use exports to get data but sometimes you need to fall back to this level.
  • Also ensuring transactions are completed over 2 systems need to validate data is committed, use Saga or 2PC pattern.
Posted by Paul Beck at 09:59 0 comments
Labels: , , ,

Sunday 13 March 2022

Generating a pdf from a word binary - Power Platform

Overview: Move a word document into a pdf stream in a Power Automate flow.

Solution: I am triggering a flow when a word document is created in Dataverse.  I get the word document in a stream and use OneDrive for Business (OD4B) to persist the docx to OneDrive.  I use the Power Automate Word for Business connector to convert the docx in OD4B into a pdf binary stream in my flow.  


Tip: The Location (OneDrive site collection) gets converted to a guid, so if you need a separate site collection for OneDrive or SharePoint, you can use the MS Graph and I believe this URL also works: 
https://radimaging.sharepoint.com/personal/paulbeck/_api/v2.0/drives.
Posted by Paul Beck at 10:59 0 comments
Labels: , , ,
Subscribe to: Posts (Atom)