security posts

Oracle Wallets for credential storage

6 minutes to read
Sunday, 6th of February 2022
- security
- automation
- databases
- access control
- web

If you're developing for the web (or something else) and you need to connect to an Oracle database, such as an Oracle Autonomous Database that comes for free with oracle cloud free tier, you may run to the typical problem of storing db connection credentials in configuration files and scripts. Nevertheless, Oracle has, since ages, a functionality called Oracle Wallet that can help you manage these connections more securely. Keep in mind that Oracle migrates away from Wallets, but my understanding is that this is a response to usability concerns, as the security standard is not maintained in the new set-up.

Vulnerability and Patch management

5 minutes to read
Sunday, 14th of February 2021

During the last 3 months I got more times than expected in discussions about patch and vulnerability management. I need to say, there is much misunderstanding going around about these two processes; so much that I could argue that several organizations are exposing themselves significantly, just because the touch points and (lack of) dependencies in these two processes are not clear.

Networking concerns in virtual environments

2 minutes to read
Thursday, 2nd of April 2020

Some months ago I bought a desktop system. I hadn't had one for years, but a very strange and unexpected need came up; I wanted to play games with my son who lives in Greece, in an attempt to spend a bit more time with him, even virtually. I bought and built a desktop system based on AMD's excellent Ryzen line, but that's for another time. On that computer, and as it would be used predominantly for games, I installed MS Windows. That is another thing that hadn't happened in my household for decades!

SSL certificate revocation gotchas

2 minutes to read
Wednesday, 4th of March 2020
- web
- security

As you may have heard, Let's Encrypt revoked several certificates today that were issued through a faulty process. Read on for the details, and on how to identify the revoked certificates themselves.

What to do with the center of security?

7 minutes to read
Monday, 17th of June 2019

Some years ago, during a (quite extended) phishing avalanche in the company I was at the time, the (then) CIO said: Let's fire every user that falls for a phishing mail! That will solve the problem for good. I considered it a joke, and I replied pretty much with a rhyme: Let's train them before we blame them and I didn't give it a second throught. We went on to deploy some training modules, but never really implemented the technical controls on the mail server; an activity that if had been implemented, several of those phishing mails would never have entered the company. I think that this is not strictly a user failure and I'm inclined to blame the IT deparment more than the user.

Fighting bias in security analysis

8 minutes to read
Tuesday, 19th of March 2019

I am a huge fan of automation; I strongly believe that automation, machine learning and / or artificial intelligence (whatever these terms mean for different people) are our best chance to tackle one of the biggest problems we have in the cyber security industry: the human limitations.

What do you think this is?

Recent Posts