Hello from the Internet!
This is your guide to the various aspects of the lovely world of web development.
Every month we shall get together, and discuss an aspect of web development. We will unwrap the subject using questions sent by YOU the listener.
You can contact us via the twitter on @localhostfm or email your questions to show@localhost.fm
Mark Drew and Rob Dudley are stepping up to the challenge to answer these questions for you.
All content for Localhost Podcast is the property of Localhost Podcast and is served directly from their servers
with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Hello from the Internet!
This is your guide to the various aspects of the lovely world of web development.
Every month we shall get together, and discuss an aspect of web development. We will unwrap the subject using questions sent by YOU the listener.
You can contact us via the twitter on @localhostfm or email your questions to show@localhost.fm
Mark Drew and Rob Dudley are stepping up to the challenge to answer these questions for you.
Hello from the Internet
In this we count down the OWASP TOP 10 and explore the implications of each of the issues that we should be looking at in securing our applications.
Enjoy the show!
## Show Notes
- [OWASP](https://www.owasp.org/index.php/Main_Page)
- [OWASP TOP 10 for 2017](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf)
### 10. Logs
- Insufficient Logging and Monitoring - https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring
- Graylog - https://www.graylog.org/
- Logstash (ELK) - https://www.elastic.co/elk-stack
### 09. Components
- https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities
- Safety - Python - https://pyup.io/safety/
- Ruby - http://guides.rubygems.org/security/
- Node - Node Security - https://github.com/nodesecurity/nsp
### 08. Deserialization
- https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
### 07. XSS
- https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
### 06. Security Misconfiguration
- https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration
- How to harden a Linux server:
- https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
- https://medium.com/viithiisys/10-steps-to-secure-linux-server-for-production-environment-a135109a57c5
- https://www.cyberciti.biz/tips/linux-security.html
### 05. Broken Access Control
- https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
- Firesheep - https://codebutler.com/projects/firesheep/
### 04. XML External Entities
- https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)
- Billion Laughs Attack - https://en.wikipedia.org/wiki/Billion_laughs_attack
### 03. Sensitive Data Exposure
- https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
- PCI DSS - https://www.pcisecuritystandards.org/pci_security/
- GDPR - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Password Hashing - https://crackstation.net/hashing-security.htm
- Best practice for SSL + TLS
- https://www.ssllabs.com/ssltest/
- https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- Let’s Encrypt - https://letsencrypt.org/
- CipherList - Strong config for Apache / Nginx https://cipherli.st/
### 02. Broken Authentication
- https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
- Horse staple - https://xkcd.com/936/
- NIST - https://www.passwordping.com/surprising-new-password-guidelines-nist/
- Rainbow tables - http://project-rainbowcrack.com/table.htm
- Google 2FA
- Authy - https://authy.com/
- Duo - https://duo.com/
### 01. Injection
- https://www.owasp.org/index.php/Top_10-2017_A1-Injection
- Bobby Tables - https://xkcd.com/327/
- Misc
- Nessus - https://www.tenable.com/products/nessus/nessus-professional
- OpenVas - http://www.openvas.org/
- ZED Attack Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- zxcvbn: realistic password strength estimation - https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
- Be afraid, be very afraid - https://attack.mitre.org/wiki/Main_Page
Localhost Podcast
Hello from the Internet!
This is your guide to the various aspects of the lovely world of web development.
Every month we shall get together, and discuss an aspect of web development. We will unwrap the subject using questions sent by YOU the listener.
You can contact us via the twitter on @localhostfm or email your questions to show@localhost.fm
Mark Drew and Rob Dudley are stepping up to the challenge to answer these questions for you.
