I’m Nick, an information security consultant, a public speaker, a trainer, a sometimes software developer, and - most important of all - a dad and husband. Read more about me…
This blog is updated now and again with talks I’ve given, thoughts I’ve had, and things I hope others can learn from.
I’ve just come back from OWASP NZ Day 2020, held at Auckland University this February. As well as seeing some excellent presentations I was also able to present a talk on how developers can store their users’ passwords safely.
Every time a website gets breached you hope to hear “your password was salted and hashed” instead of “your passwords were stored in plain text” - but what does that actually mean, and why is it a good thing?
Wash your hands, don your apron, and join me for as we follow the recipe for storing passwords safely. We’ll learn a bit about cryptography and one-way functions (that’s the hash!), how to source good ingredients (bcrypt, scrypt, argon, oh my!), why adding a pinch of salt helps, how many times must we stir the mix, and what happens if we miss a step? In the face of an attacker, will our delicious password loaf rise to the occasion, or will it fall flat in disappointment and despair?!
You can flick through the slides here: https://www.slideshare.net/NickMalcolm/a-recipe-for-password-storage-add-salt-to-taste
I’ll update this post once the MP3 recording, and links to other great talks from the conference, become available.
This post was first published on aurainfosec.com.
Technology managers and business owners understand that they are kaitiaki, or guardians, of their organisation and customer data and that they must take steps to safeguard it. This responsibility is heightened during projects which change the way we interact with or store data – whether it’s creating a new website on AWS, lifting-and-shifting a legacy application to Azure, or switching from on-premise office to Office365. There is a perception that security is hard or requires expertise, so it’s easier to ignore it until the end of the project, but this line of thinking is letting the perfect be the enemy of the good. There can be a middle ground!
There are three straightforward teams can take to deliver a secure solution that your customers can trust. First, think about what could go wrong; second, leverage the tools, frameworks, and knowledge which already exists; and third, verify before go-live.
What actually is OWASP?
For many development teams, OWASP is the go-to resource when starting to think about security. Usually we look at the “OWASP Top 10” (or say we do…) but there is much more to OWASP than that.
OWASP is the Open Web Application Security Project, or - more accurately - coming up on a hundred projects. These range from mature “Flagship” projects to up-and-coming “Lab” and “Incubator” projects, amongst a field of old and unloved wiki pages. Even though you see company policies issuing commandments to “follow the OWASP standards”, only a handful of them could be interpreted as “standards” or “guidelines”. So where to start, if you’re looking to get some good security guidance?
This post is going to provide what I consider the Top 5 OWASP Projects. We’ll answer two simple questions - what is it, and when’s the best time to use it.
Showing the latest 3 posts. Read older posts…