TL;DR — This post covers lessons from building a generic Policy Decision Platform on Open Policy Agent, integrated at several points in the development pipeline (the CI/CD platform, pre-commit hooks, etc.) to detect and prevent security misconfigurations. It is a foundational piece in moving an organization to a standards-based security posture, and a platform component an enterprise needs on the way to a zero-trust model.

I first came across Open Policy Agent (OPA) in late 2017 from an old colleague of mine who was looking at OPA as a way to enforce authorization for their platform’s…

I have the privilege of working with a startup-like company that has gone through a hypergrowth phase over the last 5 years. When I was hired, I was the 2nd Application Security Engineer in a 9-person Security team. We’re now a ~70-person Security org made up of 7 different teams that are responsible for various aspects of securing our members’ data and the company.

In this post I plan on sharing a few things I’ve learned and observed over the last 5 years that I wish someone had told me when we were a small Security team…

TL;DR: I’m open-sourcing a Hapi plugin that provides a fair amount of flexibility with regard to enabling Feature-Policy on a route/frame level, so it should be easy for any Hapi developer to deploy Feature-Policy in a manner that adds real protection.

I came across HTTP Feature Policy during a W3C WebAppsec meeting in September 2019 but back then I didn’t give it much thought until recently I found myself needing to use this to solve a problem. The problem I was trying to solve was allowing our application to access one’s location (if the member consents to it) for…
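The header the post is about is easy to get subtly wrong (a typo in a feature name or a stray path on an origin silently changes what is allowed), so here is an added, framework-agnostic example of building per-route policy values. This is not the author's Hapi plugin; it serializes the same policy object three ways: the legacy Feature-Policy header, the Permissions-Policy header that later replaced it (structured-header syntax), and the `allow` attribute for an embedded iframe. The maps origin, the route composition helper and the "find nearby" route are assumptions for illustration.

```javascript
// Added example, not the author's plugin: serialize a per-route policy object
// into a Feature-Policy header, the newer Permissions-Policy header, and an
// <iframe allow="..."> attribute. No Hapi dependency; plain functions.

const KNOWN_FEATURES = new Set([
  'geolocation', 'camera', 'microphone', 'payment', 'usb', 'fullscreen',
  'accelerometer', 'gyroscope', 'magnetometer', 'autoplay',
]);

// Accepts the keywords self / none / * (and src inside an iframe allow
// attribute), or a bare https origin. Anything else is rejected so a typo
// cannot silently widen the allowlist.
function normalizeSource(src, { forIframe = false } = {}) {
  if (src === 'self' || src === 'none' || src === '*') return src;
  if (forIframe && src === 'src') return src;
  let url;
  try { url = new URL(src); } catch { throw new Error(`invalid origin: ${src}`); }
  if (url.protocol !== 'https:' || url.pathname !== '/' || url.search || url.hash) {
    throw new Error(`allowlist entries must be bare https origins: ${src}`);
  }
  return url.origin;
}

// Validate the whole policy once; every output syntax shares these rules.
function normalizePolicy(policy, opts) {
  return Object.entries(policy).map(([feature, sources]) => {
    if (!KNOWN_FEATURES.has(feature)) throw new Error(`unknown feature: ${feature}`);
    const list = [...new Set(sources.map((s) => normalizeSource(s, opts)))];
    if (list.length === 0) throw new Error(`${feature}: empty allowlist, use ['none']`);
    if ((list.includes('none') || list.includes('*')) && list.length > 1) {
      throw new Error(`${feature}: 'none' and '*' cannot be combined with other sources`);
    }
    return [feature, list];
  });
}

// Keywords are single-quoted in Feature-Policy syntax, origins and * are bare.
function fpToken(s) {
  return s === '*' ? '*' : ['self', 'none', 'src'].includes(s) ? `'${s}'` : s;
}

// Legacy header: `geolocation 'self' https://maps.example.com; camera 'none'`
function featurePolicyHeader(policy) {
  return normalizePolicy(policy)
    .map(([feature, list]) => `${feature} ${list.map(fpToken).join(' ')}`)
    .join('; ');
}

// The iframe allow attribute uses the same grammar plus the 'src' keyword,
// which means "the origin in the frame's src attribute".
function iframeAllowAttribute(policy) {
  return normalizePolicy(policy, { forIframe: true })
    .map(([feature, list]) => `${feature} ${list.map(fpToken).join(' ')}`)
    .join('; ');
}

// Permissions-Policy replaced Feature-Policy with structured-header syntax:
// `geolocation=(self "https://maps.example.com"), camera=()`
function permissionsPolicyHeader(policy) {
  return normalizePolicy(policy)
    .map(([feature, list]) => {
      if (list[0] === '*') return `${feature}=*`;
      if (list[0] === 'none') return `${feature}=()`;
      const tokens = list.map((s) => (s === 'self' ? 'self' : `"${s}"`));
      return `${feature}=(${tokens.join(' ')})`;
    })
    .join(', ');
}

// Route-level composition (hypothetical helper): start from a deny-everything
// baseline and open only what one route needs.
const DENY_ALL = Object.fromEntries([...KNOWN_FEATURES].map((f) => [f, ['none']]));

function routePolicy(overrides) {
  return { ...DENY_ALL, ...overrides };
}

// Constructed example route: a "find nearby" page needs geolocation for the
// app itself and for an assumed maps origin; every other feature stays denied.
const NEARBY_ROUTE = routePolicy({ geolocation: ['self', 'https://maps.example.com'] });
const NEARBY_HEADERS = {
  'Feature-Policy': featurePolicyHeader(NEARBY_ROUTE),
  'Permissions-Policy': permissionsPolicyHeader(NEARBY_ROUTE),
};
```

In a Hapi app the `NEARBY_HEADERS` values would be set per route from an `onPreResponse` extension or a route-level plugin option; the point of the deny-all baseline is that adding a new route cannot accidentally inherit a permissive default.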

I have heard many people in the industry state that the level of effort to deploy Content Security Policy (CSP) is not worth the value it brings. I disagree; it depends on which threat model you are solving for.

This is not yet another post that explains what CSP is. I personally followed Google’s csp.withgoogle.com website and found it helped me deploy a config quickly. Here’s another good resource that links you to blog posts on how companies have deployed this in the past and references to tools such as Mozilla’s Observatory.

Why did I deploy CSP in my organization?

Was it to prevent content injection attacks? Not…

MSarm

A curious being! :) I enjoy doing Security stuff and fortunately make my living doing it. The contents I share here are my own and not the views of my employer.
