“We take your Security Seriously” – part 3

Posted by Martijn van Lambalgen on October 29, 2019

At first, the title of this blog sounds like an excuse. It’s that sentence that almost every company uses ‘after’ they got hacked. (Don’t worry, we didn’t!). According to me it’s a bad excuse if you present it after everything has fallen apart and only then start working on it. You need to work on it every day.

In this series of 3 blog posts we’d like to share a bit of the Serious work we’re doing at TOPdesk to Secure our customers’ data. We’re doing this not just to keep the data safe, but also because Security is an amazingly interesting and fun topic to work on.

In part 1 and part 2 we talked about making all our colleagues aware of the risks, and how we help Developers write Secure code. In this part we’d like to tell you how we’re continuously monitoring our software for suspicious behavior and how we can respond if something needs our attention.

Read more

“We take your Security Seriously” – part 2

Posted by Martijn van Lambalgen on October 14, 2019

At first, the title of this blog sounds like an excuse. It’s that sentence that almost every company uses ‘after’ they got hacked. (Don’t worry, we didn’t!). According to me it’s a bad excuse if you present it after everything has fallen apart and only then start working on it. You need to work on it every day.

In this series of 3 blog posts we’d like to share a bit of the Serious work we’re doing at TOPdesk to Secure our customers’ data. We’re doing this not just to keep the data safe, but also because Security is an amazingly interesting and fun topic to work on.

In part 1 we talked about making all our colleagues aware of the risks. In this part we’d like to tell you how we’re helping our fellow Developers to actually build Secure software.

Read more

“We take your Security Seriously” – part 1

Posted by Martijn van Lambalgen on October 1, 2019

At first, the title of this blog sounds like an excuse. It’s that sentence that almost every company uses ‘after’ they got hacked. (Don’t worry, we didn’t!). According to me it’s a bad excuse if you present it after everything has fallen apart and only then start working on Security. It’s something you need to work on every day. And once you think you’re doing fine, you probably still need to speed up, because attackers continuously improve their skills too.

Although we have no intention of getting hacked anytime soon, we’d like to share with you some of the Serious things we’re doing to take care of your Security. Today the first of three blog posts, in which we’ll talk about awareness and training.

Read more

What all Developers Need to Know about: Threat Modeling

Posted by Martijn van Lambalgen on December 11, 2018

— This post is part of a series of blog posts about all kinds of Security topics for Developers —

Threat modeling is a process which far too few developers know about. It is a process that does what the name suggests: It helps you to model all threats to your application. Basically you make a list of threats, but in a structured way, such that you can assess the risks, and decide what to do about them.

Read more

What all Developers need to know about: Data Security vs. Data Privacy

Posted by Martijn van Lambalgen on November 5, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

Recently I’ve been doing a lot of work for Data Privacy at TOPdesk. Since May 2018 the GDPR is in effect, so our developers need to be aware of the consequences. Since I’m mostly a security guy, I was wondering about the differences and similarities between Data Security and Data Privacy. Do they have the same goal? Can you use the same approach? Or is there a trade-off?

Read more

GDPR – What do Developers need to Think about?

Posted by Martijn van Lambalgen on September 20, 2018

GDPR

Since May 25th 2018 the European privacy law GDPR is effective. Although everybody knows this is all about privacy and respecting the customer’s data, it may not always be clear for you as a developer what is expected of you. Basically there are 6 principles in the GDPR that we need to follow. I’ll try to shed some light on the principles with practical examples to make you understand better what to think of during your daily work.

Read more

What all Developers need to know about: Session management

Posted by Martijn van Lambalgen on September 3, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

The HTTP protocol is stateless, meaning that the server is not required to store state information for a conversation. This simplifies the protocol a lot, but there are often situations where keeping state is desired. For example, you don’t want users to send their login credentials with each request. To prevent having to reauthenticate all the time, sessions were invented. Sessions are great because they allow the user to authenticate once, and then stop thinking about it. However, hackers also find them great, because if sessions leak, the hacker doesn’t need to authenticate either to use your account. So, how do we do proper session management and prevent session data from falling into the wrong hands?

Read more

What all Developers need to know about: Security Headers

Posted by Martijn van Lambalgen on August 1, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

Adding security headers is usually a quick win when improving the security of your web application, but nowadays there’s so many to choose from. Or shouldn’t you choose at all? Why not add all of them? How does this work? We tried to make an overview of which headers improve your security, and what they actually try to achieve for you.

Let’s start at the beginning. The HTTP protocol tells you to specify the HTTP protocol version, add a bunch of headers and optionally include a body for your request/response. The response headers can be thought of as meta data to the response, or as additional instructions for the browser. E.g. it tells the browser which content type the reponse page has, what server handled the request, or how long the requested resource can be cached. Below is an example of an HTTP response. The relevant security headers are marked in red.

Read more

What all Developers need to know about TLS 1.0

Posted by Martijn van Lambalgen on June 4, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

TLS stands for Transport Layer Security and it is a cryptographic protocol to secure communication over a network. This is what is used when you type ‘https’ instead of ‘http’ in your browser to communicate with a server, but it is also used to secure other end-to-end communications like email, voice-over-IP or DNS. TLS is the successor of SSL (Secure Sockets Layer). Many people still use the word SSL when they actually mean a TLS connection. SSL is old and deprecated. Just like SSL, TLS 1.0 has been found to be insecure. This is why TOPdesk is slowly going to drop support for this protocol version in favor of version 1.2 (and soon also 1.3).  Here we’ll discuss what you need to know of TLS 1.0.

