Introduction I looked into virtual network peering in Azure and I saw something that looked rather strange to me. Let me explain what it was, how VNet peering works and what you should be aware of from a security perspective. Situation I have two virtual networks: one for 10.1.0.0/16 […]
Using one-time upload URLs in AWS with S3 versioning
In this blog, I will show how you can use the SAM (Serverless Application Model) to get a presigned upload URL to AWS S3 that can be used exactly once [1]. In AWS it is possible to use a presigned URL to upload files, but the URL is valid for […]
Using one-time upload URLs in AWS with Memcached
In this blog I will show how you can use the SAM (Serverless Application Model) to get a presigned upload URL to AWS S3 that can be used exactly once [1]. In AWS it is possible to use a presigned URL to upload files, but the URL is valid for […]
Using one-time upload URLs in AWS using DynamoDB
In this blog, I will show how you can use the SAM (Serverless Application Model) to get a presigned upload URL to AWS S3 that can be used exactly once [1]. In AWS it is possible to use a presigned URL to upload files where the URL is valid for […]
Jenkins Pipeline: SonarQube and the OWASP Dependency-Check
The OWASP Foundation plays an important role in helping to improve the security of software worldwide. They have created a popular and well-known awareness document called the ‘OWASP Top 10’. This document lists the following risk: using components with known vulnerabilities. Software nowadays can be quite complex, consisting of many direct and […]
Surprisingly easy: Anchore Engine for container vulnerability scanning in a Jenkins pipeline running on Kubernetes
Anchore Engine is a popular open source tool for container image inspection and vulnerability scanning. It is easily integrated in a Kubernetes environment as an admission controller or in a Jenkins build pipeline using a plugin. A while ago I took a look at Anchore Engine and created a small introductory presentation and Katacoda scenario for […]
Has fixed vulnerability….
This year alone, the National Cyber Security Centre has issued more than 70 ‘advisories’. Despite these advisories, we regularly read about major IT hacks and/or disruptions. They often come with major financial and/or societal consequences.
Anchore Engine: Container image vulnerability scanning
Applications nowadays are usually deployed inside containers. A container consists of the libraries and tools that allow the application to run inside it. Since these can contain exploitable vulnerabilities, it is important to take security into account not only for your application, but also for the container it runs in. There are […]
Policies in AWS (2)
Yesterday I published a blog about AWS policies. We used the IAM wizard to create a policy. When you try to use this policy with the users we created, you will get errors like these when you go to ECS and try to create (for example) an ECS cluster: This is […]
Secure browsing using a local SOCKS proxy server (on desktop or mobile) and an always free OCI compute instance as SSH server
Oracle provides several services as ‘always free’. In contrast to Azure and Amazon, these include compute instances which remain ‘forever’ free to use. Although there are some limitations on CPU, disk and network resources, these instances are ideal to use as a remote SSH server and, with a little effort, a […]
Securing Oracle Service Bus REST services with OAuth2 client credentials flow (without using additional products)
OAuth2 is a popular authentication framework. As a service provider it is thus common to provide support for OAuth2. How can you do this on a plain WebLogic Server / Service Bus without having to install additional products (and possibly have to pay for licenses)? If you just want to […]
How to securely access remote content without using a VPN: Use a proxy server accessed through an SSH tunnel
There are numerous occasions on which I was limited in my work because of connectivity that could not be trusted. For example, I could not download large installers due to a proxy anti-virus tool which manipulated downloads, causing files to become corrupted. I needed to visit a website to find […]
OpenSSL example commands
OpenSSL “OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used in internet web servers, serving a majority of all web sites. OpenSSL contains an open-source implementation of the SSL and […]
Oracle SOA Suite and WebLogic: Overview of key and keystore configuration
Keystores and the keys within can be used for security on the transport layer and application layer in Oracle SOA Suite and WebLogic Server. Keystores hold private keys (identity) but also public certificates (trust). This is important when WebLogic / SOA Suite acts as the server but also when it […]
Oracle Mobile Cloud Service (MCS) and Integration Cloud Service (ICS): How secure is your TLS connection?
In a previous blog I have explained what cipher suites are, the role they play in establishing SSL connections, and have provided some suggestions on how you can determine which cipher suite is a strong cipher suite. In this blog post I’ll apply this knowledge to look at incoming […]
Oracle Compute Cloud – Uploading My Image – Part Two – Linux 7
In this sequel of part one I will show how you can upload your own (Oracle) Linux 7 image in the IAAS Cloud of Oracle. This post will use the lessons learnt by using AWS which I described here. The tools used are: VirtualBox, Oracle Linux 7, Oracle IAAS Documentation […]
Two-way SSL
How it works in a simple view Several implementations are done with two-way SSL certificates, but still wondering how it works? Let’s try to explain. Two-way SSL means that a client and a server communicate with each other over a verified connection. The verification is done with certificates to […]
AWS – Build your own Oracle Linux 7 AMI in the Cloud
I always like to know what is installed on the servers that I need to use for database or WebLogic installs, whether it is in the Oracle Cloud or in any other cloud. One way to know is to build your own image that will be used to start your […]
SSL/TLS: How to choose your cipher suite
For SSL/TLS connections, cipher suites determine for a major part how secure the connection will be. A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings (here). But what does this mean and how do you […]
Configuring Oracle Traffic Director 12c with WebGate
At a recent customer install, I was faced with configuring Oracle Traffic Director (OTD) 12.2.1.2.0 WebGate with Oracle Access Manager. Deploying WebGate on OTD 12c is very well described in the documentation. See A Configuring OAM Agent (WebGate) for Oracle Traffic Director 12.2.1.2. There is however a flaw in the […]
Single-Sign-On to Oracle ERP Cloud
More and more enterprises are using Single-Sign-On (SSO) for their on-premise applications today, but what if they want to use SSO for their cloud applications as well? This blog post addresses this topic for Single-Sign-On to Oracle ERP Cloud in a hybrid environment. First of all, let’s focus on […]
Oracle 12c STIG Password Generator in PL/SQL
Creating or modifying an Oracle Database user password can be done by using any standard password generator you can find on the web. But I wanted a password that complies with “ora12c_strong_verify_function”, and this isn’t as easy to generate as you might expect. Though most generators provide options to include […]