InSpec - Compliance as code

posted May 1, 2017, 9:57 AM by Chris G   [ updated May 1, 2017, 9:58 AM ]

InSpec is an open-source testing framework for infrastructure with a human-readable language for specifying compliance, security and other policy requirements. When compliance is code, you can integrate automated tests that check for adherence to policy into any stage of your deployment pipeline.

This tool can also be used to validate the deployment of new systems by describing what should/should not be installed. Great stuff!

Salted Password Hashing - Doing it Right

posted Mar 13, 2017, 1:22 PM by Chris G

A very nice article with examples:

Let’s Encrypt: Delivering SSL/TLS Everywhere

posted Nov 19, 2014, 6:15 PM by Chris G

Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open
Arriving Summer 2015

An Introduction to the JS WebCrypto API

posted Oct 29, 2014, 11:44 AM by Chris G   [ updated Oct 29, 2014, 11:45 AM ]

Keeping Secrets with JavaScript - An Introduction to the WebCrypto API

Kippo SSH honeypot

posted Sep 17, 2014, 7:49 PM by Chris G   [ updated Sep 17, 2014, 7:49 PM ]

Kippo is a medium-interaction SSH honeypot designed to log brute-force attacks and, most importantly, the entire shell interaction performed by the attacker.

  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in a UML-compatible format for easy replay with original timings
  • Just like Kojoney, Kippo saves files downloaded with wget for later inspection
  • Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc.

Software required:

  • An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
  • Python 2.5+
  • Twisted 8.0+
  • PyCrypto
  • Zope Interface

Making Sense of Content Security Policy Reports

posted Sep 9, 2014, 12:49 PM by Chris G

Making Sense of CSP Reports - a great article on Yelp Engineering Blog

CSP is Awesome

Content Security Policy isn’t new, but it is so powerful that it still feels like the new hotness. The ability to add a header to HTTP responses that tightens user-agent security rules and reports on violations is really powerful. Don’t want to load scripts from a third-party domain? Set a CSP and don’t. Trouble with mixed content warnings on your HTTPS domain? Set a CSP and let it warn you when users are seeing mixed content. Realistically, adding new security controls to a website and a codebase as large as Yelp needs to be a gradual process. If we apply the new controls all at once, we’ll end up breaking our site in unexpected ways and that’s just not cool. Fortunately, CSP includes a reporting feature – a “lemme know what would happen, but don’t actually do it” mode. By using CSP reporting, Yelp is able to find and fix problems related to new CSP controls before they break our site.

Visualize, monitor, and alert for the win

The Yelp security team is a huge fan of Elasticsearch/Logstash/Kibana. Like we do with pretty much any log, we throw these CSP reports into our ELK cluster and visualize the results.
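The reporting workflow the Yelp post describes, as an added example in Python (this is not Yelp's code and not code from the original post): a report-only header, and a small parser that flattens the JSON bodies browsers POST to a report-uri endpoint into records with stable field names that a log pipeline such as ELK can index, then counts violations per directive and blocked origin so the noisiest offenders surface first. The report bodies are constructed samples; the filter that drops violations caused by browser extensions is an assumption added here, not something the post mentions.

```python
"""Flatten CSP violation reports (the JSON bodies browsers POST to report-uri)
into indexable records and count the top offenders. Example code written for
this page, not Yelp's; all report bodies below are constructed samples."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Report-only mode: the browser evaluates the policy and POSTs violations to
# report-uri but blocks nothing. Rename the header to Content-Security-Policy
# once the reports are clean.
REPORT_ONLY_HEADER = ("Content-Security-Policy-Report-Only",
                      "default-src 'self'; script-src 'self'; report-uri /csp-report")

SAMPLE_REPORTS = [  # constructed, not real traffic
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/biz/cafe",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.widgets.example/embed.js?v=3",
        "source-file": "https://www.example.com/biz/cafe",
        "line-number": 42, "column-number": 17, "status-code": 200}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/biz/cafe",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.widgets.example/embed.js?v=4"}}),
    json.dumps({"csp-report": {  # older browser: no effective-directive
        "document-uri": "https://www.example.com/search?q=pizza",
        "violated-directive": "default-src 'self'",
        "blocked-uri": "inline", "line-number": 7}}),
    json.dumps({"csp-report": {  # injected by a browser extension
        "document-uri": "https://www.example.com/",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js",
        "source-file": "chrome-extension://abcdefghijklmnop/content.js"}}),
    "{not json",
]

# Assumption added here: violations whose source is a browser extension are not
# caused by site code and would only clutter the dashboard.
EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension")


def _origin(uri):
    """scheme://host of a URI so paths and query strings collapse into one
    offender; non-URL values such as 'inline' or 'eval' pass through."""
    parts = urlsplit(uri)
    if parts.scheme and parts.netloc:
        return "%s://%s" % (parts.scheme, parts.netloc)
    return uri or "(empty)"


def parse_report(body):
    """One POSTed body -> flat record with stable keys, or None if malformed."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None
    if not isinstance(report, dict):
        return None
    doc = urlsplit(report.get("document-uri", ""))
    # effective-directive is the directive name; older reports carry only
    # violated-directive, whose first token is that name.
    directive = (report.get("effective-directive")
                 or report.get("violated-directive", "").split(" ")[0])
    return {"document_host": doc.netloc, "document_path": doc.path,
            "directive": directive,
            "blocked": _origin(report.get("blocked-uri", "")),
            "source_file": report.get("source-file", ""),
            "line": report.get("line-number"),
            "column": report.get("column-number")}


def is_extension_noise(record):
    """True when the blocked resource or its source file is a browser extension."""
    return any((record.get(f) or "").startswith(s + ":")
               for f in ("blocked", "source_file") for s in EXTENSION_SCHEMES)


def summarize(bodies):
    """Violations per (directive, blocked origin), skipping malformed bodies and
    extension noise; the top entries are what to fix or allow before enforcing."""
    counts = Counter()
    for body in bodies:
        record = parse_report(body)
        if record is not None and not is_extension_noise(record):
            counts[(record["directive"], record["blocked"])] += 1
    return counts


if __name__ == "__main__":
    for (directive, blocked), n in summarize(SAMPLE_REPORTS).most_common():
        print("%4d  %-12s %s" % (n, directive, blocked))
```

Collapsing blocked URIs to their origin is what makes the counts useful: the two widget reports differ only in a cache-busting query string and show up as one offender with a count of two, which is the signal you act on before switching the header from report-only to enforcing.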

Great overview of the various security initiatives at Google

posted Sep 8, 2014, 2:22 PM by Chris G

Great overview of the various security initiatives at Google: safe browsing, transparency reports, end-to-end (PGP) email encryption, plus lots more... including, of course, progress towards 100% TLS!

P.S. Great tip from the presentation: you can use the Safe Browsing API in your own projects! Docs @

YouTube Video

Google End-To-End Chrome Extension

posted Sep 8, 2014, 2:20 PM by Chris G

End-To-End is a Chrome extension that helps you encrypt, decrypt, digitally sign, and verify signed messages within the browser using OpenPGP.

This is the source code for the alpha release of the End-To-End Chrome extension. It's built upon a newly developed, JavaScript-based crypto library. End-To-End implements the OpenPGP standard, IETF RFC 4880, enabling key generation, encryption, decryption, digital signature, and signature verification. We’re releasing this code to enable community review; it is not yet ready for general use.

For more background, please see our blog post.

Disconnect - Fast. Private. Secure.

posted Sep 4, 2014, 12:40 AM by Chris G   [ updated Sep 4, 2014, 3:27 PM ]

The Internet on your terms

Fast. Private. Secure.

Why Disconnect

You should be in control of your personal info. But these days thousands of companies, governments, and other parties invisibly keep track of your Internet activity. Often, this very personal data is sold or analyzed without your permission. Disconnect reduces your exposure to many threats, including malware, identity theft, and tracking of your search and browsing history. Our software also makes your Internet faster and reduces bandwidth consumption, by blocking tracking requests. We strive to give you the Internet on your terms: fast, private, and secure.

VirusTotal - a free service that analyzes suspicious files

posted Jul 30, 2014, 5:09 PM by Chris G   [ updated Apr 24, 2016, 5:47 PM ]

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
