Terms and Conditions
Terms and Conditions. Updated 3rd of March 2022. Thank you for choosing to use our products and services (Services). This agreement (Agreement) is between SecureStack Pty Ltd (“SecureStack”, “us,” “we,” “our” or the “Company”) and the person or entity agreeing to these...

How to enforce HTTPS on your web application
Enforcing HTTPS is a lot harder than most people make it seem. So, lemme break this down into the 7 (yes 7!) different things you are gonna need to have configured to meet the requirement in the top paragraph: create the unencrypted "origin" service, create a load...

Risky Business
Risky Business Podcast. In this edition of Snake Oilers we'll be hearing from Google Security -- Anton Chuvakin is appearing on their behalf to talk more about how switching to its cloud-native SIEM actually makes sense now. Paul McCarty from SecureStack will be along...

Australian ISM – Guidelines for Secure Development
The Australian Cyber Security Centre (ACSC) is the arm of the government that provides guidance on how to improve cybersecurity in Australia. As part of this mandate, they have been producing a document called the "Information Security Manual" (ISM) since 2017. You...

Automate responses to security questionnaires!
Are you sick of filling out security questionnaires to meet some compliance or audit objectives? Most of the software engineers we talk to that have to fill these pesky forms out hate the process. Many of them say to us that they really want something that could...

The DevSecOps Playbook
The DevSecOps Playbook. SecureStack is committed to open-source projects; that's the reason we recently open-sourced the "DevSecOps Playbook". This playbook, originally written by our CEO Paul McCarty, was an internal automation document that explained how to secure...

One GitHub Action To Rule Them ALL!
What are GitHub Actions? Automate, customize, and execute your software development workflows right in your repository with GitHub Actions. You can discover, create, and share actions to perform any job you'd like, including CI/CD, and combine actions in a completely...

How to secure git
How can I make git more secure? Git is super powerful. We use git to interact with our most important intellectual property: our source code. For a SaaS provider this source code really is the whole business. If someone steals it, your IP is gone and so, probably...

The Log4J Vulnerability & Log4Shell Incident Explained
What is the Log4J vulnerability? Log4j 2 is an open source Java logging library developed by the Apache Foundation. It is a key building block which is reused to provide logging functionality to help system developers troubleshoot in a large number of applications...

What is a SBOM?
One of my friends messaged me on LinkedIn today and asked "What is this SBOM you keep talking about?" I realized that he's right and I should probably explain what an SBOM is. First, the term refers to a "Software Bill of Materials". An SBOM is a complete inventory...