Collaborate Disseminate
We’ve been developing a Flask app for a customer and a part of the agreement was that “customer admins” would be allowed to access Flask admin page to manage users, roles and business entities.
The admin functionality is ba… Continue reading Securing Flask admin pages
In 2017 and 2018 there were these infamous stories about malicious packages being uploaded to the PyPI (Python Package Index) which tried to do all sorts of things (collecting and sending data, reverse shells etc) during inst… Continue reading Is it possible to block non-PyPI requests during pip install?
Recently, eslint-scope and eslint-config-eslint packages were hacked in an interesting way – one of the maintainer’s account was compromised by an attacker and a new “patch” version with the malicious code was published to th… Continue reading Recent ESLint hack or how can we protect ourselves from installing malicious npm packages?
I’ve recently created a relatively simple smart Christmas tree which is a Raspberry PI Zero W powered LED strip.
In order to control it via IFTTT webhooks, I’ve started a lightweight flask server on the Raspberry Pi – on a s… Continue reading Port-forwarding to a web server on Raspberry Pi
I’ve recently created a relatively simple smart Christmas tree which is a Raspberry PI Zero W powered LED strip.
In order to control it via IFTTT webhooks, I’ve started a lightweight flask server on the Raspberry Pi – on a s… Continue reading Port-forwarding to a web server on Raspberry Pi
Currently, we don’t have a specific dedicated penetration or security tester/specialist in the team.
We’ve been scanned and audited by different companies specialized in internet security and we’ve been addressing the discov… Continue reading When does a company need to hire a dedicated security specialist?
Listening to the Secure code lessons from Have I Been Pwned made me really think about logging.
It appears that in the real world a lot of data breaches are discovered long after they happened which makes the investigation … Continue reading Should we keep logs forever to investigate past data breaches?
We have a set of internal Python/Django web applications that are pretty well tested functionality-wise, but from time to time we do discover vulnerabilities and, specifically, places where SQL and other types of injections m… Continue reading Continuous SQL injection testing
We were recently handed a security report containing the following:
Cookie(s) without HttpOnly flag set
vulnerability, which we apparently had in one of our internal applications.
The applied fix was as simple as setting Django’s CSRF_CO… Continue reading Does a CSRF cookie need to be HttpOnly?
From time to time when debugging SQL queries, we use online SQL prettifiers (e.g. this one) that reindent and properly format the queries to increase readability.
Can this potentially be a source of a schema or data security… Continue reading Is using online SQL prettifiers considered safe?