Introduction I used LastPass for several years, and it helped me a lot to access my passwords and secrets at any moment, from multiple devices, in a secure way. But to be honest, I freaked out when I heard about the last hack [1]. I changed my most important passwords, […]
Security
AMIS DataSafe, the answer to Black Swan scenarios
How to be prepared for a black swan scenario?
AWS Config automated remediation
Introduction It is possible in AWS to check if your environment is compliant with your minimum standards. It is also possible to automatically change the environment to make it compliant again. Maybe not in a way that was designed by the developer – but compliant anyhow. Let me give an […]
Jenkins: Obtaining and displaying credentials
Jenkins is a solid CI/CD platform which has proven itself over the years. Many organizations use it to build, test and deploy their applications. In Jenkins it is possible to define credentials or to use an external credential store. You can then use these inside your pipelines and jobs. Direct […]
SonarCloud: OWASP Dependency-Check reports
SonarCloud is a hosted SonarQube SaaS solution which helps you with code quality management. It is free to use for open source projects. You cannot install third-party plugins in SonarCloud, however. This puts some limitations on the kind of data you can put in SonarCloud. For Java this is […]
OWASP ZAP: A quick introduction to a versatile open source DAST tool
OWASP ZAP (Zed Attack Proxy) is an open source dynamic application security testing (DAST) tool. It is available here and has a website with documentation here. I recently encountered it when looking for open source security test tools to embed in a CI/CD pipeline (here). I was surprised by how versatile this tool […]
Java Security: Open Source tools for use in CI/CD pipelines
It is often expected of a DevOps team to also take security into consideration when delivering software. Often however, this does not get the attention it deserves. In this blog post I’ll describe some easy to use, CI/CD pipeline friendly, open source tools you can use to perform several checks […]
VNet peering in Azure
Introduction I looked into virtual network peering in Azure and I saw something that looked rather strange to me. Let me explain what it was, how VNet peering works and what you should be aware of from a security perspective. Situation I have two virtual networks: one for 10.1.0.0/16 […]
Using one-time upload URLs in AWS with S3 versioning
In this blog, I will show how you can use the SAM (Serverless Application Model) to get a presigned upload URL to AWS S3 that can be used exactly once [1]. In AWS it is possible to use a presigned URL to upload files, but the URL is valid for […]
Using one-time upload URLs in AWS with Memcached
In this blog I will show how you can use the SAM (Serverless Application Model) to get a presigned upload URL to AWS S3 that can be used exactly once [1]. In AWS it is possible to use a presigned URL to upload files, but the URL is valid for […]
Using one-time upload URLs in AWS using DynamoDB
In this blog, I will show how you can use the SAM (Serverless Application Model) to get a presigned upload URL to AWS S3 that can be used exactly once [1]. In AWS it is possible to use a presigned URL to upload files where the URL is valid for […]
Jenkins Pipeline: SonarQube and the OWASP Dependency-Check
The OWASP Foundation plays an important role in helping to improve the security of software worldwide. They have created a popular and well-known awareness document called the ‘OWASP Top 10’. This document lists the following risk: using components with known vulnerabilities. Software nowadays can be quite complex, consisting of many direct and […]
Surprisingly easy: Anchore Engine for container vulnerability scanning in a Jenkins pipeline running on Kubernetes
Anchore Engine is a popular open source tool for container image inspection and vulnerability scanning. It is easily integrated in a Kubernetes environment as an admission controller or in a Jenkins build pipeline using a plugin. A while ago I took a look at Anchore Engine and created a small introductory presentation and Katacoda scenario for […]
Has fixed vulnerability….
This year alone, more than 70 ‘advisories’ have been formulated by the Nationaal Cyber Security Centrum. Despite these advisories, we regularly read about major IT hacks and/or disruptions. They are often accompanied by major financial and/or societal consequences.
