Monday, November 27, 2017

Security Boundaries

Knowing the security boundaries of our applications help building safer code. Read to understand.

In order to properly implement secure applications, developers should understand the concept of security boundaries (or trust boundaries) in the context of software development/architecture.

So let's start with a solid definition. According to IEEE, security boundaries are:
defined by a set of systems that are under a single administrative control. These boundaries occur at various levels, and vulnerabilities can become apparent as data “crosses” each one.
A good guideline to understand what the security boundaries of your app are is by:
  • examining their applications from both functional and technical perspectives;
  • understanding and evaluating the boundaries in and between their applications;
  • taking into account all the interfaces and integrations to/from their systems;
  • knowing that vulnerabilities can be propagated from one boundary to the other, possibly affecting not only your application but also leaking to your users;

Trust Model

how an organization determines who to trust with its assets or pieces of its assets.
As developers, we could use the same paradigm by considering:
  • who should have access to my system;
  • what can they access;
  • which internal components in my application I trust, which I don't;
  • which external components in my application I trust, which I don't;
With all that information you should be able to draw lines (security boundaries) around your architecture, helping you identify what are the trust levels between those boundaries.

Performing security verification

Once we know which are the boundaries of our apps, we could reduce the development effort to check security only in the application boundaries. For example: if my web app talks exclusively (is coupled) to my backend and vice versa, it's fair to say that I only need to validate my data once.
But don't treat that as a general rule. Actually, I would treat that as an exception as applications today are getting more and more complex.

Security checks in the cloud

What if my web app talks exclusively to my backend via a message queue or a storage account in the cloud? Is it safe to say that I should trust everything that reaches the backend? Of course not. After all, being the transport layer publicly available, it could be compromised. Being compromised, messages reaching the backend might also be compromised, resulting in breaches in my system. I should validate them whenever possible.

Every new element we add to our architecture is another element in the security boundary equation: should I trust everything that comes from it or not?

Security checks with Different Networks

Same for applications in different networks. Just by adding a public network between them, means that the information we're getting (if not encrypted) might have been tempered with. Should we trust it? The answer to that is related to how trustable our network is. Being a private vnet in the cloud, I would be ok. Public, not so much.

Local Security checks

In the same process

For two assembly in the same process for example, I don't think no security checks needs to be done. However, if two applications share the same process and a component in one calls a component in the other, a security check should be done because we crossed an application boundary.

In with different Processes

Likewise, if two applications reside in different server processes and a component in the first application calls a component in the second application, a security check is done.

Final Thoughts

I briefly introduced the concept of security (or trust) boundaries in this post. I hope you use that information to, in the future, evaluate how your company is treating the data you are injecting from your users and 3rd-party APIs.

See Also

Monday, November 20, 2017

How and why use stronger passwords

The number of online attacks increases and weak passwords is one of the main reasons. Learn how to create stronger passwords and be safer online.
Passwords are probably the most sensible aspect of our lives today. With more and more leaks happening every day, it's strongly recommended to start thinking about stronger passwords for our personal online accounts and our applications. So how can we leverage existing tools in a non-complex way to enhance our online protection?

Let's take a look.

What you should do

Let's start with simple basic tips for everyone. For starters, this is what we should be doing:
  • Using passwords with at least 8 characters;
  • Using complex passwords that include numbers, symbols, and punctuation;
  • Using a variety of passwords for different accounts or roles;
  • Using a secure password tool;

What you should not do

It's also important to remember what we should not do. For example, below I list somethings we should not be doing:
  • using dictionary words as passwords, e.g. apple, cat, Raptors, etc;
  • use sequences of characters, e.g. 3333, abcdabcd;
  • use personal information in passwords, e.g. your birthdate;
  • reutilize passwords;
  • avoid setting the password as the associated service, e.g. Gm@il or Dropbox123;
  • combinations of those above;
Other interesting tips to increase our protection are:
  • Avoid storing passwords on devices that you take out of home;
  • Use a password manager to securely keep track of your passwords (see the section below);
  • Setup MFA/2FA when available (see the section below);
  • Use a secure password generator to generate stronger passwords (see the section below);
  • Never remember a password!

Use Password Managers

While the  above tips are good to start and have in mind, let's now see concrete examples in how we can increase the complexity of our passwords and how we can protect them from external access. Utilizing stronger password demands a better memory. In case you don't have one as me, I  strongly recommend the utilization of a password manager like 1password, KeePass and it's forks KeePassX and KeePassXC. That's why I never remember my passwords! =)

And because I need to access my passwords on Linux and Windows machines, I'm currently using KeePassXC. I also advocate for files on disk instead of services like LastPass because you cannot trust anyone else nowadays =). How safe is LastPass data for example? Well, they were hacked before...

