Dominic Sayers

Pentest jobsworths

Wed, 19 Jun 2024 08:00:00 +0000

One of our apps has been pentested by our client’s infosec provider and the results are … less than useful.

The so-called pentest appears to have been a scripted nmap (of CloudFront!) and a scripted poke around the HTTP headers returned by the CloudFront server fronting the React app. I hope the client didn’t pay very much for a check I could have run in 5 minutes for them.

Anyway, one of the findings is that you can see from the HTTP header “Server” that the service is delivered by CloudFront and that’s apparently a problem. Because an attacker could target their attacks based on known CloudFront vulnerabilities, I guess.

This is bullshit because there are many other ways to detect a CloudFront service and changing the Server header achieves absolutely nothing. Except one thing: “look we’re doing something about security”. The client is a corporate and there are literally teams of people being paid salaries to generate, manage and document this bullshit.

In the meantime there is genuine, well-known and actionable technical debt that we could be addressing except for the maintenance budget being used up by this box-checking crap.

Here’s my response to the ticket. I don’t use the word “futile” very often in Jira.

Background

I believe this finding is about the HTTP header “Server”, which in the case of our app returns

Server: CloudFront

Although the finding mentions port 80 (HTTP) this is also true for port 443 (HTTPS) requests.

This Server header is returned whichever URL is used for either of the apps in production.

Options

The Server header cannot be removed entirely with CloudFront.
The Server header could be set to an arbitrary string such as “Undisclosed”

Other remarks

CloudFront sets several other headers which identify the service’s origins as follows:

X-Cache: this header is set to indicate whether the page was served from CloudFront’s cache and always includes the word “CloudFront”. It cannot be user-configured and is always present.
Via: this header is set to indicate which of CloudFront’s CDN servers actually served the page. It always includes the word “CloudFront” and cannot be user-configured
X-Amz-Cf-Id , X-Amz-Cf-Pop and X-Amz-Server-Side-Encryption: the names of these headers indicate an Amazon AWS source for the page. They are not configurable.
The IP addresses of CloudFront’s global PoPs are well known and would reliably indicate the page has been served by CloudFront in the absence of any headers.

The reasoning behind this finding is that allowing an attacker to know which type of server serves the web page could steer them towards known vulnerabilities in that engine. In the case of CloudFront it is not possible to conceal the type of server since headers other than “Server” also identify the page’s origin.

It is therefore futile to change the “Server” header to an arbitrary string as there are other ways to determine that the page is served by CloudFront.

We rely on AWS CloudFront to securely serve the React app and this is true whether or not it is identifiable as the origin. CloudFront does not serve the app’s data which comes entirely from the back end service.

If it helps you in any way to change the Server header to an arbitrary string then we can do this but all non-default configuration options carry with them the minor risk that they are less well understood and less widely tested than default configuration options.

No-fuss wholemeal sourdough

Sun, 11 Feb 2024 07:00:00 +0000

A wholemeal loaf with the minimum of process and no manual kneading

Like everyone else I started baking with sourdough in lockdown. I stopped when my starter died while we were on holiday in Crete. It didn’t come with us, I just left it out in a hot summer kitchen for two weeks and it asphyxiated like a dog in a hot car. Now I keep a batch of sourdough starter frozen in the oven in case of similar mishaps. I’ve never tried it but my mum reckons it will spring to life when defrosted, as if nothing had happened.

This is one of those recipes that seems more complicated when you write it down than it is when you do it. Especially if you do it regularly, when it becomes second nature. If it doesn’t work first time there’s a reason for it, so just try something slightly different next time.

The fermenting of the dough and the initial creation of the levain take a long and unpredictable time. The worst case scenario is that it’s ready for the next step at 4 o’clock in the morning and you’re sound asleep. By the time you wake up it’s over-proved and useless. Don’t panic. You can stop the clock by putting it in the fridge. In the morning just take it out and leave it to come up to room temperature, then the fermentation will start again.

The loaf in this recipe isn’t my best work. I’m sharing it in a spirit of have-a-go and don’t worry too much about the result. Sourdough bread always tastes great even if it hasn’t quite worked. This loaf disappeared very quickly.

Slow-cooked glazed pork belly Korean style

Tue, 30 Jan 2024 07:00:00 +0000

A rich dish of twice-cooked pork belly in a spicy sauce.

I served this at my 60th birthday party dinner and it all got eaten. Maybe I didn’t cook enough, or maybe it was so delicious people couldn’t bear to leave any. Who knows.

The point about it is that the pork belly is cooked twice. Once in a slow cooker to render the fat and make it tender enough to fall apart. Then it is glazed and roasted to add yet more flavour.

There are a lot of ingredients; most of them are optional. This is just a record of how I did it on one occasion. You do you.

