Greeting from Felix
Shift Security Left #12
Working in security is both difficult and fascinating. As a developer, you can look at it from many angles and keep uncovering new challenges and clever solutions. The good news is that you are not alone: many security engineers and researchers are working hard to support you. Let's get going!
Real world
Notorious Russian spies piggybacked on other hackers’ USB infections
The USB attack vector has never gone away. Fifteen years ago, the Russian cyberespionage group Turla gained broad access to US Department of Defense networks through infected USB drives plugged in by Pentagon employees. Andy Greenberg's story shows how Turla now piggybacks on other hackers' USB infections to deliver its own backdoor tools to targets in Ukraine.
Vulnerabilities
The misadventures of an SPF record
Do you control your company's email supply chain (including the Sender Policy Framework record and the IPs it authorises)? Sebastian Salla explains why that control is essential for protecting your company, customers, vendors, partners, and even the public from phishing. He scanned the three million most-visited domains to gather statistics on the state of SPF deployment. Here are the results.
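Before reading the statistics, it is worth checking your own record. The Python below is an added example (not Sebastian Salla's scanner or code) that applies the checks a practitioner would want to run on a domain's SPF TXT record: a missing record, more than one `v=spf1` record, a `+all`, `?all` or `~all` terminator, a deprecated `ptr` mechanism, a `/0` network, and more than ten DNS-lookup terms (the RFC 7208 limit, after which evaluators return permerror). No DNS is queried here; the caller passes in the TXT strings, and the example records are constructed, not real domains.

```python
import re

# Added example: static checks on a domain's SPF TXT records. Mechanisms that cost a DNS
# lookup, plus the redirect modifier, are capped at 10 by RFC 7208.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

_MODIFIER = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)   # e.g. redirect=_spf.example
_MECH = re.compile(r"^([a-z][a-z0-9]*)(.*)$", re.I)           # e.g. ip4:192.0.2.0/24


def analyze_spf(txt_records):
    """Return a list of human-readable findings for one domain's TXT records.
    An empty list means these static checks found nothing wrong."""
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no v=spf1 record: receivers cannot tell forged senders from real ones"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple v=spf1 records: RFC 7208 says permerror, which disables SPF")
    lookups = 0
    has_all = has_redirect = False
    for term in spf[0].split()[1:]:          # skip the v=spf1 version tag
        mod = _MODIFIER.match(term)
        if mod:                               # modifier (name=value), not a mechanism
            if mod.group(1).lower() == "redirect":
                has_redirect = True
                lookups += 1
            continue
        qualifier = "+"                       # mechanisms default to 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = _MECH.match(term)
        if not m:
            findings.append(f"unparseable term {term!r}")
            continue
        mech, arg = m.group(1).lower(), m.group(2)
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            findings.append("ptr mechanism: deprecated by RFC 7208, slow and easy to get wrong")
        if mech in ("ip4", "ip6") and arg.endswith("/0"):
            findings.append(f"{term}: a /0 network authorises the whole internet")
        if mech == "all":
            has_all = True
            if qualifier == "+":
                findings.append("+all: every host on the internet passes SPF for this domain")
            elif qualifier == "?":
                findings.append("?all: neutral result, no better than having no record")
            elif qualifier == "~":
                findings.append("~all: softfail only; receivers rarely reject on it, prefer -all plus DMARC")
    if not has_all and not has_redirect:
        findings.append("no terminating all mechanism: unmatched senders get a neutral result")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}: evaluators return permerror")
    return findings


if __name__ == "__main__":
    # Constructed records for illustration; none belongs to a real domain.
    samples = {
        "tight":   ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"],
        "open":    ["v=spf1 a mx ptr include:a.example include:b.example +all"],
        "doubled": ["v=spf1 -all", "v=spf1 mx ~all"],
        "absent":  ["google-site-verification=abc123"],
    }
    for name, records in samples.items():
        print(name, "->", analyze_spf(records) or ["ok"])
```

In production you would feed `analyze_spf` the TXT records returned by a resolver (dnspython, or `dig TXT example.com`) and recurse into `include:` and `redirect=` targets, since a permissive record pulled in from a vendor is just as much your problem as one you wrote yourself.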
Exploiting URL parsers: the good, the bad, and the inconsistent
Team82 and Snyk analysed 16 URL parsing libraries and found five classes of inconsistency: scheme confusion, slashes confusion, backslash confusion, URL-encoded data confusion, and scheme mixup. These inconsistencies led to vulnerabilities both in web applications and in third-party libraries that many popular apps depend on. The 34-page paper gives the details and recommendations for every web developer.
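The practical lesson is that a host allowlist is only as good as the parser behind it, and the component that later uses the URL may parse it differently. The Python below is an added example (not the paper's code or test set) that shows three of the listed confusions on constructed URLs: Python's `urllib.parse` reads them one way, and a simplified model of the WHATWG rules that browsers and Node's `URL` class follow reads them another way. The fix shown is to validate against one strict grammar and reject anything ambiguous instead of picking an interpretation. The hostnames `good.example` and `evil.example` and the `browser_like_host` model are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed test URLs (not from the Team82/Snyk paper). Each one reads differently
# depending on which parser you ask.
AMBIGUOUS = [
    "http://good.example\\@evil.example/",  # backslash confusion
    "http:///evil.example/",                 # slashes confusion
    "http:evil.example/",                    # scheme/authority confusion
]


def urllib_host(url):
    """Host as Python's urllib sees it: an RFC 3986-style split where backslash is an
    ordinary character and an authority exists only if the scheme is followed by '//'."""
    return urlsplit(url).hostname


def browser_like_host(url):
    """Simplified model (an assumption of this example) of WHATWG URL parsing for http/https:
    after the scheme any run of '/' or '\\' is skipped, and the authority ends at the first
    '/', '\\', '?' or '#'. Only host extraction is modelled, nothing else."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in ("http", "https"):
        return None
    rest = rest.lstrip("/\\")
    authority = re.match(r"[^/\\?#]*", rest).group(0)
    host = authority.rpartition("@")[2].partition(":")[0].lower()
    return host or None


# One canonical grammar: http(s), exactly '//', no userinfo, a plain DNS name, optional
# port, and no backslash anywhere. Anything else is rejected rather than interpreted.
_CANONICAL = re.compile(
    r"^https?://([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::\d{1,5})?(?:/[^\\?#]*)?(?:\?[^\\#]*)?(?:#[^\\]*)?$",
    re.IGNORECASE,
)


def strict_host(url, allowed_hosts):
    """Validate before use: return the host if the URL is unambiguous and allow-listed,
    otherwise raise ValueError. Both parsers agree on everything this function accepts."""
    m = _CANONICAL.match(url)
    if not m:
        raise ValueError(f"rejected: ambiguous or malformed URL {url!r}")
    host = m.group(1).lower()
    if host not in allowed_hosts:
        raise ValueError(f"rejected: host {host!r} is not allow-listed")
    assert urllib_host(url) == browser_like_host(url) == host  # the two readings coincide
    return host


if __name__ == "__main__":
    for u in AMBIGUOUS:
        print(f"{u!r:40} urllib={urllib_host(u)!r:16} browser={browser_like_host(u)!r}")
```

Run it and you see the problem in one table: for the first URL urllib reports `evil.example` while a browser would go to `good.example`, and for the other two urllib sees no host at all while a browser happily connects to `evil.example`. Whichever side your validator is on, the other side disagrees, so `strict_host` refuses all three and only lets through URLs where there is nothing to disagree about.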
DevOps
Real-world engineering challenges: data migrations
While personal experience is ♔ king, learning from others' experience is critical to keeping your kingdom safe, especially when moving all the king's horses (and their data) out of an old system. So let's uncover the stories behind the big migration challenges faced by Box, Stripe, Pinterest, Doordash, and LinkedIn. Gergely Orosz has collected plenty of ideas to learn from.
Books
A graduate course in applied cryptography
How about reading an 1,100+ page book on constructing practical cryptosystems? :) The latest version of A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup is now available online. You can read it as a beginner to learn how cryptographic systems work, or go deeper into the detailed security proofs.