Security


Learn more about Metal Toad's best practices around security by browsing the following articles. From AWS to Drupal we've got configuration and code covered.

  • The Cloud is More Secure Than Your Facility

    A recent article in the Wall Street Journal ominously titled Capital One Breach Casts Shadow Over Cloud Security, veers dangerously close to blaming an internal company error at Cap

  • Your Serverless Function has a Secret

    Your Serverless function has a secret... maybe it's a password for a remote API, a private key, or signing certificate. These secrets have to be stored somewhere, and in the old days that usually meant just a plaintext config file on your server.

  • Origin Protection with AWS WAF & Shield

    Amazon has been steadily improving their CloudFront CDN offering with WAF (Web Application Firewall) capabilities. This is a great feature, however it's ineffective if origin servers can be attacked directly, bypassing CloudFront. With a little extra work, access to the origin can be restricted. The solution is to add a secret header value at the edge, and configure the load balancer to block requests that are missing this secret. This is necessary because CloudFront distributions are not associated with security groups, nor are fixed IPs available (unlike higher-priced competitors like Kona Site Shield).

  • Best Practices For a Secure Cloud Part 1

    Whether you're running an on-premises datacenter or using a private or public IaaS (Infrastructure as a Service) hosting platform, security is extremely important. We've all seen the horror stories in the news when companies experience data security breaches.

  • Anatomy of a Drupalgeddon attack

    Before working at Metal Toad, I saw an email from Acquia. A strange email. It went something like this: On October 15th, we will be addressing a security concern at 9:00 am.

  • OAuth 2.0 and OpenID Connect: Now What?

    A former Toad recently asked my opinion about this article: OAuth 2.0 and the Road to Hell. The question is well-timed: I'm in the middle of a big OpenID Connect / OAuth 2 implementation.

  • Simple password grants with OAuth 2.0 and Drupal

    Like many Drupal developers, we have become big fans of decoupled front-ends using Drupal as a RESTful backend (a.k.a. "headless" Drupal). The myriad of authorization options can be confusing, however. We've settled on OAuth 2.0 for most situations. When OAuth is brought up, many people will think of the single-sign-on flow in a browser, with the associated redirects and permission dialogs. This flow is widely used, but not always a good fit for first-party applications, or machine-to-machine API interactions.

  • Evolution of the Custom Cloud: Part 1 "Architecting the Cloud"

    Last year Metal Toad launched its Custom Cloud Service. Since then, our Custom Cloud Architecture has evolved to handle the increased complexity and security requirements of our clients' cloud applications.

  • Providing Time for Employees to Change Their Passwords

    With the highly publicized Heartbleed vulnerability this week, a vulnerability in the core of internet security has been exposed.

  • ToadCast 008 - Just use a password manager

    We are back! In ToadCast 008, I was joined by Jonathan Jordan to discuss password security, programmer mentality and philosophy, and more!

  • How to talk to your customers about Drupal Security updates

    With the recent release of versions 7.2 and 6.22, a significant Drupal security flaw in 6.x has been identified and fixed. While I feel strongly that this illustrates the value of Drupal and Open Source, it can be a significant challenge to talk to your customers about this. Here's the email that we drafted up and shared with our customers (please feel free to use it, rewrite and share if it proves useful)...

  • New York Times Claims HTML5 is a "Pandora's Box" of Privacy Risks

    Alarmist rhetoric from news organizations about the web is nothing new, but today's front-page headline on the New York Times still caught my eye: "Web Code Offers New Ways to See What Users do Online." I

  • URL Shorteners Must Die

    URL shorteners (such as bit.ly and tinyurl) have been called the "herpes of the web". Beyond just link-rot, a public shortening service is per se an open redirect vulnerability. Their ubiquity makes them an easy vector for spammers, phishers, and cross-site forgery attacks. Joshua Schachter writes: "With a shortening service, you're adding something that acts like a third DNS resolver, except one that is assembled out of unvetted PHP and MySQL, without the benevolent oversight of luminaries like Dan Kaminsky and St. Postel." Luckily, you don't have to contribute to this scourge.

  • Using JSONP Safely

    JSONP is a way to make cross-domain requests through JavaScript. It takes advantage of a loophole in the browser's same-origin policy: <script src="https://anywhere.com/data.jsonp"></script> tags are allowed to load files from any domain. This differs from normal AJAX requests, which are only allowed to make requests to the same domain as the page you are viewing. Unfortunately, many guides to implementing this technique in PHP contain a dangerous security flaw. Can you spot it?

  • Running Drupal Secure Pages behind a proxy

    If you plan to use the securepages module behind a proxy that terminates SSL, there are some additional server configuration steps you need to take. In order to detect which protocol is in use, securepages tests the value of...

  • With Drupal+Ubercart, be wary of alternative payment gateways

    If you are using Ubercart to do ecommerce with Drupal, be sure to use one of the mainstream payment gateways: Authorize.net or PayPal.

  • How to Select a Good Drupal Development Shop: Trust, UX & Security

    If you are in the market for Drupal development, you may feel like you are trying to pick a car mechanic without knowing anything about cars. Like picking a mechanic, you often have to go on how you feel about the vendor. You should listen to what they say and how they say it, carefully considering how that makes you feel.

  • Dylan Wilder-Tack, Drupal Security Team Member

    When discussing the benefits of open-source frameworks (especially Drupal), I've often heard, "But if everyone has access to the source code, how secure can it possibly be?" My standard response would be to discuss the platform's maturity and how it's been hardened by years of real-world use.

  • Authorize.net is deprecating their SSL 2.0 Protocol

    I recently received email notification that Authorize.net will be deprecating their SSL 2.0 Protocol the week of March 16 - 20, 2009. All of our Authorize.net ecommerce development was done using the 3.0 version, even going back a few years, so it's been around a while. However, don't be surprised when ecommerce sites (especially old ones) stop accepting transactions in the middle of March.