Nursery Spaghetti Bolognese

Sun, 28 Jan 2024 07:00:00 +0000

This is how I make spag bol for my kids, who are slightly fussy eaters

This works without the meat as a pasta sauce or as pizza topping.

My sister’s children eat healthy Mediterranean food with relish. My own children refused to eat anything with visible ingredients. The worst thing you can give them is food that “pops” in your mouth like peas, beans or onion pieces.

So in order to get them to eat a spag bol it was necessary to remove any visible obstacles. Hence my “nursery” spag bol, which is a delicious full-flavoured sauce with no hurdles to tea-time consumption.

Choosing an open source component

Tue, 11 Jan 2022 08:00:00 +0000

Before I approve the use of an open source component in one of my projects, there are some simple checks I ask the team to do before we use it. Below are the checks we do - you may have others, in which case I’d love to hear about them. Hit me up in the comments or on social media.

I’m writing this in the week that the maintainer of two widely-used Node packages deliberately sabotaged his own code to make some kind of point, causing problems for many other projects.

It’s a living example of the fragility expressed in this famous XKCD cartoon:

License

Open source licensing is often straightforward but can occasionally get a bit complicated and you need to assure yourself that the license under which the component is published is compatible with how you intend to use it.

If you’re making some commercial software and incorporating open source components in it then this should be part of your due diligence before you sell your software or a service based on it.

Most open source software is compatible with a commercial project although you may have to credit the authors and make a copyright declaration in your code and in your app. I won’t discuss individual licenses here and any further details are beyond the scope of this piece.

Security

Any manifest security issues are a red flag - you should not use a component if it has security issues.

Unresolved vulnerabilities: check for outstanding CVE records. It’s OK for a component to have had vulnerabilities in previous versions but not in the current version, especially if the vulnerability has been known about for a long time.

Project health

Open source software is safe and secure so long as there are many eyes reviewing the code and a body of contributors who actively address issues. This can be assessed by reviewing the project’s source code home page, often on GitHub or GitLab.

Unmerged PRs: lots of unmerged changes submitted by potential contributors is a sign that the project is not really active from the maintainer’s point of view
Open issues: lots of unanswered questions and issues is a sign that the maintainers are not giving the project as much attention as it needs
Recent commits: a lack of recent commits may mean the project is end-of-life.
Number of contributors: a one-person project has two problems, a lack of eyes on the code to spot vulnerabilities and a single point of failure for the project’s lifecycle. If the central person abandons the project it dies.

Contributor background

Basic profiling: More of a feeling than a rule, but for instance a sudden influx of contributors from one country may be a sign of inappropriate activity. On the other hand it might just reflect a new trend in that country’s engineering community. But beware.

Project gatekeepers

Recent change of maintainer: there have been examples of respectable projects turning into malware when a maintainer hands over the reins to somebody else. Something to check.

Users

Public sector users: if this open source project is used by public sector bodies they may have done some due diligence of their own. On the other hand they may not.
Major corporate users: it’s dangerous to assume that major corporates would always do due diligence before using an open source component, but it’s reassuring nonetheless to see a component in widespread corporate use.
Domicile of significant users: if a piece of open source software is used exclusively or for the most part by people or organizations from a country where you would not wish to do business, that may be a warning sign.

Code reviews commit-by-commit

Tue, 26 Oct 2021 07:00:00 +0000

Here’s how I approach a code review for a merge request (or pull request if you’re using GitHub). It’s a general approach, not language-specific. I’d really like to improve my process so if you have any thoughts or tips please let me know.

This is a rough draft and needs tightening up and refactoring. I hope it makes some sort of sense as it is.

Bibliography

On reviewing:

Guidelines on code review - Thoughtbot
Derek Prior video - worth 30 mins of your time

We’re looking for merge requests that use git sensibly to present a change in a way that helps us understand it. I’ve found these articles helpful to know what good looks like in this respect:

Telling stories through your commits - Joel Chippindale
A Note About Git Commit Messages - Tim Pope
My favourite Git commit - Dave Thompson
A Branch in Time (a story about revision histories) - Tekin Suleyman

Not included

I’m assuming the build process includes

automated checks for code quality
running the test suite
checking for known security issues like vulnerabilities in 3rd party components

If not then you should put these in place. It’s not a good use of human time to do these things manually.

Getting started

1. Read the merge request overview

Do you understand the overall change that is being made, and the approach taken?
Why was the change necessary?

2. Review each commit individually (see below for how I do this)

Click the Commits tab, then ⌘-click each commit description.
This will open a new browser tab for each commit (which I find useful).
Review the commit in isolation.
If you’re 💯 sure the commit is fine, close the tab.