Anchore Engine: Container image vulnerability scanning
Applications nowadays are usually deployed inside containers. A container consists of libraries and tools which allow the application to run inside it. Since there can be exploitable vulnerabilities, it is not only important to take security into account for your application, but also for the container it runs in. There are […]
Policies in AWS (2)
Yesterday I published a blog about AWS policies. We used the IAM wizard to create a policy. When you try to use this policy with the users we created, you will get errors like these when you go to ECS, and try to create (for example) an ECS-cluster: This is […]
Secure browsing using a local SOCKS proxy server (on desktop or mobile) and an always free OCI compute instance as SSH server
Oracle provides several services as ‘always free’. In contrast to Azure and Amazon, these include compute instances which remain ‘forever’ free to use. Although there are some limitations on CPU, disk and network resources, these instances are ideal to use as a remote SSH server and with a little effort a […]
Securing Oracle Service Bus REST services with OAuth2 client credentials flow (without using additional products)
OAuth2 is a popular authentication framework. As a service provider it is thus common to provide support for OAuth2. How can you do this on a plain WebLogic Server / Service Bus without having to install additional products (and possibly have to pay for licenses)? If you just want to […]
How to securely access remote content without using a VPN: Use a proxy server accessed through an SSH tunnel
There are numerous occasions on which I was limited in my work because of connectivity which could not be trusted. For example, I could not download large installers due to a proxy anti-virus tool which manipulated downloads, causing files to become corrupted. I needed to visit a website to find […]
OpenSSL example commands
OpenSSL “OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used in internet web servers, serving a majority of all web sites. OpenSSL contains an open-source implementation of the SSL and […]
Oracle SOA Suite and WebLogic: Overview of key and keystore configuration
Keystores and the keys within can be used for security on the transport layer and application layer in Oracle SOA Suite and WebLogic Server. Keystores hold private keys (identity) but also public certificates (trust). This is important when WebLogic / SOA Suite acts as the server but also when it […]
Oracle Mobile Cloud Service (MCS) and Integration Cloud Service (ICS): How secure is your TLS connection?
In a previous blog I have explained what cipher suites are and the role they play in establishing SSL connections, and have provided some suggestions on how you can determine which cipher suite is a strong cipher suite. In this blog post I’ll apply this knowledge to look at incoming […]
Oracle Compute Cloud – Uploading My Image – Part Two – Linux 7
In this sequel of part one I will show how you can upload your own (Oracle) Linux 7 image in the IAAS Cloud of Oracle. This post will use the lessons learnt by using AWS which I described here. The tools used are: VirtualBox, Oracle Linux 7, Oracle IAAS Documentation […]
Two way ssl
How it works in a simple view Several implementations use two-way SSL certificates, but are you still wondering how it works? Let’s try to explain. Two-way SSL means that a client and a server communicate with each other over a verified connection. The verifying is done by certificates to […]
AWS – Build your own Oracle Linux 7 AMI in the Cloud
I always like to know what is installed in the servers that I need to use for databases or Weblogic installs. Whether it is in the Oracle Cloud or in any other Cloud. One way to know is to build your own image that will be used to start your […]
SSL/TLS: How to choose your cipher suite
For SSL/TLS connections, cipher suites determine for a major part how secure the connection will be. A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings (here). But what does this mean and how do you […]
Configuring Oracle Traffic Director 12c with WebGate
At a recent customer install, I was faced with configuring Oracle Traffic Director (OTD) 12.2.1.2.0 WebGate with Oracle Access Manager. Deploying WebGate on OTD 12c is very well described in the documentation. See A Configuring OAM Agent (WebGate) for Oracle Traffic Director 12.2.1.2 There is however a flaw in the […]
Single-Sign-On to Oracle ERP Cloud
More and more enterprises are using Single-Sign-On (SSO) for their on-premise applications today, but what if they want to use SSO for their cloud applications as well? This blog post addresses this topic for Single-Sign-On to Oracle ERP Cloud in a hybrid environment. First of all, let’s focus on […]
Oracle 12c STIG Password Generator in PL/SQL
Creating or modifying an Oracle Database user password can be done by using any standard password generator you can find on the web. But I wanted a password to comply with “ora12c_strong_verify_function”, and this isn’t as easy to generate as you might expect. Though most generators provide options to include […]