Web Security Training

Navigating the web security landscape

Navigating the web security landscape


The websec digest #3

The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. Just like the previous edition, the massive DDoS attacks make it to the headline of this digest.

Since we last covered the DDoS attacks caused by ‘internet-of-things’ botnets, the Internet has seen large and small attacks against a variety of targets. Undoubtedly, the attack against Dyn was most noticeable, as it took major sites like Github, Twitter and Reddit offline.

A few people started digging into the Mirai source code, and have written about their interesting and even weird discoveries. And if you’re interested to follow what the botnet operators are up to, you can follow a twitter bot that monitors attacks seen in the wild.

The list of data breaches for 2016 has gotten a bit longer. The Austrialian Red Cross Blood Service has been breached, leaking the personal data of half a million donors. If you have ever donated blood before, you know that you have to provide a lot of personal information, well beyond your name and home address. The sad part about this story is that the data was allegedly accessed through a web server that allowed file indexing.

This October, the web has hit a milestone. Mozilla Firefox has reported that more than 50% of the pages that their users have visited, were served over HTTPS. This is huge, and hopefully means that the push towards HTTPS will stay strong until most of the traffic on the web is encrypted.

In related news, one of the engineers of Google Chrome has announced that in October 2017, Chrome will require the use of Certificate Transparency for all public SSL certificates. Certificate Transparency requires CAs to register all issued certificates in a public log, and allows administrators to easily detect mis-issued certificates.

To conclude, I wanted to share a bit of positive news that’s a bit farther out of the general scope of this digest. A security audit of the VeraCrypt encryption platform (forked from the abandoned TrueCrypt) has uncovered 26 vulnerabilities, of which 8 critical ones. Most of these have been patched in the latest version, or a workaround is available. The security audit was sponsored by the Open Source Technology Improvement Fund, and is a great illustration of how you can build better and more secure software.

Upcoming Events

There are two upcoming events for the month of November:

  • I’m talking about AngularJS security at Devoxx Belgium. Let me know if you’ll be there and want to meet.
  • On November 24th, I’ll be giving a one-day training on A+ grade TLS for the OWASP BeNeLux Day 2016

As usual, you can find the full list of events on my speaking page.

Finally, if you’re interested in building better and more secure applications, you may want to start by coming to the 2-day Web Security Essentials course in December!

Comments & Discussion