Learn more about Metal Toad's best practices around security by browsing the following articles. From AWS to Drupal we've got configuration and code covered.
-
What is AWS CloudTrail
AWS CloudTrail provides a record of all API calls made within an AWS account.
-
The Cybersecurity threat from Russia
On Thursday, February 24, 2022, Russia invaded the sovereign nation of Ukraine. Immediately after, in a speech, President Biden said the following:
-
How to avoid malware
The SUNBURST malware, likely of Russian origin, was a remarkable and devastating breach of cybersecurity. The data gathered will likely advantage the hackers and their government for years to come.
-
The Cloud is More Secure Than Your Facility
A recent article in the Wall Street Journal ominously titled Capital One Breach Casts Shadow Over Cloud Security, veers dangerously close to blaming an internal company error at Cap
-
Your Serverless Function has a Secret
Your serverless function has a secret... maybe it's a password for a remote API, a private key, or signing certificate. These secrets have to be stored somewhere, and in the old days that usually meant just a plaintext config file on your server.
-
Origin Protection with AWS WAF & Shield
Amazon has been steadily improving their CloudFront CDN offering with WAF (Web Application Firewall) capabilities. This is a great feature, however it's ineffective if origin servers can be attacked directly, bypassing CloudFront. With a little extra work, access to the origin can be restricted. The solution is to add a secret header value at the edge, and configure the load balancer to block requests that are missing this secret. This is necessary because CloudFront distributions are not associated with security groups, nor are fixed IPs available (unlike higher-priced competitors like Kona Site Shield).
-
Best Practices For a Secure Cloud Part 1
Whether you're running an on-premises datacenter or using a private or public IaaS (Infrastructure as a Service) hosting platform, security is extremely important. We've all seen the horror stories in the news when companies experience data security breaches.
-
Anatomy of a Drupalgeddon attack
Before working at Metal Toad, I saw an email from Acquia. A strange email. It went something like this: On October 15th, we will be addressing a security concern at 9:00 am.
-
OAuth 2.0 and OpenID Connect: Now What?
A former Toad recently asked my opinion about this article: "OAuth 2.0 and the Road to Hell". The question is well-timed: I'm in the middle of a big OpenID Connect / OAuth 2 implementation.
-
Simple password grants with OAuth 2.0 and Drupal
Like many Drupal developers, we have become big fans of decoupled front-ends using Drupal as a RESTful backend (a.k.a. "headless" Drupal). The myriad of authorization options can be confusing, however. We've settled on OAuth 2.0 for most situations. When OAuth is brought up, many people will think of the single-sign-on flow in a browser, with the associated redirects and permission dialogs. This flow is widely used, but not always a good fit for first-party applications, or machine-to-machine API interactions.
-
Evolution of the Custom Cloud: Part 1 "Architecting the Cloud"
Last year Metal Toad launched its Custom Cloud Service. Since then, our Custom Cloud Architecture has evolved to handle the increased complexity and security requirements of our clients' cloud applications.
-
Providing Time for Employees to Change Their Passwords
With the highly publicized Heartbleed vulnerability this week, a vulnerability in the core of internet security has been exposed.
-
ToadCast 008 - Just use a password manager
We are back! In ToadCast 008, I was joined by Jonathan Jordan to discuss password security, programmer mentality and philosophy, and more!
-
How to talk to your customers about Drupal Security updates
With the recent release of versions 7.2 and 6.22, a significant Drupal security flaw in 6.x has been identified and fixed. While I feel strongly that this illustrates the value of Drupal and Open Source, it can be a significant challenge to talk to your customers about this. Here's the email that we drafted up and shared with our customers (please feel free to use it, rewrite it and share it if it proves useful)...
-
New York Times Claims HTML5 is a "Pandora's Box" of Privacy Risks
Alarmist rhetoric from news organizations about the web is nothing new, but today's front-page headline on the New York Times still caught my eye: "Web Code Offers New Ways to See What Users do Online." I
-
URL Shorteners Must Die
URL shorteners (such as bit.ly and tinyurl) have been called the "herpes of the web". Beyond just link-rot, a public shortening service is per se an open redirect vulnerability. Their ubiquity makes them an easy vector for spammers, phishers, and cross-site forgery attacks. Joshua Schachter writes: With a shortening service, you're adding something that acts like a third DNS resolver, except one that is assembled out of unvetted PHP and MySQL, without the benevolent oversight of luminaries like Dan Kaminsky and St. Postel. Luckily, you don't have to contribute to this scourge.
-
Using JSONP Safely
JSONP is a way to make cross-domain requests through javascript. It takes advantage of a loophole in the browser's same-origin policy: <script src="https://anywhere.com/data.jsonp"></script> tags are allowed to load files from any domain. This differs from normal AJAX requests, which are only allowed to make requests to the same domain as the page you are viewing. Unfortunately, many guides to implementing this technique in PHP contain a dangerous security flaw. Can you spot it?
-
Running Drupal Secure Pages behind a proxy
If you plan to use the securepages module behind a proxy that terminates SSL, there are some additional server configuration steps you need to take. In order to detect what the protocol is in use, securepages tests the value of...
-
With Drupal+Ubercart, be wary of alternative payment gateways
If you are using Ubercart to do ecommerce with Drupal, be sure to use one of the mainstream payment gateways: Authorize.net or PayPal.
-
How to Select a Good Drupal Development Shop: Trust, UX & Security
If you are in the market for Drupal development, you may feel like you are trying to pick a car mechanic without knowing anything about cars. Like picking a mechanic, you often have to go on how you feel about the vendor. You should listen to what they say, and how they say it - carefully considering how that makes you feel.
-
Dylan Wilder-Tack, Drupal Security Team Member
When discussing the benefits of open-source frameworks (especially Drupal), I've often heard, "But if everyone has access to the source code, how secure can it possibly be?" My standard response would be to discuss the platform's maturity and how it's been hardened by years of real-world use.
-
Authorize.net is deprecating their SSL 2.0 Protocol
I recently received email notification that Authorize.net will be deprecating their SSL 2.0 Protocol the week of March 16 - 20, 2009. All of our Authorize.net ecommerce development was done using the 3.0 version, even going back a few years, so it's been around a while. However, don't be surprised when ecommerce sites (especially old ones) stop accepting transactions in the middle of March.