Cookie Security

Cookies are small pieces of data that a server can send to your browser to store some configuration or personal data, such as a session identifier. The browser automatically sends them back with every later request to the same site. Their contents are usually very interesting to attackers, so it's important to know how to secure these cookies. Fortunately there is a lot you can do to improve cookie security. So… what do you need to know?
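As an added example (not code from the original post), the block below builds a Set-Cookie header with the hardening attributes a session cookie should carry and audits a raw header for the ones it lacks. The checklist it applies (Secure, HttpOnly, SameSite=Lax or Strict, and the rules for the __Host- prefix) is my assumed baseline, not something this page states; the sample headers are constructed.

```python
from http.cookies import SimpleCookie

# Added example (not from the original post). build_set_cookie() emits a
# Set-Cookie header with the hardening attributes a session cookie should
# carry; audit_set_cookie() reports which of them a raw header is missing.
# The attribute checklist (Secure, HttpOnly, SameSite=Lax/Strict, __Host-
# prefix rules) is an assumed baseline, not something this page states.


def build_set_cookie(name, value, *, max_age=3600, domain=None, path="/",
                     same_site="Lax", secure=True, http_only=True):
    """Return a Set-Cookie header value with the hardening attributes set."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["max-age"] = max_age
    if domain:
        morsel["domain"] = domain
    morsel["secure"] = secure        # only sent over HTTPS
    morsel["httponly"] = http_only   # not readable from document.cookie
    morsel["samesite"] = same_site   # Lax/Strict: not sent on cross-site requests
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return a list of findings for a raw Set-Cookie header value.

    An empty list means the cookie carries every attribute in the checklist."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from JavaScript, so XSS can steal it")
    same_site = attrs.get("samesite", "").lower()
    if same_site not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF)")
    if name.strip().startswith("__Host-") and (
            "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/"):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain attribute")
    return findings


# Constructed sample headers (not captured from a real server).
WEAK_HEADER = "session=abc123; Path=/"
HARDENED_HEADER = build_set_cookie("__Host-session", "abc123")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, header)
        for finding in audit_set_cookie(header) or ["ok"]:
            print("  -", finding)
```

Run the audit against the Set-Cookie headers your own application emits (a proxy or the browser's network tab shows them); a session cookie that produces any finding is worth a ticket.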


Getting Docker Security Right

I started working with Docker in my job at TOPdesk almost a year ago. Security is an interest of mine, so I did some research. You can't look at Docker without thinking about microservices, although they are separate topics. It is often said that microservices can greatly improve your security, but also that, done wrong, they can actually make it worse.
So, what do you need to do to improve (Docker) security rather than undermine it? For most security concerns there is already a good solution, although not all of them are widely adopted. Let's have a look at our concerns and how we take care of them.


Code Reviews

Recently, I’ve read several articles, and heard multiple discussions on the quality of code reviews. To order my thoughts on this topic, I decided to write down my own ideas. Perhaps it helps someone, or it might lead to even more discussions.

So, what is a good code review? Obviously it depends on the situation: how big the code change is, how important the feature is, how many people are going to read that particular piece of code in the future, whether there are deadlines, and so on. Let's focus on the situation where there's a reasonable amount of time available (no emergency fixes), for a feature change of average importance, in a medium-sized team. Note that when I talk about a 'code review', I usually don't just review the 'code', but also all the other parts my colleague has worked on. In my view the reviewer should, for example, also look at the design and documentation, and check whether the acceptance requirements for the story have been met.


Total Scheduling Engineering Culture

My team at Raet is a bit different than other teams. We use a different programming language, and we're on a different operating system. We do our own maintenance, deployments, releases and monitoring. This brings extra work, but also has many benefits. We rarely have issues and are able to roll out new releases and patches in no time. We are 'in control'. We are only a small step away from continuous delivery and have automated many parts of the process that other teams are still struggling with manually on a daily basis. I'm proud of what my team has accomplished so far, and I think in general people are happy with their work. We often get asked how we do this, so, inspired by the Spotify Engineering Culture videos (part 1 and part 2), I thought I'd try to write down my thoughts about the culture in our team.


Automated Vulnerability Scan with OWASP ZAP

A few months ago, I set myself the goal of automating our vulnerability scan and running it as part of our nightly builds. At that time I had just started looking at the different scanners out there, so I wasn't attached to a particular one yet. I ended up with OWASP ZAP. Why? Because it's free, it has an easy-to-use API and in general it's just a great scanner. Maybe it's not as complete as some of the expensive ones out there, but it is a very good start nonetheless. And because it is open source, there's plenty of help available online.
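As an added example (not code from the original post), here is the shape of a nightly build gate around the ZAP API: spider and active-scan the target through a running ZAP daemon, then fail the build when any alert at or above a chosen risk level is not on the triage list. It assumes the python-owasp-zap client (`pip install python-owasp-zap-v2.4`) and that `zap.core.alerts()` returns dicts with the keys used below; the sample alerts are constructed, not real scan output.

```python
import sys
import time

# Added example (not code from the original post): a build gate around the
# ZAP API. Scanning needs a running ZAP daemon and the python-owasp-zap
# client (pip install python-owasp-zap-v2.4); the pass/fail decision is
# pure Python so it can be tested without ZAP. The alert dict shape below
# (keys "alert", "risk", "confidence", "url", "param") is assumed to match
# what zap.core.alerts() returns; check it against your ZAP version.

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def alerts_at_or_above(alerts, threshold="High"):
    """Return the alerts whose risk is at least `threshold`."""
    floor = RISK_ORDER[threshold]
    return [a for a in alerts if RISK_ORDER.get(a.get("risk"), 0) >= floor]


def should_fail_build(alerts, threshold="High", ignore=()):
    """Return (fail, blocking_alerts).

    `ignore` lists alert names that have been triaged as accepted risks or
    false positives, so a known finding does not break every nightly."""
    blocking = [a for a in alerts_at_or_above(alerts, threshold)
                if a.get("alert") not in ignore]
    return bool(blocking), blocking


def run_nightly_scan(target, api_key, zap_proxy="http://127.0.0.1:8080"):
    """Spider and active-scan `target` through a running ZAP daemon; return its alerts."""
    from zapv2 import ZAPv2  # imported here so the gate logic above works without ZAP
    zap = ZAPv2(apikey=api_key, proxies={"http": zap_proxy, "https": zap_proxy})
    scan_id = zap.spider.scan(target)
    while int(zap.spider.status(scan_id)) < 100:   # status is a percentage
        time.sleep(2)
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)
    return zap.core.alerts(baseurl=target)


# Constructed sample alerts in the assumed shape, not output of a real scan.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "https://app.example/login", "param": "username"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "confidence": "Medium", "url": "https://app.example/", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",
     "confidence": "Medium", "url": "https://app.example/login", "param": "session"},
]

if __name__ == "__main__":
    # usage: python zap_gate.py https://app.example <zap-api-key>
    # without arguments it evaluates the constructed sample alerts
    if len(sys.argv) == 3:
        alerts = run_nightly_scan(sys.argv[1], sys.argv[2])
    else:
        alerts = SAMPLE_ALERTS
    fail, blocking = should_fail_build(alerts, threshold="High")
    for a in blocking:
        print(f"[{a['risk']}] {a['alert']} at {a['url']} (param={a['param']})")
    sys.exit(1 if fail else 0)
```

The threshold and the ignore list are the two knobs worth keeping in version control next to the build definition: start by failing only on High, and lower the bar once the Medium findings have been triaged, otherwise the nightly turns red on day one and gets ignored.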


White Chocolate Mousse

White chocolate mousse is one of those things for which you can wake almost anyone in the middle of the night. No, I'm not exaggerating. Wait until you try this recipe. A friend of mine hates white chocolate, but she almost begged me to make more of it. I consider this positive feedback.

Some advice up front: only make this recipe if you have at least 3 or 4 guests or friends to help you eat it, because this stuff contains quite a lot of calories. Eat at your own risk!


Clickjacking

When I first heard about clickjacking, I was amazed at how easy it is to use this type of attack and what damage it can do. Later I was amazed at how easy it is to secure your site against clickjacking. Now I’m just amazed at how many websites are still vulnerable. I’ve been thinking about it for some time and the only reason I can come up with is a lack of awareness, so here’s my contribution to making this world a little better (safer).
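As an added example (not code from the original post), the block below checks a response's headers for the two controls that stop a page from being framed, X-Frame-Options and the CSP frame-ancestors directive, and returns whether framing is blocked and why. The precedence rule (frame-ancestors wins over X-Frame-Options in browsers that support both) and the treatment of ALLOW-FROM and of the report-only CSP header are my reading of the specs, not something this page states; the sample responses are constructed.

```python
# Added example (not code from the original post): a checker for the two
# response headers that stop a page from being framed. It takes a dict of
# response headers and says whether framing is blocked and why. The
# precedence rule (a CSP frame-ancestors directive wins over X-Frame-Options
# in browsers that support both) and the other rules are my reading of the
# specs, not something this page states.


def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_protection(headers):
    """Return (protected, reason) for a response's headers.

    Only the enforcing CSP header counts: Content-Security-Policy-Report-Only
    reports violations but does not block framing."""
    h = {k.lower(): v for k, v in headers.items()}

    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = [s.lower() for s in csp["frame-ancestors"]]
        if "*" in sources:
            return False, "frame-ancestors * allows any site to frame the page"
        if sources == ["'none'"]:
            return True, "frame-ancestors 'none' blocks all framing"
        return True, "frame-ancestors restricts framing to: " + " ".join(sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo} (no frame-ancestors, browsers fall back to this)"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by current browsers; use frame-ancestors"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r} is ignored"
    return False, "no X-Frame-Options and no frame-ancestors: any site can frame the page"


def hardened_headers():
    """Headers for every HTML response that must never be framed.

    Both are sent: frame-ancestors for current browsers, X-Frame-Options for
    older ones that do not understand the CSP directive."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


# Constructed sample responses (not captured from real sites).
SAMPLE_RESPONSES = {
    "vulnerable": {"Content-Type": "text/html"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "legacy": {"X-Frame-Options": "SAMEORIGIN"},
    "hardened": hardened_headers(),
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        protected, reason = framing_protection(headers)
        print(f"{label:12} {'OK  ' if protected else 'VULN'} {reason}")
```

Point it at the headers of your own login and settings pages first; those are the pages where a hidden iframe under a decoy button does the most damage. If part of the site legitimately has to be embedded, list the embedding origins in frame-ancestors instead of dropping the protection altogether.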
