Archive for September, 2017

Holistic Info-Sec for Web Developers F1: Content Complete

September 12, 2017


Fascicle 1 is now content complete, weighing in at approximately 550 pages including Additional Resources and Attributions.

  • Added links to Network Security Interview between Kim Carter and Haroon Meer on Software Engineering Radio … to be released in a day or two
  • Updated threat tags
  • Code formatting changes
  • Punctuation modifications


Ready for technical review. Strong focus on AWS, although other CSPs are discussed.
50 pages of content added:

  • Shared Responsibility Model: CSP Responsibility, CSP Customer Responsibility
  • CSP Evaluation
  • Cloud Service Provider vs In-house
    • Skills
    • EULA
    • Giving up Secrets
    • Location of Data
    • Vendor lock-in
    • Possible Single Points of Failure
  • People Sec
  • App Sec
  • Net Sec
  • Violations of Least Privilege
  • Storage of Secrets
    • Private Key Abuse: SSH, TLS
    • Credentials and Other Secrets
      • Entered by People
      • Entered by Software: HashiCorp Vault, Docker secrets, Ansible Vault, AWS Key Management Service and Parameter Store
  • Serverless
    • Third Party Services
    • Perimeterless
    • Functions
    • DoS of Lambda Functions
  • Infrastructure and Configuration Management

Web Applications

  • Updated OWASP Top 10 resources to 2017
  • Added AWS WAF

Additional Resources

  • Getting Secrets out of Docker images
  • Password Managers For Business Use
  • Many tooling options covered


  • Thinkst tools (Canary tools and tokens)
  • DropboxC2C for Data Exfiltration, Infiltration
  • Hosting providers forced to give up customer secrets
  • Software Engineering Radio show on Network Security with host: Kim Carter, guest: Haroon Meer
  • Docker Image layers
  • AWS Lambda

Many other attributions added

Holistic Info-Sec for Web Developers (F1)(VPS, Network, Cloud, Web Applications)