4. Go back and re-review any commits you didn’t fully understand on the first pass

Maybe now you’ve been through the whole code change they might make more sense.

5. Add any final comments and questions on the code

Click Submit review in any of the open tabs and add your summary thoughts

Reviewing a commit

1. Read the commit message

Do you understand the change that is being made?
Do you understand the reason for the change and the approach taken?

2. Ask yourself these questions

Has the submitter taken steps to make the review process easy for you?
Is the commit the embodiment of a single intention?
Is it comprised of the minimum code change necessary to implement that intention?
If the submitter is making you work harder than you need to then say so. Cognitive overhead is a big drain on team time.

3. Are there any code changes in the commit that are not necessary for what is described in the commit message?

Maybe they should be in a separate commit (e.g. whitespace changes, code reformatting, etc.)

4. Would the specs pass after this commit?

This is not a hard-and-fast rule, but ideally each commit would take a step forward without breaking any specs.
Any necessary spec changes should be in that same commit.

5. If you don’t fully understand the change then it’s useful to ask a question in the merge request

Others will certainly have the same question so ask it where everybody can see it.
If you think it’s a naïve question that’s OK - stupid questions should be encouraged in your team. If they aren’t then you’re working in a poisonous environment and you should get out!

6. Answers to questions should go in a commit message

The submitter will be tempted to answer your question in the merge request web page because that’s easier
Make sure any useful information is added to the commit message then it’s in the git log for posterity.
The merge request is ephemeral, the git log is permanent.
Others in the future will undoubtedly have the same question.

7. For legacy codebases, consider this

You may have a list of known exceptions to the static code quality checks because the legacy code is rubbish
For example, in Ruby using Rubocop this would be in .rubocop_todo.yml
Check that none of these exceptions have been fixed by this merge request, otherwise your legacy list will get out of date and be utterly useless.

8. Credit where it’s due

If you see something doubleplusgood, say so.

Should I approve the merge request?

Yes, unless there is a reason not to.

A no-effort white loaf using a Kenwood Chef

Wed, 27 May 2020 07:00:00 +0000

This is how I make an easy and quick white loaf using my kitchen mixer. It’s trouble-free and reliable and a great time-saver.

I mentioned my Kenwood Chef by name because I know it works. Your mixer may be just as good so long as it has a dough hook.

There are longish gaps in this recipe while we wait for things to happen, like the yeast activating or the dough rising. You will find yourself with a spare egg yolk if you use the egg white I suggest in the ingredients. I now whip up a bowl of fresh mayonnaise with the egg yolk while I’m waiting for the next step in this recipe. I would never have learned how to make my own fresh mayonnaise had I not started baking bread with this recipe. By far the hardest work with this bread recipe is whisking the mayonnaise while you wait.

Here are the detailed steps. I’ve made each one easy and unambiguous, I hope.

The future is bleak

Thu, 21 Jun 2018 12:00:00 +0000

Sorry if this is obvious or trite but the problem isn’t Trump or Jacob Rees-Mogg, it’s that they are massively popular.

Slightly more than half the people in the world seem to think that identity is the most important thing to them.

Being part of a tribe and seeing that tribe victorious over its enemies is more important than overall prosperity.

This is the behaviour common to the Inter-City Firm in the 1980s, the Burundi Civil War in the 1990s, the Tea Party in the 2000s, UKIP, Gamergate and balkanisation in general.

Two generations or more of liberal education in the UK and the US have not produced an electorate rational enough to prevent Trump or Brexit. Identity politics is majority politics.

Two things have helped reinvigorate it after decades of being a minority passtime:

The time that has elapsed since the failure of Western fascism in 1945 has removed it as a visceral shame. It’s just history now. The people who remember it are mostly dead.
Climate change and disastrous Western intervention in north African states, the Middle East and, earlier, in Central and South America has led to massive population movements. Millions of people are fleeing death and poverty and arriving at the borders of the West.

I’m not aware of any society in history that has prevented mass migration. Borders are large, migrants are many and the cost of turning an entire country into a fortress has always been unsustainable.

So it’s an easy sell. Strangers are at our gates and they are scary. The thought speaks to our irrational mind and triggers atavistic fears.

A compelling simple message will always win against a complex one, and if you aren’t bothered about the truth then you can make your message really compelling.

Fascism was suppressed in the West after the Second World War for a few decades but in Soviet Russia, the Far East and South America authoritarian regimes drew their support from somewhere. Those regimes were (and in some cases still are) well-supported by their people.

Today’s best case scenario is that Democrats get working majorities in November, and that Brexit is mitigated a bit. That’s the best case. It still leaves the far-right in power in Hungary, Poland, Italy and Turkey and fascists on the march in Germany and France.

