VirtualTam's bookmarks

21. OWASP CycloneDX - A full-stack Bill of Materials (BOM) standard

    2024-04-02
    programming/go programming/python programming/rust security software-engineering/bill-of-materials

    Permalink
    • CycloneDX
    • CycloneDX/cyclonedx-gomod
    • CycloneDX/cyclonedx-python
    • cyclonedx-rust-cargo
22. facebookexperimental/kperf - TCP and TLS performance testing tool

    2024-03-31
    network/tcp network/transport-layer-security performance/benchmark programming/c

    Permalink
23. OpenGFW - A flexible, easy-to-use, open source implementation of GFW (Great Firewall of China) on Linux

    2024-03-31
    linux network/firewall network/ipv4 network/ipv6 network/packet-capture/wireshark programming/go reverse-engineering

    Permalink
    • USENIX Security Symposium 2023 - How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic
24. oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

    2024-03-31
    compression/lzma compression/xz linux programming/c programming/shell/bash security security/backdoor

    Permalink
    • XZ Utils backdoor
    • xz/liblzma: Bash-stage Obfuscation Explained
    • /r/Linux - XZ Utils backdoor
    • Debian Bug report logs - #1068024 revert to version that does not contain changes by bad actor
    • FAQ on the xz-utils backdoor
    • LWN - A backdoor in xz
    • Everything I Know About the Xz Backdoor
25. Comprehensive Rust 🦀 - a free Rust course developed by the Android team at Google

    2024-03-28
    embedded google mobile/android programming/rust

    Permalink
    • Rust in Android
    • Rust in Chromium
    • Bare Metal Rust
    • Concurrency in Rust
    • google/comprehensive-rust
    • Scaling Rust Adoption Through Training
26. The Family of Safe Golang Libraries is Growing!

    2024-03-25
    compression programming/go security text/formatting

    Permalink
    • google/safetext
    • google/safeopen
    • google/safearchive
27. Standard Webhooks - Open source tools and guidelines to send webhooks easily, securely and reliably

    2024-02-28
    network/http programming/json

    Permalink
    • standard-webhooks/standard-webhooks
    • Specification
28. Have I Been Pwned - Pwned Passwords

    2024-02-28
    programming/go programming/python programming/ruby programming/rust security/credentials security/password

    Permalink
    • HaveIBeenPwned/PwnedPasswordsDownloader
    • API Clients:
      • mattevans/pwned-passwords - Go API Client
      • lionheart/pwnedpasswords - Python API Client
      • philnash/pwned - Ruby API Client
      • wisespace-io/pwned-rs - Rust API Client
29. AWS Access Key Format

    2024-02-28
    cloud-computing/aws programming/go programming/python security security/credentials security/token

    Permalink
    • AWS Security Credentials Formats
    • A short note on AWS KEY ID
    • Research Uncovers AWS Account Numbers Hidden in Access Keys
    • TruffleHog Now Detects AWS Canaries without setting them off
30. SOC - System and Organization Controls

    2024-02-17
    code-review infrastructure/automation observability security security/audit security/authentication security/authorization single-sign-on source-code-management/git source-code-management/github

    Permalink
    • The SOC2 Starting Seven
    • SOC2: The Screenshots Will Continue Until Security Improves
31. Vulnerability Management for Go

    2024-01-15
    programming/go security static-analysis

    Permalink
    • Go Vulnerability Database (Go Blog)
    • Go Vulnerability Database
    • govulncheck command
32. Sequoia-PGP - OpenPGP Implementation in Rust

    2023-11-09
    command-line cryptography/encryption cryptography/pgp cryptography/pgp/gnupg linux/debian linux/fedora programming/rust security

    Permalink
    • Sequoia PGP: A Sapling Matures: Meet sq 1.0
    • Talk about OpenPGP interop testing at the IETF 110
    • sequoia-pgp/sequoia - APIs for dealing with OpenPGP data
    • sequoia-pgp/sequoia-sq - the Sequoia-PGP command line tool
    • RpmSequoia
33. Rust Safety Dance - Auditing crates for unsafe code which can be safely replaced

    2023-10-01
    memory programming/assembly programming/rust security/audit

    Permalink
34. Firezone - WireGuard-based VPN server and firewall

    2023-08-30
    network/udp network/vpn/wireguard security

    Permalink
    • https://www.firezone.dev/
35. HAProxy - TLS Termination Setup

    2023-07-24
    cryptography/encryption network/http network/reverse-proxy network/reverse-proxy/haproxy network/transport-layer-security security

    Permalink
    • Traffic Routing - Rewrite Requests
    • Client IP Preservation - X-Forwarded-For
    • HAProxy & HTTP Strict Transport Security (HSTS)
    • Secure Cookies Using HAProxy Enterprise
36. Web Security Cheat Sheet | Mozilla Infosec

    2023-07-23
    network/http network/http/cookie network/transport-layer-security programming/html programming/javascript security web

    Permalink
37. How to manage CVE security vulnerabilities with Grafana, MergeStat, and OSV-Scanner

    2023-06-12
    database observability/grafana security

    Permalink
    • google/osv-scanner
    • OSV - A distributed vulnerability database for Open Source
    • mergestat/mergestat
38. passkeys - Hello passkeys! Goodbye passwords.

    2023-06-11
    cryptography/public-key-infrastructure internet/browser/chrome internet/browser/firefox mobile/android mobile/ios security/authentication

    Permalink

    Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.

    • https://fidoalliance.org/passkeys/
    • Apple Developer - Passkeys Overview
    • Apple Support - About the security of passkeys
    • Google Identity - Passwordless login with passkeys
    • Google Blog - The beginning of the end of the password
    • Google Security Blog - So long passwords, thanks for all the phish
    • Chromium BLog - Introducing passkeys in Chrome
    • Tailscale doesn't want your password
    • Tailscale - Custom OIDC Providers
    • YubiKeys, passkeys and the future of modern authentication
    • A Yubico FAQ about passkeys
    • Why Passkeys Will Be Simpler and More Secure Than Passwords
    • Passkeys: A shattered dream
39. WebAuthn - An API for accessing Public Key Credentials

    2023-06-11
    cryptography/public-key-infrastructure internet/browser security/authentication

    Permalink

    The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password.

    • Guide to Web Authentication
    • Asynchronous Remote Key Generation: An Analysis of Yubico’s Proposal for W3C WebAuthn [PDF]
    • Issue 664630: Web Authentication API for Chrome
    • Bugzilla - [meta] Update WebAuthn JS API to the L1-REC spec
    • keepassxc#1870 - Feature Request: Integration with the Web Authentication API
40. Legacy Rails: Silently Judging You

    2023-06-03
    framework/ruby-on-rails legacy programming/ruby security/audit

    Permalink

    How can you judge the quality of a legacy Rails application?

    • bundler-audit
    • rails-erd