Tuesday, July 11, 2017

2017-07-11 Tuesday - JavaScript Security/Audit/Vulnerability Checks

So, quite often, I need to analyze a massively long list of JavaScript modules used in a vendor's solution when I'm providing Enterprise Architecture oversight and assessment during the vendor evaluation phase of client RFP efforts.

To provide some confidence that there are no serious security concerns lurking in any of the JavaScript modules used in the vendor solution (and, equally important, to identify those that are at or beyond end-of-life), I would like to find a command-line tool that accepts a file listing module names with version numbers and returns some form of report/analysis identifying which ones may pose a high risk.

This posting is a placeholder for tools that I find that might be of utility in this effort - and hopefully of use to some future reader.

First, a quick survey of a Google search to help identify initial problem/solution domain articles to review:
I'll post an update next week based on what I find to be of practical use from the above list.
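As an added illustration (not a tool from this post, and not one of the tools surveyed above), here is a minimal Python sketch of the kind of check such a command-line tool performs: it reads a list of name@version pins, compares each against an advisory table and an end-of-life table, and flags anything whose version is a range or tag rather than an exact pin, since that cannot be assessed. The package names, version ranges and advisory summaries are constructed placeholders, not real advisories.

```python
import re
# Constructed, NOT real advisories: name -> [(first affected, first fixed, summary)]
ADVISORIES = {
    "example-lib": [((1, 0, 0), (1, 4, 2), "remote code execution in template parser")],
}
END_OF_LIFE = {"example-legacy": (3, 0, 0)}  # constructed: releases below get no fixes
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
fmt = lambda v: ".".join(map(str, v))  # (3, 0, 0) -> "3.0.0"

def parse_version(text):
    m = VERSION_RE.match(text.strip())  # None for ranges/tags such as ^1.2.0 or latest
    return tuple(int(x) for x in m.groups()) if m else None

def parse_module_list(text):
    """Accept 'name@version' or 'name version' per line; skip blanks and # comments."""
    modules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if "@" in line[1:]:  # rpartition keeps scoped names like @scope/pkg intact
            name, _, version = line.rpartition("@")
        else:
            name, _, version = line.partition(" ")
        modules.append((name.strip(), version.strip()))
    return modules

def assess(modules):
    """Return one (name, version, risk, detail) tuple per finding."""
    findings = []
    for name, version in modules:
        v = parse_version(version)
        if v is None:
            # A range or tag (^3.0.0, latest) cannot be assessed; flag it rather than guess.
            findings.append((name, version, "UNPINNED", "not an exact x.y.z pin"))
            continue
        for lo, hi, summary in ADVISORIES.get(name, []):
            if lo <= v < hi:
                findings.append((name, version, "VULNERABLE", f"{summary}; fixed in {fmt(hi)}"))
        eol = END_OF_LIFE.get(name)
        if eol and v < eol:
            findings.append((name, version, "END-OF-LIFE", f"unsupported below {fmt(eol)}"))
    return findings

SAMPLE_INPUT = """# constructed inventory, one module per line
example-lib@1.3.9
example-lib@1.4.2
example-legacy@2.8.1
@scope/widget@^3.0.0
"""
```

Running `assess(parse_module_list(SAMPLE_INPUT))` yields three findings: the 1.3.9 pin is vulnerable, the legacy module is end-of-life, and the caret range is reported as unpinned, while the fixed 1.4.2 release produces nothing.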

Monday, July 03, 2017

2017-07-03 Monday - STRUTS 2 - CVE-2017-5638

"...this time, a “minerd” crypto coin mining program will be downloaded as well with all of its prerequisites. The attacker masquerades the malicious process and its configuration with names similar to Apache server, to make it look more innocent when the infected user will list all the running processes."
"These cryptocoin pools appear to be hosted in France under the 'crypto-pool.fr'"
"One of the more fascinating aspects of this malware was the creative technique that the spearhead exploit uses to propagate itself. It will search for all the remote IP addresses that the administrator of the server was connecting to on this server. It searches the SSH “known_hosts” file, which keeps the IP addresses and fingerprints of all the servers to which the administrator was connecting. It also scans the Bash history file for any IP addresses used within the SSH command. Once this list of IP addresses is compiled, the script tries to connect to them via SSH. If the configured authentication was set up to use a key file instead of a username and password, the malware will successfully deploy itself on the remote machine."
"The same attacker (surprisingly using the same IP address) behind the previously described Apache STRUTS campaign varied the campaign again during the week of March 20th. This time, the payload infected Windows machines with the “Cerber” ransomware."

Saturday, July 01, 2017

2017-07-01 Saturday - Continuous Delivery

I'm interested in how folks have implemented approaches to achieving Continuous Delivery, so this posting is a placeholder for interesting stories I happen to find.

Expedia (under the leadership of the then Senior Release Program Manager, Sandy Anuras) initiated a project called the "Shuntless Release Project" (circa 2008-2010), which allowed Expedia "...to reduce the downtime for a release from 8+ hours to 0 minutes...". I would like to find out more about that specific effort's approach, but in the meantime, here are a few more recent presentation decks I found on SlideShare.net that may be of interest: