Prevent DOM-XSS with Trusted Types - a smarter DevSecOps approach

It is incredibly easy for a frontend developer to accidentally introduce a DOM-based cross-site scripting (DOM-XSS) vulnerability, and yet these are hard for security teams to detect. Vulnerability scanners are slow, and suffer from false positives. Can smarter collaboration between development, operations and security teams provide a way to eliminate these problems altogether? Google claims that Trusted Types has all but eliminated DOM-XSS exploits on the sites where it has been deployed. Let’s find out how this can work! ...

January 1, 2024 · Tim Retout

Exploring StackRox

At the end of March, the source code to StackRox was released, following the 2021 acquisition by Red Hat. StackRox is a Kubernetes security tool which is now badged as Red Hat Advanced Cluster Security (RHACS), offering features such as vulnerability management, validating cluster configurations against CIS benchmarks, and some runtime behaviour analysis. In fact, it’s such a diverse range of features that I have trouble getting my head round it from the product page or even the documentation. ...

April 26, 2022 · Tim Retout

Reflections on OSSF London 2021

On Tuesday I attended the Open Source Strategy Forum in London, which is a meeting of the Fintech Open Source Foundation (FinOS), part of the Linux Foundation. (There is a New York version coming up in November for those across the pond.) The morning keynotes included Gabriele Columbro introducing the day, then Russell Green highlighting the progress FinOS has made; Liz Rice of CNCF fame with an inspiring talk about contributing back to upstream; an interesting conversation between Nick Cook and Jane Gavronsky about innovations in financial regulation, and finally a presentation from Andrew Agerbak of BCG about how open source can help banks move to public cloud. (I disagreed with some of Andrew’s presentation; I would weight the regulatory requirements more strongly, but agree with the point that open source can help with cloud portability.) ...

October 7, 2021 · Tim Retout

Maglev Load Balancers

Maglev is the codename of Google’s Layer 4 network load balancer, which is referred to in GCP as External TCP/UDP Network Load Balancing. I read the 2016 Maglev paper to better understand various implementation details of Maglev with an emphasis on security (in particular as it affects availability). Maglev uses a scale-out approach, implemented as clusters of commodity machines with N+1 redundancy, which tolerates failure better than traditional hardware load balancers deployed in pairs (only 1+1 redundancy). The Maglev machines run active-active, with the upstream router spreading traffic across them via Equal Cost Multipath (ECMP) routing. This permits greater hardware utilization than an active-passive approach. ...

September 28, 2021 · Tim Retout

Google Workspace Super Admins

I recently had cause to remind myself of Google Workspace administrator account best practices. Briefly: Set up separate admin accounts, e.g. admin-alice@example.com alongside alice@example.com. Keep accounts individually identifiable, and ideally ensure there are multiple Super Admins in your organization. Avoid using admin-alice@example.com for day-to-day use. One of these Super Admin accounts must be set as the primary account contact, but (because of the previous point) you’re unlikely to be checking its email very often, so set up a “Secondary email” for the organization to receive alerts and updates. ...

September 19, 2021 · Tim Retout

OpenVPN and easy-rsa

One of those enlightenment moments that I should have had sooner: every time I have seen someone set up an OpenVPN VPN, they have generated all the certificates on the VPN server as root using easy-rsa. This is kind of strange, because you end up with an incredibly sensitive directory on the VPN server containing every private key for every client. Another angle is whether you trust the random number generators used to create all these keys - does your hosting provider use a weak RNG? ...

January 2, 2014 · Tim Retout
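
The alternative to generating every client key on the VPN server, as an added example that is not part of the OpenVPN post above (and not easy-rsa’s own scripts): each client generates its key pair locally with its own RNG and hands the CA only a certificate signing request, so no client private key ever exists on the server or the CA. The directory layout, common names and validity periods are assumptions for the demonstration; the CA directory would normally live on an offline machine rather than the VPN server.

```bash
#!/bin/sh
# Added example: OpenVPN client certificates via CSR, with private keys kept
# where they are generated. Only openssl is used, no easy-rsa. Paths, CNs and
# validity periods are assumptions for the demo, not from the original post.
set -eu

# CA side: self-signed CA key and certificate in a directory of their own.
# Run this on an offline or at least separate machine, not the VPN server.
make_ca() {
  ca_dir=$1
  mkdir -p "$ca_dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" \
    -subj "/CN=Example OpenVPN CA" 2>/dev/null
  chmod 600 "$ca_dir/ca.key"
}

# Client side: the key and CSR are generated locally, using the client's own
# RNG. Only the .csr (public material) is copied to the CA; the .key stays here.
make_client_request() {
  client_dir=$1; name=$2
  mkdir -p "$client_dir"
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$client_dir/$name.key" -out "$client_dir/$name.csr" \
    -subj "/CN=$name" 2>/dev/null
  chmod 600 "$client_dir/$name.key"
}

# CA side: sign the CSR as a TLS *client* certificate. The clientAuth EKU is
# what OpenVPN's `remote-cert-tls client` checks, and it stops a client cert
# from being reused to impersonate the server.
sign_client_request() {
  ca_dir=$1; csr=$2; out_crt=$3
  ext_file=$(mktemp)
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$ext_file"
  openssl x509 -req -in "$csr" -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$ext_file" -out "$out_crt" 2>/dev/null
  rm -f "$ext_file"
}

# Does the issued certificate chain to this CA?
verify_client_cert() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Does the certificate's public key match the client's private key, i.e. did
# the CA sign the request this client actually produced?
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Was the certificate restricted to client authentication?
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Walk through the flow once on a constructed layout and print the work dir.
demo() {
  work=$(mktemp -d)
  make_ca "$work/ca"
  make_client_request "$work/client-alice" alice
  sign_client_request "$work/ca" "$work/client-alice/alice.csr" "$work/client-alice/alice.crt"
  verify_client_cert "$work/ca" "$work/client-alice/alice.crt"
  cert_matches_key "$work/client-alice/alice.crt" "$work/client-alice/alice.key"
  has_client_auth_eku "$work/client-alice/alice.crt"
  # The CA directory ends up holding no client private key at all.
  [ ! -e "$work/ca/alice.key" ]
  echo "$work"
}

demo
```

In practice the CSR travels from the client to the CA over any channel (it is public), the signed certificate travels back the same way, and the VPN server only ever needs `ca.crt` plus its own server key and certificate. Revocation is then a matter of publishing a CRL from the CA, without the server ever having held the revoked key.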

Apache Request-Range headers

Note to self: when disabling Range headers in Apache to fix CVE-2011-3192, be sure to read the updated advisory and also disable Request-Range headers. (Presumably not "Range-Request" as in the summary of that link?) Or just apply the handy Debian update, of course.

August 31, 2011 · Tim Retout