dev – Page 2 – WindowsTechs.com

Exploit – Code execution without assembly call instruction, int etc on ia_64

Posted on October 14, 2020 by dev

Found a bug in a function in a loop where I can go past a loop in assignment where value is read from past malloced memory
The function has no call, int or other assembly instructions afterwards.
Instruction I control is movzbl. I control … Continue reading Exploit – Code execution without assembly call instruction, int etc on ia_64→

Cookie secure flag with HSTS

Posted on September 18, 2020 by dev

We have a portal and we are trying to win a big corporate client.
Our pentest showed that we don’t have the secure flag on an authentication cookie.
We use HSTS with preload, however.
In latest Chrome, it looks good. In Firefox, the cookie… Continue reading Cookie secure flag with HSTS→

How to implement zero trust concept on a pod running in Kubernetes?

Posted on August 19, 2020 by dev

Was thinking to use Ambassador design pattern and filter each request through Nginx with Waf (mod_security or Naxsi) in reverse proxy and ACL, authentication and authorization to pod.
What are the best practices?
How to prevent "soft … Continue reading How to implement zero trust concept on a pod running in Kubernetes?→

Security Team and Security in a small-medium organization/startup [closed]

Posted on July 29, 2020 by dev

How should one structure and how should a Security Team work in an agile organization (100 devs).
Found this article:
https://kislayverma.com/organizations/independence-autonomy-and-too-many-small-teams/
Where I agree with it, for software… Continue reading Security Team and Security in a small-medium organization/startup [closed]→

Software update process (dependencies) in organization

Posted on July 23, 2020 by dev

Wondering how other organizations manage software update process.
We are a startup, were we try to define components owners, which should update them (security updates etc).
This does not to seem to work well. People leave, components are … Continue reading Software update process (dependencies) in organization→

Dom based Cross-Site Scripting (XSS) sources

Posted on May 4, 2020 by dev

Which are still relevant sources for Dom-based Cross-Site Scripting (XSS) in 2020?

Had a list of those:

document.URL, document.documentURI, document.location, location, location.href, location.search, location.hash, document.referer, win… Continue reading Dom based Cross-Site Scripting (XSS) sources→

What are security best practices and compliance areas in Agile Software Development process

Posted on February 28, 2020 by dev

How do you ensure on a high level that developed software is secure and compliant.

We want to introduce a service checklist that will list each item, including “Security and Compliance” section.

It will have things/requirements like:

… Continue reading What are security best practices and compliance areas in Agile Software Development process→

InfoSec certifications for global startup

Posted on February 24, 2020 by dev

I am working in a global startup. Recently we have undergone several InfoSec processes with potential large corporate customers.

All of them asked for:

SOC
ISO 27k

Which makes sense for large organizations.

What certificates are wo… Continue reading InfoSec certifications for global startup→

memcpy() in device/program with jemalloc allocator does not crash

Posted on February 16, 2020 by dev

Managed to get signed length value to memcpy()

02-16 01:44:49.096 6423 6471 W bt_hci_packet_fragmenter: reassemble_and_dispatch reassemble_and_dispatch
02-16 01:44:49.096 6423 6471 W bt_hci_packet_fragmenter: reassemble_and_dispatch p… Continue reading memcpy() in device/program with jemalloc allocator does not crash→