Leaderboard
Popular Content
Showing content with the highest reputation on 03/22/21 in all areas
-
The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols. In essence: make it fast, cheap, and easy to move users into, out of, and around the cloud.

scimify is a PHP application that supports both SCIM 1.1 and SCIM 2.0 servers with operations for /Users, /Groups and /ServiceProviderConfig endpoints. This application was created in order to test SCIM capabilities with Okta SCIM enabled applications.

Link: https://github.com/dragosgaftoneanu/scimify

The application is built on RFCs 7642, 7643 and 7644 and is used for tests at work. It is not made for a production environment (the database structure is not production friendly) and it does not authenticate requests (it does not check the Authorization header).
1 point
-
Many forums have turned into undercover OLX; on seopedia, for example, you can't ask anything or argue a point because there is constant trolling... arenaweb has disappeared... it was rebuilt as roforum, and there you find practically only nonsense and the administrator's ads. RST has remained the only place where you can still ask something without embarrassment and expect a correct answer. BlackHatWorld (has turned into selling backlinks, likes and other rubbish)
1 point
-
The bad part is that people don't really hang around on forums anymore in general. The good part is that the answers you get on a forum are infinitely better than all the crap that all the morons post on Facebook. I don't know what it's like on other platforms like discord/telegram...
1 point
-
Data privacy and security is an essential R&D stage for many applications. Here, we'll walk you through how to securely handle sensitive or personal information in your applications and reduce their chance of leaking. There are all kinds of data obfuscation tools out there. Instead of covering them, we'll share:
- How we implement our own ways to protect PII
- Some of our data-masking techniques

(Image caption: Masking sensitive data should be a default.)

What is PII?
Personally identifiable information (PII) is any data used to identify, locate, or contact an individual. Data privacy regulations each have their own standards of what constitutes PII, so be mindful of what PII you should protect. For starters, check out how the National Institute of Standards and Technology (NIST) classifies PII.

What is Sensitive Data?
While the term looks self-explanatory, the boundaries that make data sensitive can still be blurry. So let's resort to the definitions from the European Commission. The following are considered sensitive data:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person's sex life or sexual orientation.

In this walkthrough, we will use PII and sensitive data interchangeably. But in real life, sensitive data often refers to something more general and broad, while PII has a stricter definition.

Why is protecting PII/sensitive data so important?
Information and data privacy regulations and laws compel you to do so. Nobody wants to get slapped with a hefty fine! The European Union's (EU's) General Data Protection Regulation (GDPR) comes to mind. Depending on the nature of your application, it has to comply with data privacy requirements for it to be legally released and used by the end users.

Besides, keeping the user's data secure and private must be a default for any developer. Right, even if your team has the correct attitude, it's often a careless mistake that causes a sensitive data exposure. Awareness is key to avoiding this; hopefully this piece will provide some insights. Onto the walkthrough!

The examples below are in Kotlin, but the underlying concepts and principles are all applicable to different kinds of software development, especially on the front end.

Data Class Sensitive<T> – Masking Sensitive Data by Default
Here's our very own data-masking tool. When a data field itself contains some sensitive value, it should be encapsulated within the below data class to achieve data obfuscation by default. Since the toString() method is overridden, where "masked" is always returned, its actual value can't be printed out unless explicitly requested. Access to sensitive or restricted information is controlled this way, reminding the developers not to expose one. Below is a data-masking example class written in Kotlin:

    data class Sensitive<T>(private val data: T) {
        override fun toString() = "masked"
        fun getSensitive(): T = data
    }

A hint: some programming languages support memory erasure; you may want to implement a clear() function with that.

Here's an example data class User where three of its properties are considered sensitive, and hence need data masking with Sensitive<T>:

    data class User(
        val name: Sensitive<String>,
        val email: Sensitive<String>,
        val cardLast4: Sensitive<String>,
        val username: String
    )

Below is a demo on masking with Sensitive<T>:

    data class Sensitive<T>(private val data: T) {
        override fun toString() = "masked"
        fun getSensitive(): T = data
    }

    data class User(
        val name: Sensitive<String>,
        val email: Sensitive<String>,
        val cardLast4: Sensitive<String>,
        val username: String
    )

    fun main() {
        val user = User(
            Sensitive("Elliot"),
            Sensitive("elliot@oursky.com"),
            Sensitive("1234"),
            "elliot"
        )
        println(user)
        println(user.name.getSensitive())
    }

An interactive code snippet is available here; try running it! The result should be:

    User(name=masked, email=masked, cardLast4=masked, username=elliot)
    Elliot

Explicitly Obtain Sensitive Data
In cases where the developer really has to obtain a sensitive data field, they can do so by calling the function getSensitive() from the data class Sensitive<T>. Such an operation is intentionally designed to be inconvenient, so the developer will need to think twice before impetuously printing PII to the console.

Track Exposed Sensitive Data
To visualize which part of the code explicitly requested to expose sensitive data, type the following grep command in your terminal:

    grep -nR getSensitive .

This can be effortlessly integrated into a CI pipeline to conduct auto checks on exposed sensitive data.

Build InputFields and Picker with Sensitive<T>
By wrapping standard UI widgets regardless of the platform (iOS, Android, web), you can build input components like InputFields or DatePicker that return Sensitive<T>. Doing this secures an input flow on sensitive data, from the second an end user starts entering data to the end of your process.

This should be applied on all input components that contain sensitive data, where processes like masking credit card numbers or phone numbers become automatic. Let's say a user is entering a credit card CVC. We'll always handle it with a SensitiveInputField that returns Sensitive<String>. The actual CVC value is hidden until the stage of serialization (for data transit), which minimizes direct contact. In other words, a masked credit card CVC value becomes the default output from the user input process.

Disable Screenshot and Background Preview when Handling Sensitive Information
A thorough understanding of the behaviour of the underlying operating system is also essential to a secure development cycle. While we may have PII data hidden by sensitive filters in the code and log console, it's still possible that the sensitive data value is shown on the UI. Make sure to disable screenshot ability and background preview on such screens.

Android – Disable Screenshot

    window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)

Android – Hide Sensitive Screen on Recent Apps List
This StackOverflow post covers the logic in lifecycle onPause() and onResume() to hide an app's screen from the Recent Apps List on Android. It may not work on older Android versions (i.e., pre-Android 8/Oreo), so you may have to opt for more robust measures like setting android:excludeFromRecents="true" in your manifest, or self-replacing the screen with a black image temporarily.

iOS – Replace Task Switcher Thumbnail
This document covers how to hide sensitive information from the Task Switcher preview.

Store Sensitive Data in Mobile App with System Secret Manager
Avoid storing sensitive data on your app (though sometimes it's inevitable), like storing an access token in local storage.

Android
Always store such tokens in Android Keystore. Here's a sample flow we've adopted lately:
1. Generate an AES key first (per app) and store it in Android Keystore.
2. Encrypt tokens with the AES key before saving to SharedPreferences.

iOS
Always go with Keychain Services.

Set your .gitignore, .dockerignore and .gcloudignore properly
A developer with less experience can set up a repo's .gitignore properly right at the start. But s/he may never realize if other ignore files like .dockerignore are not configured carefully, which can lead to a lot of security problems. The internet is loaded with all kinds of ignore file templates and discussions on them, so be sure to study thoroughly when you are not sure if yours is correct enough!

Conclusion
So, there you have it! Data masking blocks certain fields and pieces of data from being visible. These data obfuscation techniques help prevent sensitive information from being visible while preserving the data's integrity and the overall semantics. The takeaway here is that there's no silver bullet for data masking and preventing sensitive data exposure. Depending on the business requirements, use cases, and the data you're working with, some techniques will be more relevant and need to be consistently applied than others. There are also solutions with different stacks, like an authentication solution for web and mobile apps that went through rounds of security audit. For self-maintained ones, you'll have to take up the responsibility of securing PII.

Source
1 point
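The Sensitive<T> wrapper and the grep-based CI check from the post above, ported to Python as an added example (this is not the post's or Oursky's code). It also covers rendering paths the Kotlin demo does not show, such as f-string format specs and JSON serialization; the sample user values are constructed.

```python
import json
import re
from dataclasses import dataclass
from typing import Generic, TypeVar

T = TypeVar("T")

class Sensitive(Generic[T]):  # wraps a PII value; every implicit rendering path yields "masked"
    def __init__(self, data: T) -> None:
        self._data = data

    def __repr__(self) -> str:               # dataclass repr, logging %r, f"{x!r}"
        return "masked"

    def __str__(self) -> str:                # print(), str(), "%s" % x
        return "masked"

    def __format__(self, spec: str) -> str:  # f"{x:>20}" would otherwise bypass __str__
        return "masked"

    def get_sensitive(self) -> T:            # the single, deliberately explicit path
        return self._data

@dataclass
class User:
    name: Sensitive[str]
    email: Sensitive[str]
    card_last4: Sensitive[str]
    username: str

def masked_repr(user: User) -> str:
    return repr(user)  # User(name=masked, email=masked, card_last4=masked, username='elliot')

def json_leaks_by_default(user: User) -> bool:
    """json.dumps rejects the wrapper, so a careless dump fails instead of leaking."""
    try:
        json.dumps(vars(user))
        return True
    except TypeError:
        return False

def to_transit_json(user: User) -> str:
    # Serialization boundary: the only place values are unwrapped, on purpose.
    return json.dumps({"email": user.email.get_sensitive(), "username": user.username})

def find_unmasking_calls(source: str) -> list[int]:
    """CI check mirroring the post's `grep -nR getSensitive .`, applied to Python sources."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if re.search(r"\.get_sensitive\(", line)]
```

A non-empty result from find_unmasking_calls in CI is the list of places a reviewer should look at, exactly as the grep output is in the post.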
-
About GitLab Watchman
GitLab Watchman is an application that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally.

Features
It searches GitLab for internally shared projects and looks at:
- Code
- Commits
- Wiki pages
- Issues
- Merge requests
- Milestones

For the following data:
- GCP keys and service account files
- AWS keys
- Azure keys and service account files
- Google API keys
- Slack API tokens & webhooks
- Private keys (SSH, PGP, any other misc private key)
- Exposed tokens (Bearer tokens, access tokens, client_secret etc.)
- S3 config files
- Tokens for services such as Heroku, PayPal and more
- Passwords in plaintext
- and more

Time based searching
You can run GitLab Watchman to look for results going back as far as:
- 24 hours
- 7 days
- 30 days
- All time

This means after one deep scan, you can schedule GitLab Watchman to run regularly and only return results from your chosen timeframe.

Rules
GitLab Watchman uses custom YAML rules to detect matches in GitLab. They follow this format:

    ---
    filename:
    enabled: #[true|false]
    meta:
      name:
      author:
      date:
      description: #what the search should find#
      severity: #rating out of 100#
    scope: #what to search, any combination of the below#
    - blobs
    - commits
    - milestones
    - wiki_blobs
    - issues
    - merge_requests
    test_cases:
      match_cases:
      - #test case that should match the regex#
      fail_cases:
      - #test case that should not match the regex#
    strings:
    - #search query to use in GitLab#
    pattern: #Regex pattern to filter out false positives#

There are Python tests in the tests dir to ensure rules are formatted properly and that the Regex patterns work. More information about rules, and how you can add your own, is in the file docs/rules.md.

Logging
GitLab Watchman gives the following logging options:
- Log file
- Stdout
- TCP stream

Results are output in JSON format, perfect for ingesting into a SIEM or other log analysis platform. For file and TCP stream logging, configuration options need to be passed via .conf file or environment variable. See the file docs/logging.md for instructions on how to set it up. If no logging option is given, GitLab Watchman defaults to Stdout logging.

Requirements

GitLab versions
GitLab Watchman uses the v4 API, and works with GitLab Enterprise Edition versions:
- 13.0 and above - Yes
- GitLab.com - Yes
- 12.0 - 12.10 - Maybe, untested but if using v4 of the API then it could work

GitLab Licence & Elasticsearch
To search the scopes:
- blobs
- wiki_blobs
- commits
the GitLab instance must have Elasticsearch configured, and be running Enterprise Edition with a minimum GitLab Starter or Bronze Licence.

GitLab personal access token
To run GitLab Watchman, you will need a GitLab personal access token. You can create a personal access token in the GitLab GUI via Settings -> Access Tokens -> Add a personal access token. The token needs permission for the following scopes:
- api

Note: Personal access tokens act on behalf of the user who creates them, so I would suggest you create a token using a service account, otherwise the app will have access to your private repositories.

GitLab URL
You also need to provide the URL of your GitLab instance.

Providing token & URL
GitLab Watchman will first try to get the GitLab token and URL from the environment variables GITLAB_WATCHMAN_TOKEN and GITLAB_WATCHMAN_URL; if this fails they will be taken from the .conf file (see below).

.conf file
Configuration options can be passed in a file named watchman.conf which must be stored in your home directory. The file should follow the YAML format, and should look like below:

    gitlab_watchman:
      token: abc123
      url: https://gitlab.example.com
      logging:
        file_logging:
          path:
        json_tcp:
          host:
          port:

GitLab Watchman will look for this file at runtime, and use the configuration options from here. If you are not using the advanced logging features, leave them blank. If you are having issues with your .conf file, run it through a YAML linter. An example file is in docs/example.conf.

Note
If you use any other Watchman applications and already have a watchman.conf file, just append the conf data for GitLab Watchman to the existing file.

Installation
Install via pip:

    pip install gitlab-watchman

Or via source

Usage
GitLab Watchman will be installed as a global command, use as follows:

    usage: gitlab-watchman [-h] --timeframe {d,w,m,a} --output {file,stdout,stream}
                           [--version] [--all] [--blobs] [--commits] [--wiki-blobs]
                           [--issues] [--merge-requests] [--milestones] [--comments]

    Monitoring GitLab for sensitive data shared publicly

    optional arguments:
      -h, --help            show this help message and exit
      --version             show program's version number and exit
      --all                 Find everything
      --blobs               Search code blobs
      --commits             Search commits
      --wiki-blobs          Search wiki blobs
      --issues              Search issues
      --merge-requests      Search merge requests
      --milestones          Search milestones
      --comments            Search comments

    required arguments:
      --timeframe {d,w,m,a}
                            How far back to search: d = 24 hours w = 7 days, m = 30 days, a = all time
      --output {file,stdout,stream}
                            Where to send results

You can run GitLab Watchman to look for everything, and output to default Stdout:

    gitlab-watchman --timeframe a --all

Or arguments can be grouped together to search more granularly. This will look for commits and milestones for the last 30 days, and output the results to a TCP stream:

    gitlab-watchman --timeframe m --commits --milestones --output stream

Other Watchman apps
You may be interested in some of the other apps in the Watchman family:
- Slack Watchman
- GitHub Watchman

License
The source code for this project is released under the GNU General Public Licence. This project is not associated with GitLab.

Download gitlab-watchman-master.zip or git clone https://github.com/PaperMtn/gitlab-watchman.git

Source
1 point
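As an added example that is not part of the GitLab Watchman project, a Python check of one rule in the format shown above, doing what the README says the project's own tests do: verify the required keys and scopes, compile the pattern, and run the rule's match/fail cases against it. The AWS rule, its regex and the key-shaped strings in it are constructed for illustration (the rule is written as the dict a YAML loader would produce, so no YAML library is needed).

```python
import re
from typing import Any

REQUIRED_KEYS = ("filename", "enabled", "meta", "scope", "test_cases", "strings", "pattern")
VALID_SCOPES = {"blobs", "commits", "milestones", "wiki_blobs", "issues", "merge_requests"}

# Constructed rule: the shape yaml.safe_load would give for the README's template.
# The key-like value is made up (not a real credential); the regex is an assumption.
AWS_KEY_RULE: dict[str, Any] = {
    "filename": "aws_access_key_id.yaml",
    "enabled": True,
    "meta": {"name": "AWS Access Key ID", "author": "example", "date": "2021-03-22",
             "description": "AWS access key IDs committed to GitLab", "severity": 90},
    "scope": ["blobs", "commits", "merge_requests"],
    "test_cases": {
        "match_cases": ["aws_access_key_id = AKIAABCDEFGHIJKLMNOP"],
        "fail_cases": ["aws_access_key_id = AKIA1234", "AKIAabcdefghijklmnop"],
    },
    "strings": ["AKIA"],              # coarse GitLab search query
    "pattern": r"AKIA[0-9A-Z]{16}",   # regex that filters the search hits
}

def validate_rule(rule: dict[str, Any]) -> list[str]:
    """Return the problems found; empty means well formed and the regex behaves as its cases claim."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in rule]
    if problems:
        return problems
    if not isinstance(rule["enabled"], bool):
        problems.append("enabled must be true or false")
    severity = rule["meta"].get("severity")
    if not isinstance(severity, int) or not 0 <= severity <= 100:
        problems.append("meta.severity must be an integer rating out of 100")
    for scope in set(rule["scope"]) - VALID_SCOPES:
        problems.append(f"unknown scope: {scope}")
    try:
        regex = re.compile(rule["pattern"])
    except re.error as exc:
        return problems + [f"pattern does not compile: {exc}"]
    for case in rule["test_cases"].get("match_cases", []):
        if not regex.search(case):
            problems.append(f"match case not matched: {case!r}")
    for case in rule["test_cases"].get("fail_cases", []):
        if regex.search(case):
            problems.append(f"fail case matched (false positive): {case!r}")
    return problems

def rule_hits(rule: dict[str, Any], text: str) -> bool:
    """Two-stage check in the README's sense: a coarse string search, then the regex filter."""
    return any(s in text for s in rule["strings"]) and re.search(rule["pattern"], text) is not None
```

Running validate_rule over every rule file before a scan catches a pattern that was loosened until it matched its own fail cases, which is the false-positive flood the pattern field exists to prevent.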