Andreas Happe: Everything
AppSec includes all tasks that (hopefully) introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance. To contrast AppSec with a traditional penetration-test: the latter tries to find vulnerabilities within an already existing application while AppSec focuses upon preventing vulnerabilities from entering the application code in the first place.
Recently I had a couple of customers that needed some guidance about secure software development. I assume that this happens because I am a developer gone pen-tester so I’ve seen both side of the “problem”. Of course, suggestions differ between software stacks and the overall customer professionalism level, but there is a common starting ground that should be suitable for any professional software project. Without those, anything more advanced would be built upon shaky grounds.
During a recent presentation on HTTP Header Security I was asked for a “simple” flow chart with directions which headers can be used without too many problems. The result was this: What was the reasoning? Initially, basic headers that unify browser behavior are set. They control behavior that is already set when using modern browsers (e.g., Referrer-Policy) or unify non-standard behavior (e.g, X-Content-Type-Options: nosniff). The basic idea behind those headers is, that web developers need to make sure that their website works with those anyway (otherwise people using modern browsers might complain) so it makes sense to take care of those situations during development.
Given that I’ve spent more time in my flat (hello, COVID-19) I also spent more time looking at my book shelf.. and wasn’t too happy with it: in hindsight, some of the books I’ve read are way to pretentious and the books I remember as life-changing were mostly read on my kindle anyways. Speaking of Kindles, my first kindle (must be bought around 2008 in the United States) was stored between the books.
So I am back at teaching web application security. This time I wanted to setup a CTF challenge for my students. To not reinvent the wheel, or rather, to stand on the shoulders of giants I am reusing the OWASP Juice Shop vulnerable web app in its CTF mode. Normally I would teach at a (physical) lab which would make the setup easy: all students are situated in the same physical room, I can setup the game server on my laptop and distribute virtual machines containing the vulnerable web app over the local network.
After I’ve bought a new and fast 1TB SSD, it’s time to setup my aging Desktop again. Last time I went with Fedora Core, this time I will try to reduce some of the ubuntu-iness of a Ubuntu 20.10 Desktop for that. After preliminary tests Ubuntu seems to be more resource efficient than Fedora Silverblue and I should be able to remove most of Ubuntu’s problematic packages. Given that my Notebook still runs Fedora Core, I’m also keeping in touch with both the Ubuntu/Debian as well as with the Redhat/Fedora world through that.
Now that wireguard will be part of the upcoming Linux 5.6 Kernel it’s time to see how to best integrate it with my Raspberry Pi based LTE-Router/Access Point Setup. What is my scenario? Raspberry Pi 3 with a LTE hat, using a public IP address. This will be the VPN server (called edgewalker in this post) An Android Phone that should use the VPN for all communication when connected An Linux Laptop that should use the VPN only accessing network services that are exposed to the VPN Each device connected to the VPN should be able to connect to all other devices, e.
2019 was a year in which I expanded my comfort zone and forced myself to face some fears. I haven’t always been victorious, there’s enough to face next year. I see progress and hope; I do not feel trapped in my situation but rather see a comfy base from which I can explore further. I shed some possessions, mostly donated them or gave them away to friends. This calms my mind tremendously.
After 15 or so years I’m finally closing down my own company (it was a small one-person vehicle, in Austrian Einzelpersonenunternehmen or EPU). How so? I’ve been self-employed since I’ve started to study at university. Mostly I did software engineering for various research projects at AIT. There was a short side-project (a failed startup that I created with friends of mine), after that more web development with other friends of mine.
The last weeks I’ve tried to improve upon my Raspberry Pi based LTE-Router/Access Point. Normally I would heave tons of software on it, try it out and let it simmer on. I did that this time too: the ELK-Stack (too little memory) and HomeAssistant (too little SmartHome-devices in my flat) only had a short intermezzo on this hardware. What stuck? Before that a small note: originally I was using a IKEA USB charger; its spec should be sufficient but I kept getting “Undervoltage detected” error messages in dmesg/syslog.