Using KeePass

Since KeePass is one of the most familiar out there, let's provide a very quick introduction on it. The rest, I'm pretty sure you can figure out. Also, if you're using one of its forks, should be the same, just varying the visual look and feel.

Step 1 - Create your password database

The first step is to create your password database. Launch KeePass, 

Step 2 - Start adding your passwords


See? KeePass not only manages our passwords but also helps us generating a very complex passwords for us.

Step 3 - Keep using it!

Yes, keep using it! Add all your accounts to this file and keep it safe on your disk, doing periodical backups. And sice KeePass is remembering your passwords for you, you have no excuses for sharing passwords or using simple passwords. Plus, backing up this file online is safer as the file is encrypted and assuming you didn't choose a very simple password for the file, it should take a long time for someone to crack it.

Which takes us to the next tip...

Recycle Passwords

Another relevant tip is recycling passwords. You may have already figured out that it's a technical term for not reusing the same passwords. But why? Yes, you should recycle your passwords every 3 months or so. It helps against data leaks. Or, if your service has something like a password expiration policy, even better:
Source: Outlook.com

How to create stronger Passwords

Most password managers have a very useful tool to generate passwords. After getting familiar with KeePass, I suggest getting acquainted with the Password generation tool.  To access it, do:
Tools -> Password Generator:

As we can there there are lots of intresting options here:
  • You can set the length of the generated passwords;
  • You can set/unset multiple options (I would recommend checking at least 4 of them);
  • You can provide patterns, certain characters;
  • You can strengthen entropy by clicking on the "Advanced" button
And, by clicking on the "Generate" button, KeePass will generate a password for you. It will even tell you how strong your password is (92 bits in this case). Remember to keep an eye on the bar. It will tip you how strong your password is. In theory, we should have the tool generate passwords for us as their algorithm handles better the complexity required.

Enable multiple-factor authentication

Multiple-Factor Authentication (MFA) and it's simpler form Two-Factor Authentication (2FA) is a way of logging in that requires more then a password. Example: a text message or a verification e-mail with a random code on a different email account are sent and the user will only be allowed access if she enters the right code..

MFA adds a very strong security component to our online accounts since it reduces dramatically the chances an unauthorized user can access our accounts. Many recent hacks such as the celebrity hack could have been avoided if MFA was enabled. But Apple have learned from the episode and now advise users to protect themselves using 2FA:
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

Example 1 - Enabling MFA for an Apple ID

The majority of the most used websites currently offer MFA. As an example, here's what you need to do to enable MFA on you Apple ID.

Source: https://support.apple.com/en-ca/HT204915

Example 2 - Enabling MFA on GitHub

In GitHub, go to your profile -> security, and click:

Then you choose one of the options below to get your code:

How Secure is your Password?

Speaking of strong passwords, how secure is a  92 bits password compared to my own password? According to howsecureismypassword.net:
  • your simple password like "Apple123" is broken instantly;
  • a complex password as that one generated above would be broken in 52 quadrillion years;

Just access that type and enter your password to get a quick feedback on how long it would take for someone to crack your passwords:
Source: https://howsecureismypassword.net/
Spot the difference? Few hours x 52 quarillion years. But wait! There are techniques to speed up this process but we will not cover them now. The objective of that was to illustrate the importance of creating and using stronger passwords.

Conclusion

On this post I presented many suggestions on how to create strong passwords, store, transport and additional protection layers such as MFA. Please, start use them all and make your information safer. As a final note, consider using stronger passwords and enabling MFA on all your accounts.

See Also

Tuesday, November 14, 2017

Why use Firefox

Understand why Firefox is still the best browser for those looking to keep their privacy online.
If you have been following this blog, you may know that I've been discussing the importance of security and privacy. If not, please read how we are being tracked without consent everywhere: by search engines, browsers, mobile apps, social networks, TVs, games, devices, etc. Turns out we're living in difficult times for those seeking privacy

My Favorite Firefox Features

Apart from its privacy-first commitment, let me list my favorites of  Firefox.

Performance

This version of Firefox is 2x-faster than a year ago, significantly faster than Chrome. Do not believe? Check the video below for a quick comparison between the performances of Firefox and Chrome.

