Posts

Showing posts from 2023

Cybersecurity

It's for the web? Yes. It's for applications? Yes. It's for mobile? Yes. It's all code, anywhere, all the time. But how do I understand how to secure such different codebases and platforms? I've said it before and I'll say it again: OWASP. They have a compendium of cheat sheets to help you on your path. These are goldmines of direct actions you can take for better security when coding across platforms, toolsets and languages. I had forgotten how many morsels of immediately accessible techniques each entry in the cheat sheet series contains. For instance, session stealing is one of the vectors through which the SolarWinds hack was accomplished. Reduce the window in which a session can be stolen by shortening the session timeout and disabling sliding expiration. But how? Here's one .NET example, which makes it concrete: ExpireTimeSpan = TimeSpan.FromMinutes(60), SlidingExpiration = false. OWASP is not just Top-10 lists and the place to find out about the l
Note to self: Don't write your own encryption. Just. Don't. There are already capable, tested and even tried and true encryption algorithms, implemented across platforms and languages and built into libraries and services. And did I mention "tested"? With mathematical validations of how hard they should be to crack? If you actually need to encrypt things, then use existing algorithms and software to do it. You'll have enough to worry about with key management, library verification and making sure the rest of the team gets up to speed that, no, it's not just Easier | Faster | Better to do it yourself. Unless of course your sole job is creating, writing, testing, proving and implementing encryption algorithms, because you have all the maths...