Welcome to a curated list of handpicked free online resources related to IT, cloud, Big Data, programming languages and DevOps: fresh news and a community-maintained list of links, updated daily.

Microsoft says it's just too difficult to effectively disrupt ransomware

Tags cio infosec cloud miscellaneous

The company details its new approach to combating cyber crime as the underground industry drains $6 trillion from the global economy. By Connor Jones.

A leading Microsoft security executive said the efforts of law enforcement to shut down ransomware operations aren’t enough to provide a meaningful deterrent.

“The problem with the efforts by law enforcement globally to try to address ransomware is that the challenges of conducting traditional law enforcement investigations and prosecutions against ransomware actors are just too difficult given the cross-border nature of that activity, the fact that a lot of the actors are beyond the reach of law enforcement that care about this issue. It’s just too difficult,” said Burt.

Asked about the nature of ransomware organisations’ evolving tactics, such as triple extortion, Microsoft said the primary development in tactics, techniques, and procedures (TTPs) is in how they evade detection. Interesting read!

Implementing TLS in Java

Tags app-development java ssl infosec programming

TLS, or transport layer security, is a protocol used across the globe to encrypt and secure communication over the internet. In this article, we’ll discuss what TLS is, what benefits it provides, and why you need it. Then we’ll walk through implementing TLS in Java. By Himanish Munjal.

The article then goes on to explain:

  • What is TLS?
  • The importance of TLS
  • Core concepts
  • Implementing TLS in Java

If you have created a Java application that communicates over the internet, it’s necessary to implement TLS on both the client and the server side. TLS ensures that data is transferred safely by providing encryption and integrity, and it also helps authenticate both parties. Good read!

How to implement debounce and throttle in JavaScript

Tags app-development web-development javascript programming

At some point you have probably come across a website that uses an autocomplete text box, drag and drop, or scroll-based animations. If you have, then chances are also pretty high that you have encountered debouncing and/or throttling without even realizing it. By @webdevsimplified.com.

First I want to talk about debounce since debounce is the ideal solution for things like autocomplete text boxes. Debouncing works by delaying our function call by a set period of time. If nothing happens during that time then the function will run just like normal, but if something happens that causes the function to be called again during the delay then the delay will be restarted.

Like debounce, throttle is also used to limit the number of times a function is called, but, unlike debounce, throttle will call the function passed to it every time the delay ends as long as the trigger for the function is still happening. For example, if our delay is set to 1 second then our throttled function will execute immediately when it is called and then at most once per second while the user is actively typing.

Anytime you are dealing with bursts of events that you want to group together, debounce and throttle are perfect. They save you money on server costs, save your users money on data costs, and overall make your app more performant. Nice one!

NGINX ingress controller hardening guide

Tags nginx infosec devops cloud distributed apis servers

This guide describes which of the configurations recommended in the hardening guides below is already implemented by default in the NGINX implementation of the Kubernetes ingress controller. By @kubernetes.github.io.

There are several ways to harden and secure NGINX. This documentation draws on two guides, which overlap in some points:

  • nginx CIS Benchmark
  • cipherlist.eu (one of many forks of the now dead project cipherli.st)

Be aware that this is only a guide. Some of the configurations may leave specific clients unable to reach your site, or have similar consequences. The guide clearly states what needs to be configured, what is obsolete because NGINX runs as a container (the CIS benchmark relates to a non-containerized installation), and what is difficult or not possible. Nice one!

NGINX WAF and Kubernetes WAF options (App Protect vs. open-appsec)

Tags infosec devops cloud nginx servers

Until 2022, NGINX supported the well-known ModSecurity open-source WAF solution and the OWASP Core Rule Set signatures. However, following Trustwave's end-of-life notice about ModSecurity, and possibly also related to the acquisition of NGINX by F5, NGINX announced in May 2022 that it would end-of-life ModSecurity support, leaving NGINX open-source with no open-source security solution. By Christopher Lutat.

In this article, the authors briefly compare the NGINX App Protect signature-based WAF solution and a new open-source initiative called “open-appsec,” which builds on machine learning. open-appsec provides preemptive web app and API threat protection against OWASP Top 10 and zero-day attacks, and it can be deployed as an add-on to both NGINX and NGINX Ingress, in the open-source and premium (Plus) versions.

NGINX App Protect WAF is based on the traditional F5 signature-based WAF solution, with good coverage for OWASP-Top-10 and other common attacks. The App Protect WAF comes with two policies - Default and Strict. The Default policy provides OWASP-Top-10 protection.

open-appsec is a new open-source initiative that builds on machine learning to provide enterprise web application and API security with the visibility, protection and manageability required by modern workloads, which update frequently and are often based on many third-party components not fully under the developers' control. For DevOps/DevSecOps and AppSec teams, open-appsec:

  • protects web applications and APIs preemptively against OWASP-Top-10 and zero-day attacks using machine learning with no threat signature upkeep required
  • blocks attacks such as Log4Shell, Spring4Shell and Text4Shell with default settings and no updates required, due to its preemptive nature
  • delivers precise threat prevention through continuous learning, finding attacks while eliminating the manual tuning and exception creation inherent to traditional WAFs

Signature-based solutions are well-proven, but they are reactive by nature, meaning that often signatures aren’t available until after vulnerabilities have been known for some time and exploits are put into circulation. In many high-profile High and Critical risk zero-day attacks that happened in the last year. Good read!

Service exhaustion floods — HTTP/HTTPS flood, HTTP pipelining, and SSL renegotiation DDoS attack

Tags infosec ssl app-development cloud cio devops

On 1 June 2022, a Google Cloud Armor customer was hit with a Distributed denial-of-service (DDoS) attack over the Hypertext Transfer Protocol Secure (HTTPS) protocol that reached 46 million requests per second (RPS), making it one of the largest ever recorded Layer 7 DDoS attacks reported this year. By Debashis Pal.