Lightweight

Firefox made significant improvements to its new engine and now uses 30% less memory than Chrome:
Source: https://www.mozilla.org/en-US/firefox/quantum/

Development Tools

Every developer deserves an awesome development environment. Firefox Quantum ships with a completely revamped DevTools with multiple improvements included. Check more on this blog post to find out more.
Source

Privacy Considerations

As previously said, Firefox is the only browser committed to privacy. Even Brave who marketed themselves as the best privacy-oriented browser were caught replacing ads with their own and probably also tracking you.

Beautiful UI

And, my last personal favorite: the new Photon UI. Simply gorgeous:
Source: https://hacks.mozilla.org/2017/09/firefox-quantum-developer-edition-fastest-firefox-ever/

Mobile

I've used many browsers on different mobile devices and honestly, never have been completely satisfied. Lately, I've been using Firefox Focus and if you want speed, privacy in a lightweight browser, you got it there:
Source: https://www.mozilla.org/en-US/firefox/focus/

Contributions to the Open Standard

Apart from Firefox, Mozilla has been doing very important advances in open science in:
  • Gaming: WebAssembly & WebGL;
  • MDN: extensive documentation on web technologies including HTML, CSS, and APIs for both Web sites and progressive web apps.
  • WebVR: an incubator for virtual reality on the web;
  • Servo: an amazing parallel browser engine 
  • Rust: an amazing open-source programming language that focuses on speed, memory safety and parallelism.
  • Open Codecs: if you use Linux, you know what I mean...
  • Speech and Machine Learning

Conclusion

If you agree with me and thing that it's time for a more open web, more privacy and security, join me and millions of other users and start using Firefox again! So what are you waiting for? Go get your Firefox right now!

See Also

Tuesday, November 7, 2017

How can you become a FOSS / Open-Source Contributor

Considering joining the open-source movement but don't know where to start? Learn some tips on this post.
Photo by Mohamed Nohassi on Unsplash

FOSS is awesome! Millions of people around the world dedicate their time working and free/open-source software benefiting the world around us. Most likely the tools use love and use are probably backed by open-source software one way or another. For example, the internet you're using now runs on Linux. SmartTVs, drones, cars, super computers, your android phone and yes, even your iOS device is also based on BSD, a FOSS project. 

There are hundreds thousands of projects you probably use that available for free. Projects like like Mozilla Firefox, OpenOffice, git, Bootstrap, React, FontAwesome, OpenSSH, internet servers, just to name a few. On this post let's learn ways you too can help free/open-source communities around the world.

Tips for programmers

If you know how to program and would like to contribute that way, here's a couple of ways you could help the community:
  • Writing code;
  • Submitting pull requests;
  • Reviewing code;
Once you understand the project requirements, philosophy, workflow and communication channel, get in touch with the project maintainer(s) to present yourself. The easiest way for those that know how to program is to go directly to the project page. A nice start page would be Git Explore.

Tips for non-programmers

Do not have programming skills? Don't give up! There are lots of other ways you can help. Check the list below.

Writing

Like writing? There's definitely gaps in documentation on free/open-source software. Consider supporting your favourite project on:
  • Documentation;
  • Tutorials;
  • Translations;

Designing

You're a designer? There are lots of opportunities to contribute with your artistic skills on free/open-source software. For example:
  • Logos;
  • UI mockups;
  • Event banners;
  • Fonts;
  • User Experience
  • TShirts;

Participating / Organizing Events

Social events? You can always participate in:
  • Meetups;
  • Install fests;
  • Volunteering in bigger events

Using the software

Know well some specific software? Why not help people:
  • installing free software;
  • on Q/A sites around the internet
  • on Slack/IRC/Discuss channels;
  • helping someone else installing/troubleshooting someone else's computer;

Helping with Infrastructure

Know systems and infrastructure? What about:
  • supporting servers;
  • donating servers;
  • maintaining the build systems;
  • packaging;

Donating

None of the previous? What about donating to organizations you like / admire / support other FOSS projects like:

Supporting other Users

You can always support other users by answering their questions on StackOverflowAskFedora or AskUbuntu for example.

Divulging

On your school, university or company? What about educating people on how to use free/open-source software?

Writing posts

What about blog posts? Even those as simple as as this one help people around the world! 😊

References

Conclusion

This post was just to present ideas on how to start helping open source projects. Most people think that contributing to open source is just about code while it is not. There's tons of ways we can start helping others out there so why not?

See Also

About the Author

Bruno Hildenbrand