Being An Agile Security Officer: Spread Your Knowledge

This is my fifth and last part of my blog series about Being an Agile Officer

In the previous parts I showed how Security Officers can align with the Agile process and let security become a standard considered quality attribute again. Unfortunately many teams not only need to be made aware of security requirements, but also need technical advise and guidance in designing and implementing them. As an Agile Security Officer you therefor need not only to act as a Stakeholder, but also as a Domain Expert for Security.

Read more →

Docker containers vulnerability scan with Clair

When you work with containers (Docker) you are not only packaging your application but also part of the OS. Therefore it is crucial to know what kind of libraries might be vulnerable in you container. One way to find this information is to use and look at the Docker Hub or Quay.io security scan. The problem whit these scans is that they are only showing you the information but are not part of your CI/CD that actually blocks your container when it contains vulnerabilities.
Read more →

Docker container secrets on AWS ECS

Almost every application needs some kind of a secret or secrets to do it’s work. There are all kind of ways to provide this to the containers but it all comes down to the following five:

  1. Save the secrets inside the image
  2. Provide the secrets trough ENV variables
  3. Provide the secrets trough volume mounts
  4. Use a secrets encryption file
  5. Use a secrets store

Read more →

Caveats and pitfalls of cookie domains

Not too long ago, we ran into an apparent security issue at my current assignment – people could sign in with a regular account, but get the authentication and permissions of an administrator user (a privilege escalation bug). As it turned out, the impact  of the security issue was low, as the user would need to be logged in as an admin user already, but it was a very confusing issue. In this post I’ll try and explain the situation, how browsers handle wildcard subdomain cookies, and what to keep in mind when building an authentication back-end when it comes to cookies storing session information.

Read more →

Being an Agile Security Officer: pwn the process

This is the third part of my ‘Being an Agile Security Officer series’. As mentioned in my previous blog, in the Agile world the Product Owner is the person who translates business and customer desires into work items for the teams. To do this, product owners have several techniques and means at their disposal. In this blog I will focus on the backlog and the definition of done. As a security officer it’s important to understand their purpose and to learn how they can help you achieve your goals.

Read more →

How to create your own Lint rule

When you are part of a multi-team project in Android, it becomes relatively hard to have a common understanding of how components should be used. This is where Android Lint can help you! In this blog we will show you how you can write your own Lint rules and test them. As an example, we create a sample Lint Detector, which is used to detect whether you have excluded the “secret data” in your application from the Android Authobackup introduced in Android Marshmallow.

Read more →

Being An Agile Security Officer: Security Stakeholdership mindset

This is the second part in my blog series about ‘being an agile security officer’. In this blog I will focus on the mindset of security stakeholdership in Agile and DevOps environments.

In the Agile world the Product Owner is the person who translates business and customer desires into work items (user stories) for the teams. The actual desires and requirements however are provided by stakeholders. Stakeholders are usually representatives of the business and end-users; in the new world security officers should start taking up the role of security stakeholders. The Product Owner usually has multiple stakeholders to take into consideration. As a security stakeholder you have to ‘compete’ with other stakeholders for the most valuable changes. It has become, more than ever, important to be able to translate your requirements into actual value.

Read more →