Cybersecurity Resources

Policies

These resources are mandatory for anyone that works with DjaoDjin to read or watch.

• Regularly conduct audits of end-users, roles and associated permissions
• Enforce MFA whenver possible. Prefer OTP when available.
• Enforce strong password policies

See detailed Operational Guidelines.

Courses

For non-technical employees and contractors, Cyber Security Awareness Training for Employees is a good course.

The following are in-depth courses about specific cybersecurity topics. If you work for DjaoDjin and the materials are not freely accessible, please bring it to the attention of you manager. There is always a budget for education around cybersecurity topics.

• Clark Center - Teach Cyber Today ... Secure Tomorrow
• Data security in multi-tenant SaaS applications
• What is SAML

Application-specific

If you are an Application developper at DjaoDjin, or are responsible in general to build business logic applications, you will want to read the following security-focused articles.

• Best practices for microservices security

  1. Apply a number of different layers of security
  2. Use security scanners for your containers
  3. Use an API gateway
  4. Use OAuth for user identity and access control
  5. Don’t write your own crypto code

  More to read: 8 best practices for microservices security

• Cloud storage security: What’s new in the threat matrix
• Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
• Choosing an SSO Strategy: SAML vs OAuth2

Client-side business logic

• Broken Authentication and Session Management – part Ⅰ
• User Authentication and Access Control in a Web Application
• Understanding the CSRF(Cross-site request forgery) Vulnerability
• How to Persist JWT Tokens for Your SaaS Application
  • How about limiting the expiration of JWT tokens? Setting the expiry to 5 minutes? Well, it solves a part of the problem but still leaves you exposed.
  • How about saving the token in memory? While this does solve the security problem, it breaks usability as we cannot handle scenarios such as page refresh / new tab.
  • Maybe saving the JWT token as an HTTP-only cookie? That totally works but exposes us to CSRF attacks without any additional CSRF protection.

  Persisting Through Refresh Tokens and HTTP-Only Cookies: Using this approach we can store the JSON Web Tokens in-memory while saving the refresh tokens using http-only cookies. The refresh tokens are not vulnerable to CSRF attacks on form submits because the attacker cannot get the value of the JWT which was returned from the endpoint.

• JSON Web Token Best Current Practices
• Web Based Session Management: Best practices in managing HTTP-based client sessions
• Best practices for REST API security: Authentication and authorization

Server-side business logic

• Docker Image Insecurity
• Docker Security

• Django Web Application Security
• Django's little protections: a word on redirect dangers
• Pen testing Django and Rails

Operation-specific

If you are an Operations engineer at DjaoDjin, or are responsible in general to make sure machines are up and running, you will want to read the following security-focused articles.

• Firewall Best Practices - Egress Traffic Filtering
• SELInux Possible Causes of Silent Denials
• SSH Agent Forwarding considered harmful
• Comparison of the SSH Key Algorithms

References

A bit dry sometimes, yet great entry points for in-depth understanding of a topic.

• Computer Security Resource Center
• Security Focus
• Exploit Db
• Full Disclosure
• Security Bloggers Network
• Forums for discussing modern cryptographic practice
• Content Security Policy Reference
• Google Infrastructure Security Design Overview
• Measuring what matters in cybersecurity
• NIST SP 800-82 Rev. 3 Guide to Operational Technology (OT) Security
• EnGarde Linux

News site and RSS Feeds

Publication with Cybersecurity focused news

• AWS Security Bulletins
• Django Weblog
• NGINX: How are Security Announcements shared?
• PostgreSQL: Security Information
• Bleeping Computer

Timely articles

Random news and opinions around the Web worth reading.

• Passports Were a “Temporary” War Measure
• Apple’s Fingerprint ID May Mean You Can't "Take the Fifth"
• Amazon.com - Employee Access Challenge
• The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive
• TWO-FACTOR AUTHENTICATION IS A MESS
• Future of SSL in doubt?
• BlackHat USA 2011: SSL And The Future Of Authenticity
• Abusing CSS Selectors to Perform UI Redressing Attacks
• The Unpatchable Malware That Infects USBs Is Now on the Loose
• Driving Robocallers Crazy With the Jolly Roger Bot
• How to Crash Systemd in One Tweet
• The Web Authentication Arms Race – A Tale of Two Security Experts
• The Web never forgets: Persistent tracking mechanisms in the wild
• The Internet: Anonymous forever
• Why "security" keeps winning out over privacy?
• Am I Unique?
• How Private DNA Data Led Idaho Cops on a Wild Goose Chase and Linked an Innocent Man to a 20-year-old Murder Case
• How is NSA breaking so much crypto?
• NSA-proof your email in 2 hours
• a scheme to thwart government surveillance of sensitive online payments
• A children's guide to the NSA (and a fairy tale for the rest of us)
• Why ‘I Have Nothing to Hide’ Is the Wrong Way to Think About Surveillance
• RSA Animate: The Truth About Dishonesty
• yURLs
• Spying on the homefront

• Awesome-ml-for-cybersecurity
• How to Leverage the Shared Responsibility Model During Your Security Audit
• Balancing frontend security and performance with HTTP Strict Transport Security
• IBM Differential Privacy Library: The single line of code that can protect your data
• About OpenPMF - Security policy management through automation.
• Container monitoring using Splunk
• Pentest lab - Metasploitable 2