Authentication and authorization are complicated, and it is risky to try to implement them yourself. Use this rule as a guide to choosing the right service or framework for your situation.
Web security patterns are a lot like fashion trends. What looked sharp ten years ago now feels outdated, and the styles everyone thought would last forever sometimes vanish in a season. Cookies, tokens, proxies, they’ve all had their runway moment.
Let’s take a light-hearted but practical tour of how browser security has evolved - from the early days of cookies, to the heyday of SPAs, to the modern approaches.
Passwords are a traditional technology that creates security vulnerabilities through reuse, breaches, and phishing attacks. Passwords remain a weak point in your security chain.
Passkeys represent the next evolution in authentication, providing phishing-resistant, seamless integration with biometric technology, and passwordless security that's both more secure and more convenient than traditional methods.
Protecting your Remote Desktop connections is crucial in today's cybersecurity landscape. One effective way to enhance security is by using Azure MFA (Multi-Factor Authentication) in conjunction with the Azure MFA NPS (Network Policy Server) extension. This setup ensures that even if an attacker obtains a user's credentials, they still need a second form of authentication to gain access, significantly reducing the risk of unauthorized access.
Do you know who is entering your premises, when, and how? Keys or key-cards can be expensive, they can be lost, and people can loan them to one another without any restriction.
As developers, when we think about security we commonly become fixated on issues in the code, out-of-date software versions, or incorrectly configured firewalls. However, we miss one glaring vulnerability for which there is no patch: users.
Social engineering is a technique which mixes art and science to exploit common human behaviours to compromise information systems. The following is a classic example of social engineering performed over the phone.
The following checklist is a good example of areas to focus on:
There is a more comprehensive list here on GitHub: A practical security guide for web developers.
Did you know that you can stop your users from logging into any of your Azure or Office365 resources based on the location they are in? What about the types of devices that they can connect from or only allowing connections that use MFA? These things are all possible to restrict.
This seriously limits the attack surface and also helps to stop compromised devices and accounts from being used.
Microsoft Defender XDR is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It is managed at https://security.microsoft.com/
In today's complex digital landscape, managing user access to resources can be a daunting task for organizations. Entra Access Packages emerge as a game-changer in this scenario, offering a streamlined and efficient approach to identity and access management.
By bundling related resources into cohesive packages, they simplify the process of granting, reviewing, and revoking access. This not only reduces administrative overhead but also enhances security by ensuring that users have the right permissions at the right time. Furthermore, with built-in automation features like approval workflows and periodic access reviews, organizations can maintain a robust and compliant access governance structure. Adopting Azure Access Packages is a strategic move for businesses aiming to strike a balance between operational efficiency and stringent security.
Leveraging SCIM (System for Cross-domain Identity Management) in conjunction with Entra ID (or whatever Identity provider you use) is crucial for efficient and secure identity synchronization across cloud-based applications and services.
Intune is a Microsoft service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization's devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications.
Ensuring the security of personal data is paramount. However, when breaches occur, it's essential to approach them with understanding and support. This not only fosters trust among staff but also provides valuable insights for proactive security measures.
When using IdentityServer 5 (aka Duende IdentityServer), you don't need to call AddDeveloperSigningCredential() anymore, as a developer signing credential is now enabled by default.
When hackers or security researchers find a vulnerability in your system, they need a way to tell you. If you don't have a security@ email address, they might give up or go public.
Your security@ inbox is your first line of defense.
For better server security (especially on public-facing servers), certain outdated security protocols and ciphers should be disabled.
Passwords are the keys to user accounts. Proper protection transforms them into a form that is useless to attackers, even if the database is compromised. Here is a recipe to secure passwords using hash, salt, and pepper - the essential ingredients for keeping accounts safe.
If you need to remember the password, then a passphrase is best. Preferably it should be made up of 4 random words with a total length of at least 16 characters. Passphrases eliminate the requirement for special characters and are incredibly difficult for a computer to guess.
A strong password would look something like this:
correcthorsebatterystaple
🙂 Figure: OK example - A strong memorable password
However, the best passwords in the world are the ones you can never possibly remember. Computer-generated passwords, with a length of at least 16 characters, offer the most protection. A super strong password looks something like this:
$Jun!ZW@gYS%bmy0($34hYj&8hsgfDF
✅ Figure: Good example - A strong computer-generated password
This is obviously not something you can realistically type in every time you need to use it. Fortunately, the same tools that generate these for us also manage them, storing them securely and automatically entering them into websites and apps for us.
With a password manager, you don't have to remember that strong, unique password for every website. The password manager stores them for you and even helps you generate new, random ones.
The best way to protect your passwords is to never share them. However, in some cases, sharing passwords may be necessary. In these situations, it is essential to follow a strict password sharing procedure to ensure the security of sensitive information. The key to this procedure is having a powerful password manager to be able to share passwords securely and efficiently.
When using service accounts, you should have a specific AD account for each major service.