Read more

What all Developers need to know about: Reverse Tabnabbing

Posted by Martijn van Lambalgen on May 2, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

It’s been a while ago when I first heard about reverse tabnabbing. Initially I didn’t think much of it, because exploits are not always straightforward. At TOPdesk we fixed any potential issues some time ago, but recently it’s getting more attention. I always applaud it when security topics get more attention, and therefore I’d like to explain here how we approach this at TOPdesk.

“Reverse tabnabbing” you say? What are you talking about? Never heard of this thing. Okay, so apparently it hasn’t gotten enough attention yet. Reverse tabnabbing can easily lead to some nasty phishing attacks. I originally read this article by Mathias Bynens on rel=noopener. It explains (and demonstrates) that if a site has a link to an external domain, and when you click the link, the site on the other domain gets full control over the parent’s  window object.

Read more

What all Developers need to know about: Password guidelines

Posted by Martijn van Lambalgen on April 4, 2018

— This post is part of a series of monthly blog posts about all kinds of Security topics for Developers —

It’s time for our monthly security blog again.  Almost a year ago NIST published a new version of their password and digital identity recommendations. What are those recommendations, and why have they changed?

The new recommendations put an end to many of the crappy guidelines that we all hated, like requiring all kinds of special characters in your password, or having to change the password every x weeks. Slowly, people start to understand that these were not very good guidelines as they weren’t very well aligned with human behaviour.

Are you an ambulance driver, and need a password? Try ‘ambulance’. If the system also requires numbers, what about ‘ambulance1’? Special characters? Good chance that you will select ‘ambulance1!’. And next month, when the password needs to be changed, it will be ‘ambulance2!’, and so on. That’s what happens when you try to annoy people with these requirements. It gets ‘less’ secure, instead of ‘more’.

Read more

What all Developers need to know about: Cookie Security

Posted by Martijn van Lambalgen on February 13, 2018

— This post is part of a series of blog posts about all kinds of Security topics for Developers —

Cookies are small packets of data which a server can send to your browser to store some configuration or personal data. The browser automatically sends them along with all requests to that same server. The contents are usually very interesting to hackers, so it’s important to know how to secure these cookies. Fortunately there are a lot of things you can do to improve cookie security. So… what do you need to know?

Read more

What all Developers need to know about: Clickjacking

Posted by Martijn van Lambalgen on January 17, 2018

— This post is part of a series of blog post about all kinds of Security topics for Developers —

Clickjacking is still one of those amazingly simple attacks that are also easy to prevent. That is, if you know what clickjacking is, because considering the amount of websites that are vulnerable, not many developers know about this.

In a clickjacking attack, an attacker attempts to ‘hijack’ clicks by making the user think he is clicking something else. The basic idea here is that the attacker loads the thing he wants you to click on in an invisible iframe and then shows you something else. For example, you may see a button ‘Click here to get a Free iPad’, but when trying to click it the button, the click-event goes to a ‘Transfer $1000,- from my creditcard’ button in the invisible iframe. Clickjacking may cause all kinds of harm to the user. E.g. the hacker may get access to your webcam, steal money, send emails on your behalf, or worse… It is possible to hijack basically any type of event in the browser (like mouse events or key strokes) if the website that executes that action is not properly secured.

Read more

Rolling updates in Kubernetes

Posted by Martijn van Lambalgen on January 8, 2018

So, you want to do rolling updates of your services in Kubernetes to achieve zero-downtime? That’s what we wanted to reach too, and what we’re doing now (mostly). Our journey involved quite a bit of research, filling of gaps in our lacking knowledge, learning from a multitude of mistakes, and a fair bit of trial and error. To make your journey more efficient, here is what we learned.

Read more

Getting Docker Security Right

Posted by Martijn van Lambalgen on July 21, 2017

I started working with Docker at TOPdesk almost a year ago. Security is an interest of mine, so I did some research. You can’t look at Docker without thinking about Microservices, although they are separate topics. It is often said that Microservices can greatly improve your security. But also, that if you do it wrong, security can actually get worse.
So, what do you need to do to improve (Docker) security, rather than get rid of it? For most security concerns there is already a good solution, although not all of them are widely adopted. Let’s have a look at our concerns and how we take care of them.

Read more

Code Reviews Done Right

Posted by Martijn van Lambalgen on January 20, 2017

(This story originally appeared on https://martijnvanlambalgen.wordpress.com/2016/12/27/code-reviews/)

Recently, I’ve read several articles, and heard multiple discussions on the quality of code reviews. To order my thoughts on this topic, I decided to write down my own ideas. Perhaps it helps someone, or it might lead to even more discussions.

So, what is a good code review? Obviously it depends on the situation. How big is the code change, how important is the feature, how many people are going to read that particular piece of code in the future, are there deadlines, etc. Let’s focus on the situation where there’s a reasonable amount of time available (no emergency fixes), for a feature change that has average importance, in a medium-sized team. Note that when I talk about a ‘code review’, usually I don’t just do a review of the ‘code’, but also of all the other parts my colleague has worked on. According to me the reviewer should for example also look at design and documentation, and check whether the acceptance requirements for the story have been met.

Read more