LIST

OWASP Using Components with Known Vulnerabilities

Components with Known Vulnerabilities: most developers don't even know what is in their dependency tree. Sadly, most successful attacks are not the exciting "zero day, rush to patch before they get it" kind. Most attacks are mundane: they exploit a known vulnerability in a component that was never updated. Pattern: use your build tool to extract a report of ALL the artifacts that went into your build (including the build tool's plugins). Pattern: check that list against CVEs, manually every week or automatically (src:...
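The two patterns above, carried through as an added example (not from the book or OWASP): take the artifact report the build tool produced and match every pinned version against an advisory feed. The report and the advisory feed here are constructed sample data with fictional package names and IDs; in practice the report comes from the build tool (for example `pip freeze` or `mvn dependency:list`) and the feed from a source such as OSV, whose "introduced"/"fixed" range events the matching mimics. Versions are assumed to be plain dotted integers; real ecosystems need their own version parser.

```python
"""Check a build's artifact report against an advisory feed.

Added example, not from the book or OWASP. ARTIFACT_REPORT and ADVISORIES
are constructed sample data (fictional package names and IDs). Versions
are assumed to be dotted integers only.
"""
from __future__ import annotations

from typing import Dict, List, NamedTuple, Optional

# Constructed report: one "name==version" per line, as `pip freeze` prints.
ARTIFACT_REPORT = """\
examplelib==1.4.2
jsonshim==2.0.0
buildhelper-plugin==0.9.1
loggingkit==3.1.0
"""

# Constructed advisories. A range [introduced, fixed) is vulnerable from
# `introduced` up to, but excluding, `fixed`; fixed=None means no fix yet.
ADVISORIES = [
    {"id": "SAMPLE-0001", "package": "examplelib",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.4.3"}]},
    {"id": "SAMPLE-0002", "package": "buildhelper-plugin",
     "ranges": [{"introduced": "0.8.0", "fixed": None}]},
    {"id": "SAMPLE-0003", "package": "loggingkit",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.9.9"},
                {"introduced": "3.2.0", "fixed": "3.2.1"}]},
]


class Finding(NamedTuple):
    package: str
    version: str
    advisory_id: str
    fixed: Optional[str]  # version to upgrade to, or None if unfixed


def parse_version(version: str) -> tuple:
    """Dotted integers only (assumption for this example): "1.4.2" -> (1, 4, 2)."""
    return tuple(int(part) for part in version.split("."))


def parse_report(report: str) -> Dict[str, str]:
    """Map lower-cased package name -> pinned version."""
    deps: Dict[str, str] = {}
    for line in report.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, rng: dict) -> bool:
    """True if version falls inside [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    return rng["fixed"] is None or v < parse_version(rng["fixed"])


def find_known_vulnerabilities(report: str, advisories: list) -> List[Finding]:
    """Every (package, advisory) pair where the pinned version is affected."""
    deps = parse_report(report)
    findings: List[Finding] = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version is None:
            continue  # not in this build
        for rng in adv["ranges"]:
            if is_affected(version, rng):
                findings.append(Finding(adv["package"], version, adv["id"], rng["fixed"]))
                break  # one hit per advisory is enough
    return findings


if __name__ == "__main__":
    for f in find_known_vulnerabilities(ARTIFACT_REPORT, ADVISORIES):
        action = f"upgrade to {f.fixed}" if f.fixed else "no fix published, mitigate or replace"
        print(f"{f.package}=={f.version}: {f.advisory_id} ({action})")
```

Run weekly (or on every build) against a fresh copy of the feed; a finding with fixed=None is the case that needs a human decision, since there is nothing to upgrade to yet.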

September 10, 2022

OWASP XML External Entities (XXE)

XML external entity (XXE) injection:
<!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <foo>&xxe;</foo>
The parser resolves &xxe; by reading the file named in the SYSTEM identifier and inlining its contents into the document. Most XML parsers are vulnerable to XXE injection by default; you need to configure them to be safe (src: Book_ release it! - Michael Nygard)
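The payload above run against an unsafe and a hardened parser configuration, as an added example (not the book's code). It uses the Python standard-library SAX parser, where the feature_external_ges switch decides whether external general entities are fetched; the "secret" file is constructed by the script in place of /etc/passwd so the demo runs offline.

```python
"""XXE: one payload, two parser configurations.

Added example, not from the book or OWASP. Uses xml.sax (expat underneath);
the secret file is constructed by the script itself.
"""
import io
import pathlib
import tempfile
import xml.sax
from typing import List, Tuple
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data the parser delivers inside elements."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: List[str] = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)


def xxe_payload(file_url: str) -> bytes:
    """The DOCTYPE/ENTITY payload from the note, pointed at file_url."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "{file_url}">
]>
<foo>&xxe;</foo>""".encode()


def parse_foo(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Return the text content of <foo>.

    resolve_external_entities=True is the unsafe configuration that many
    parsers ship with by default; False is the hardened one.
    """
    parser = xml.sax.make_parser()
    # feature_external_ges controls whether external general entities
    # (SYSTEM "file:///...", SYSTEM "http://...") are fetched and inlined.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def demo() -> Tuple[str, str]:
    """Run the payload against both configurations; return (unsafe, safe)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp) / "passwd"
        # Constructed stand-in for /etc/passwd.
        secret.write_text("root:x:0:0:root:/root:/bin/sh\n")
        payload = xxe_payload(secret.as_uri())
        unsafe = parse_foo(payload, resolve_external_entities=True)
        safe = parse_foo(payload, resolve_external_entities=False)
    return unsafe, safe


if __name__ == "__main__":
    unsafe_text, safe_text = demo()
    print("unsafe parser returned:", repr(unsafe_text))
    print("hardened parser returned:", repr(safe_text))
```

With the feature enabled the file's contents come back as the text of <foo>; with it disabled the entity reference expands to nothing. The same switch exists under different names in other parsers (disallow-doctype-decl, resolve_entities, XMLConstants.FEATURE_SECURE_PROCESSING), and the safe setting is the one to verify in a test rather than assume.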

September 10, 2022

Heuristic: when software load balancing becomes insufficient

Heuristic: when software load balancing becomes insufficient. :) scale; :( requires network access; :( requires specific skills. Once you start contemplating a load balancer in front of your reverse proxy servers, it's time to look at other options (src: Book_ release it! - Michael Nygard)

August 19, 2022

Architecture pattern: global dns + regional load balancers

Global server load balancing (GSLB) with DNS, in front of regional load balancers (src: Book_ release it! - Michael Nygard)

August 16, 2022

Book: release it! - Michael Nygard

(Book_ Release It! - Michael Nygard) Part 1 - Create Stability Ch2 case study Ch3 Stabilize your system Ch04 Stability Anti-patterns Ch05 Stability Patterns Part 2 - Design for production Ch06 case study Ch07 Foundations Ch08 Processes on Machines Ch09 Interconnect Ch10 Control plane Ch11 Security Part 3 - Deliver your system Ch12 Ch13 Ch14 Part 4 - Solve Systemic Problems Ch15 Ch16 Ch17 Model: cap theorem Model_ OSI model...

August 16, 2022

Heuristic: log level INFO for interesting state transitions

(src: Book_ release it! - Michael Nygard)

August 16, 2022

Heuristic: log levels ERROR & SEVERE should require action by the operators

ERROR & SEVERE should require action by the operators. E.g. ERROR: circuit breaker tripped to open (probably needs fixing on the other side of the connection). E.g. ERROR: failure to connect to database (src: Book_ release it! - Michael Nygard)
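The two logging heuristics above (INFO for interesting state transitions; ERROR only when operators must act) applied to a circuit breaker around a database connection, as an added example that is not the book's code. The database client is a constructed fake that refuses the first few connections, and the clock is injected so the open/half-open timeout can be driven without sleeping.

```python
"""Log levels on a circuit breaker: INFO for transitions, ERROR when
operators must act. Added example, not from the book; FakeDatabase and
the injected clock are constructed so it runs offline."""
from __future__ import annotations

import logging
import time
from typing import Callable, List, Tuple

log = logging.getLogger("example.circuit")


class CircuitOpenError(RuntimeError):
    """Raised when a call is rejected because the breaker is open."""


class CircuitBreaker:
    CLOSED, OPEN, HALF_OPEN = "closed", "open", "half_open"

    def __init__(self, name: str, failure_threshold: int = 3,
                 reset_timeout: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.name = name
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock
        self.state = self.CLOSED
        self.failures = 0
        self.opened_at = 0.0

    def _transition(self, new_state: str, reason: str) -> None:
        old, self.state = self.state, new_state
        if new_state == self.OPEN:
            self.opened_at = self.clock()
            # Tripping open means the other side of the connection is
            # probably broken: operators need to act, so this is ERROR.
            log.error("circuit breaker %s tripped %s -> %s: %s",
                      self.name, old, new_state, reason)
        else:
            # Probing and recovering are interesting transitions that
            # need no action: INFO.
            log.info("circuit breaker %s %s -> %s: %s",
                     self.name, old, new_state, reason)

    def call(self, fn: Callable[[], object]) -> object:
        if self.state == self.OPEN:
            if self.clock() - self.opened_at < self.reset_timeout:
                # Rejected calls are expected while open and tell operators
                # nothing new, so they are not logged at all.
                raise CircuitOpenError(self.name)
            self._transition(self.HALF_OPEN, "reset timeout elapsed, probing")
        try:
            result = fn()
        except Exception as exc:
            self.failures += 1
            if self.state == self.HALF_OPEN or self.failures >= self.failure_threshold:
                self._transition(self.OPEN, f"{self.failures} consecutive failures, last: {exc}")
            raise
        if self.state == self.HALF_OPEN:
            self._transition(self.CLOSED, "probe succeeded")
        self.failures = 0
        return result


class FakeDatabase:
    """Constructed stand-in: refuses the first `outage` connection attempts."""

    def __init__(self, outage: int) -> None:
        self.remaining_failures = outage

    def connect(self) -> str:
        if self.remaining_failures > 0:
            self.remaining_failures -= 1
            # A failed connection is itself something operators must look at.
            log.error("failure to connect to database %s: connection refused", "orders-db")
            raise ConnectionError("connection refused")
        return "connection"


class ListHandler(logging.Handler):
    """Keeps (level, message) pairs so the log can be inspected in code."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[Tuple[str, str]] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append((record.levelname, record.getMessage()))


def simulate() -> List[Tuple[str, str]]:
    """Drive the breaker through an outage and a recovery; return the log."""
    sink = ListHandler()
    log.addHandler(sink)
    log.setLevel(logging.INFO)
    log.propagate = False
    now = [0.0]  # fake clock, advanced by hand
    db = FakeDatabase(outage=3)
    breaker = CircuitBreaker("orders-db", failure_threshold=3,
                             reset_timeout=30.0, clock=lambda: now[0])
    for _ in range(3):  # three refused connections trip the breaker
        try:
            breaker.call(db.connect)
        except ConnectionError:
            pass
    try:
        breaker.call(db.connect)  # rejected without touching the database
    except CircuitOpenError:
        pass
    now[0] += 31.0
    breaker.call(db.connect)  # half-open probe succeeds, breaker closes
    log.removeHandler(sink)
    return sink.records


if __name__ == "__main__":
    for level, message in simulate():
        print(f"{level:5} {message}")
```

The resulting log has four ERROR lines (three refused connections and the trip to open) followed by two INFO lines (open -> half_open, half_open -> closed); an operator paging on ERROR gets the outage and nothing from the recovery.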

August 16, 2022

Heuristic: nominal values for continuous metrics

Heuristic: Alerts for continuous metrics (src: Book_ release it! - Michael Nygard)

August 16, 2022

Heuristic: production software vs control plane

If production user data passes through it, it is production software. If its main job is to manage other software, it is the control plane (src: Book_ release it! - Michael Nygard)

August 16, 2022

Heuristic: useful controls for Control Plane - live control

Which controls (src: Book_ release it! - Michael Nygard)

August 16, 2022