In Wireshark, tls.handshake.type == 1 will show all instances of Client Hello. If there are too many of these packets coming from the same source IPs, this could be an attack …

This article is a good analysis of Layer 7 attacks:

  • HTTP flood DDoS attack
  • How to analyse for HTTP flood attacks
  • HTTP pipelining attack
  • How to analyse HTTP pipelining
  • SSL renegotiation and HTTPS flood DDoS attack
  • How HTTPS works
  • SSL/TLS renegotiation
  • How to analyse for thc-ssl-flood attacks
  • HTTPS flood DDoS attack
  • How to analyse for HTTPS flooding

HTTP floods consist of continuous, seemingly legitimate HTTP GET or POST requests sent to a targeted web server. These requests are specifically designed to consume a significant amount of the server's resources. To achieve maximum impact, malicious actors usually employ botnets — many devices infected with malware. Malicious actors may also use other HTTP methods such as PUT and DELETE to make the attack more complex. Very informative!

Maersk mobile: All the way with Flutter

Tags nodejs app-development javascript cio android

During the pandemic, the use of the Maersk App skyrocketed. To meet the growing number of feature requests and scale our solution, a different approach was required. Keeping up with requirements to solve the business needs of our customers was challenging and time-consuming, as all development had to be done twice for two native (Android and iOS) apps. Over time, the tech debt of maintaining two codebases was getting high as the underlying platforms changed and new features and services were added for our customers in a rapidly growing user base. By Gaurav Bhatnagar, Satish Kumar.

The challenge was to upskill our engineers; no one had prior experience with Dart or Flutter. We had to take three distinct teams (Android, iOS, and Web) from diverse backgrounds and bring them together. This was a rigorous process, and we got great support from the engineers. Flutter’s documentation is excellent for beginners, and the familiar widget tree structures helped engineers start contributing quickly.

The article then describes the team's journey to Flutter:

  • Why Flutter?
  • Learning the ropes
  • The main course
  • Robust booking journey
  • Revised UI with reusable components
  • Customer feedback
  • Phenomenal benefits

The Maersk App team has continued to add features at a rapid rate. Having Flutter as our main technology has significantly reduced technical barriers, allowing new engineers to be able to contribute to our app within days after being onboarded. By using a single framework to ship two apps we can get creative and create something amazing. Excellent read!

Flutter CI/CD using GitHub Actions

Tags devops cicd app-development javascript android

We are in a state where companies are releasing software and solutions within minutes, and they are doing so by following the Continuous integration (CI) and continuous delivery (CD) set of operating principles. By Himanshu Sharma.

A CI/CD pipeline makes the automatic delivery of your software more frequent, reliable, and secure. It focuses on higher code quality, and that’s why it is vital for a mobile developer or team. Flutter is an open source framework by Google for building beautiful, natively compiled, multi-platform applications from a single codebase.

The article will help you make sense of:

  • What is GitHub Actions?
  • Use a basic Flutter action to build an Android release
  • How can you make your workflow faster?
  • Prepare for the Play Store release
  • Sign the app
  • Deploy the app
  • Flutter web release to GitHub pages

In this tutorial, you learned how to set up a GitHub Actions workflow to deploy your Flutter app to the Web and Android. As a next step, you can copy and modify the workflow to release the app directly to the app store, or learn about alternatives to GitHub Actions such as CircleCI, GitLab CI, Jenkins, and more. Nice one!

Stepping into the Metaverse: How retailers can prepare

Tags miscellaneous cio cloud

Retail is changing so fast that even this advice is reaching its expiration date. Soon, a presence in the metaverse will be an absolute necessity, and retailers stranded in today’s e-commerce environment will be left behind.

Changing online habits will almost certainly benefit suppliers, but it will also put them under new pressures. Where one photograph of a product in a catalog was enough, for example, three to five became the norm online, followed by a video. The cost of doing business in the metaverse will include developing 3-D digital assets where traditional photography once sufficed.

The article covers a few topics:

  • The current state of retail
  • How retailers can prepare for the Metaverse
  • The Metaverse evolution

While the metaverse has some way to go before retailers are compelled to engage with it, its rapid emergence means they must plan. The trick will be to focus on the customer, not the technology. Good read!

How Pub/Sub eliminates boring meetings and makes your systems scale

Tags devops software-architecture code-refactoring messaging queues

So, you’ve said goodbye to the monolithic application and refactored it into services. You are shipping faster and the code is cleaner. But the complexity of communication between the services is causing performance issues. And every time a new team needs to integrate, it’s a whole lot of meetings. By Priyanka Vergadia, Kir Titievsky.

The time has come to consider asynchronous communication, where services publish and react to events reliably delivered by a messaging system. In this model, a service needs only to do its computation on an event and publish it to Pub/Sub. It does not need to accommodate the different latency and availability characteristics of the downstream services. In fact, it needs to know nothing about them. This article introduces you to Pub/Sub and how it works:

  • Pub/Sub
  • Pub/Sub Lite
  • How does Pub/Sub work?
  • Pub/Sub features
  • Pub/Sub use cases

Pub/Sub works as messaging middleware for traditional service integration or as a simple communication medium for modern microservices. Push subscriptions deliver events to serverless webhooks on Cloud Functions, App Engine, Cloud Run, or custom environments on Google Kubernetes Engine or Compute Engine. Low-latency pull delivery is available when exposing webhooks is not an option or for efficient handling of higher-throughput streams. You will also find a link to a video explaining the concept in this article. Excellent read!