Liberal education has failed to produce a rational population.
The migrants won’t go away in our generation.
A majority of people can be made to believe their identity is under threat, and that is the most important thing to them.

It’s a bleak outlook.

I’m not sure what can be done but signing petitions isn’t it.

Education and rational suasion isn’t it; the simpler lie will win. Truth is powerless.

It needs to be direct action of some sort, on a massive scale. Fascism has to be tainted with losing, like it was in 1945.

That will only suppress it for a while; our children will have to do it all over again. But this time it’s our turn. Suit up.

Chocolate Mousse

Tue, 16 May 2017 07:00:00 +0000

This recipe is from our friends the Poggios. We first ate it at their house and when they came to dinner we insisted they brought chocolate mousse with them.

It is extremely chocolately.

Using Jekyll to markup a recipe

Mon, 15 May 2017 16:00:00 +0000

I wanted to share my no-weighing flapjack recipe with the world so I added a post last month.

Before I published it I researched how to mark up the HTML so that Google knew it was a recipe rather than just a bit of text. Turns out there’s a reasonably mature markup schema that Google uses to show recipes differently in its search results.

Here’s how my recipe looks on Google:

As you can see, Google shows the preparation time as well as the calorific content and the star rating. This is because the post I created has the proper markup for a recipe.

I wanted to be able to do this easily for any other recipes I posted in the future, so I created a template that ensures that all the recipe elements are marked up correctly.

To add a recipe using this template, the recipe elements (ingredients and method for example) need to be added to the page as Front Matter (YAML) rather than just text.

I tried to make this easy and human-readable. Here’s the flapjack recipe as data:

---
ingredients:
  porridge oats: 1kg
  condensed milk: 400g
  soft brown sugar: 500g
  butter: 500g
instructions:
  - Preheat the oven to 150C fan.
  - Line a large baking tin with baking parchment (my tin measures 39cm x 26cm).
  - Melt the butter and sugar in a large pan over a low heat. Don't cook the butter, just warm it enough to melt it.
  - Remove the pan from the heat and stir in the condensed milk.
  - Mix in the oats until well coated by the mixture.
  - Pour into the baking tin and smooth out with the back of a large spoon.
  - Cook for about 15-20 minutes. When the flapjack starts to brown around the edges of the tin, take it out of the oven - it should still be relatively pale in the middle.
  - Leave to cool for a few minutes before cutting into pieces.
calories: 10547
prepmins: 20
cookmins: 15
layout: recipe
title: Moist flapjack with condensed milk
date: 2017-04-21 08:00:00 +0100
image: flapjack.jpg
thumbnail: flapjack.jpg
tags:
  - featured
  - recipe
---
This recipe makes enough flapjack for two hungry children for several weeks of school lunches.

To translate this front matter into HTML I created a simple layout. You should be able to adapt this for your own recipes.

<!-- recipe post-content -->
<div class="post-content">
  <div class="post-reading">
    <span class="post-reading-time"></span> read
  </div>

  <!-- ingredients -->
  <div>
    <h3>Ingredients</h3>
     <ul>
        {% for ingredient in page.ingredients %}
        <li itemprop="ingredients">{{ ingredient[1] }} {{ ingredient[0] }}</li>
        {% endfor %}
     </ul>
  </div>
  <!-- ingredients -->

  {{content}}

  <!-- instructions -->
  <div itemprop="recipeInstructions">
    <h3>Instructions</h3>
    <ol>
      <li>{{ page.instructions | join: '</li> <li>' }}</li>
    </ol>
  </div>
  <!-- instructions -->
</div>

{% if page.prepmins or page.cookmins %}
  <dl class="dl-horizontal">
    {% if page.prepmins %}<dt>Preparation time</dt><dd>{{ page.prepmins }} mins<span itemprop="prepTime" class="invisible">PT{{ page.prepmins }}M</span></dd>{% endif %}
    {% if page.cookmins %}<dt>Cooking time</dt><dd>{{ page.cookmins }} mins<span itemprop="cookTime" class="invisible">PT{{ page.cookmins }}M</span></dd>{% endif %}
  </dl>
{% endif %}

<p class="invisible" itemprop="description">{{ page.excerpt | strip_html | strip_newlines | truncate: 200 }}</p>
<p class="invisible" itemprop="nutrition" itemscope itemtype="http://schema.org/NutritionInformation"><span itemprop="calories">{{ page.calories | default: 2 }}</span></p>
<p class="invisible" itemprop="aggregateRating" itemscope itemtype="http://schema.org/AggregateRating"><span itemprop="ratingValue">5</span><span itemprop="reviewCount">1</span></p>
<!-- recipe post-content -->

Boom! Now I can add recipes easily and quickly.