Friday, October 4, 2019

Web Security Issues

No Authentication & Authorization

Authentication is knowing who an entity is, while authorization is knowing what a given entity can do. APIs should have proper authentication and authorization in place.

What is the solution?

  1. We added authentication and authorization for most APIs.

XSS (Cross-site scripting)

A Qualys scan result can help with XSS detection.
That said, any sensitive data in the HTML body or in JavaScript is not allowed.

What is the solution?

  1. Always encode customer input before rendering it, so it is never displayed as raw HTML/JS.
  2. Move the data from a visible JS object into browser memory.
  3. Use a framework that takes care of XSS escaping for you.

CSV Injection

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula.

What is the solution?

To remediate it, ensure that no cells begin with any of the following characters:
  1. Equals ("=")
  2. Plus ("+")
  3. Minus ("-")
  4. At ("@")
This should apply to all downloaded CSV files.
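As an added example (not code from the original post), the check above implemented for a CSV export: any cell whose text starts with a formula prefix gets a leading single quote so the spreadsheet treats it as literal text, while real numeric values (a negative balance) are left intact. Tab and carriage return are included beyond the post's four characters because spreadsheet programs strip them before parsing a cell; the sample rows are constructed.

```python
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula.
# The four from the post are = + - @; tab and carriage return are added
# here because spreadsheet programs strip them before parsing a cell
# (an extension beyond the post's list).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will not evaluate.

    Real numbers are left alone (a negative amount is data, not a formula);
    any string starting with a formula prefix gets a leading single quote,
    which forces the spreadsheet to treat the cell as literal text.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_csv(rows):
    """Serialize rows (lists of cells) to CSV text with every cell neutralized.

    QUOTE_ALL also stops a cell containing a delimiter or newline from
    spilling into neighbouring cells.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample export: a customer-supplied name that starts with "="
# and a legitimate negative balance stored as a number.
SAMPLE_ROWS = [
    ["name", "balance"],
    ["=SUM(A1:A2)", -5],
    ["@alice", "-10"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```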

No Input Validation

Input validation on backend APIs is critical to application security.

What is the solution?

Anything that our application receives from untrusted sources must be filtered, preferably according to a whitelist:
  1. Input validation
  2. Input filtering
  3. Input encoding

Sensitive data exposure

Sensitive data should be encrypted at all times, including in transit and at rest. Also, the logging file should not print any sensitive data.

What is the solution?

  1. In transit: use HTTPS, and do not accept anything over non-HTTPS connections. Set the Secure and HttpOnly flags on cookies.
  2. In storage: if you have sensitive data that you actually do need, store it encrypted, and make sure all passwords are hashed.

Security misconfiguration

Do not expose your environments widely to the internet; doing so gives attackers a chance to probe for vulnerabilities.

What is the solution?

  1. Do NOT open the environment widely to the outside. Use an IP whitelist for access control.
  2. Perform regular host/container vulnerability scans.
  3. Perform regular web application vulnerability scans using a tool such as Qualys.

DoS or DDoS

Denial of service attacks are a critical risk.

What is the solution?

  1. Add rate limit control to the application.

CORS (cross-origin resource sharing)

The most common and problematic security issue when implementing CORS is the failure to validate/whitelist requestors. Too often developers set the value for Access-Control-Allow-Origin to ‘*’. Unfortunately, this is the default. This allows any domain on the web to access that site’s resources.

What is the solution?

  1. Should we Set Access-Control-Allow-Origin to * ?
  2. What About Access-Control-Allow-Methods?
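An added example (not code from the original post) answering both questions: the wildcard setting the post warns against, beside a handler that reflects the Origin only on an exact allowlist match and advertises only the methods the API serves. The origins and methods are constructed placeholders.

```python
# Constructed allowlist of exact origins (scheme://host[:port]); placeholder
# names, not real deployments.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com:8443",
})
# Only the methods the API actually serves cross-origin.
ALLOWED_METHODS = "GET, POST, OPTIONS"


def cors_headers_wildcard(origin):
    """The setting the post warns against: every origin on the web is allowed.
    Browsers also refuse to expose a '*' response to a credentialed request,
    so this breaks cookie-authenticated APIs as well as weakening them."""
    return {"Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Methods": ALLOWED_METHODS}


def cors_headers(origin, allowed=ALLOWED_ORIGINS, methods=ALLOWED_METHODS):
    """Return the CORS response headers for a request whose Origin header is
    `origin` (None when the header is absent).

    The origin is reflected only on an exact allowlist match. Exact matching
    (not startswith/endswith or a substring test) is what stops look-alike
    origins such as "https://app.example.com.evil.example" from passing.
    """
    if origin is None:
        return {}                      # same-origin or non-browser client
    candidate = origin.strip()
    if candidate in ("*", "null"):
        return {}                      # never echo the wildcard or "null"
    if candidate not in allowed:
        return {}                      # unknown origin: send no CORS headers
    return {
        "Access-Control-Allow-Origin": candidate,
        "Access-Control-Allow-Methods": methods,
        # Tell caches the answer depends on Origin, so one origin's allowed
        # response is never served to another.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for o in ["https://app.example.com", "https://app.example.com.evil.example", None]:
        print(o, "->", cors_headers(o))
```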

SSL Certificate Uses Weak Signature

The integrity of the signature hash algorithm used in signing a certificate is a critical element in the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can obtain fraudulent certificates. The MD5 signature has long been considered outdated by cryptographic specialists. SHA-1 is outdated and has been phased out by several sources - including Microsoft, Google, and Mozilla as of January 1, 2016.

What is the solution?

  1. Use the SHA-256 signature algorithm.

101 Questions at 1-on-1 meeting

I happened to read this excellent blog/article, so I copied and pasted it here as a reading note. All information and copyright belong to the original author.

These are questions you can ask in every single 1-on-1:
What can each of us do to make progress on what we talked about today?
Could you talk to me about ideas, feedback, and problems?
What can I hold you accountable for next time we talk?
What can I be accountable to you for the next time we talk?

These 101 questions are coming from the following categories:
Short term goals
Their long term goals
Ideas to improve the company
Ideas for their self-improvement
How you can improve
Their happiness, both work and personal
Team relations and morale
Their work habits

101 questions
1) How is [project] going? What could we do to make it better?
2) Is there anything blocking you from getting your work done?
3) Are there any projects you’d really like to work on if you were given the opportunity?
4) What parts of your job would you like to deepen your skills in or get additional training in?
5) Is any part of your project unclear or confusing?

6) What do you want to be doing in 5 years? 10 years? 3 years?
7) What are your long term goals? Have you thought about them?
8) Do you feel like you’re making progress on your big goals here? Why or why not?
9) What’s one thing we could do today to help you with your long term goals?
10) Do you feel we’re helping you advance your career at a pace you would like?
11) Who do you really admire? Why? (People often admire those they want to become)
12) If you had millions of dollars, what would you do every day?
13) What are your super powers? What powers would you like to develop?
14) What are your big dreams in life? Are you making progress on them?
15) Could you see yourself making progress on more of your goals here? What would need to change to do so?
16) What work are you doing here that you feel is most in line with your long term goals?
17) As a kid, what did you want to be when you grew up?

18) What is the company not doing today that we should do to better compete in the market?
19) What’s one thing we’d be *crazy* not to do in the next quarter to improve our product?
20) How could we change our team meetings to be more effective?
21) If you were CEO, what’s the first thing you’d change?
22) Do you think our company is loyal to its employees? Why or why not?
23) Are there any aspects of our culture you wish you could change?
24) What are your favorite parts about our culture?
25) Do you feel over-worked, under-worked, or just the right workload?
26) Why do you think [employee who recently quit] left? What did they tell you?
27) What would convince you to leave for a job somewhere else?
28) Which company values do you like the most? Which the least? Why?
29) What is the #1 Problem at our company? Why?
30) Do you feel like you’re on the same page with your team? How often do you think you need meetings to ensure you stay that way?
31) What do you think are the long term prospects of the company?
32) How many hours a day do you feel you’re productive? How could we help you be more productive?
33) How could we be more creative or innovative as a company?

34) Do you feel challenged at work? Are you learning new things?
35) What area of the company would you like to learn more about?
36) What skills would you like to develop right now?
37) Who in the company would you like to learn from? What do you want to learn?
38) How do you prefer to receive feedback?
39) Do you feel you’re getting enough feedback?
40) What’s a recent situation you wish you handled differently? What would you change?
41) What additional training or education would you like?
42) Are there any roles in the company you’d like to learn more about?
43) What do you think are the key skills for your role? How would you rate yourself for each of them?
44) Is there an aspect of your job you would like more help or coaching with?

45) What could I do as a manager to make your work easier?
46) What do you like about my management style? What do you dislike?
47) Would you like more or less direction from me on your work?
48) What could I do to make you enjoy your work more?
49) How can I better support you?
50) What would you like to know about me?
51) Is there a situation you’d like my help with?
52) What is something I could do better? What is a criticism you have for me?

53) Are you happy?
54) Are you happy working here?
55) Are you happy with your recent work? Why or why not?
56) What would make you leave this job for another?
57) What’s one thing we could do to help you enjoy your job more?
58) Is your job what you expected when you accepted it?
59) What worries you?
60) What’s on your mind?
61) What’s not fun about working here? What do you enjoy most about working here?
62) Who are you friends with at work? (Shown to be a key to enjoying your job)
63) When was the time you enjoyed working here the most?
64) What do you feel is your greatest accomplishment here?
65) What’s something you feel is undervalued that you contribute to the team?
66) What part of your job do you wish you didn’t have to do?

67) How are you? How is life outside of work?
68) How do you feel your work/life balance is right now?
69) How do you feel about your current compensation (salary and benefits)?
70) What’s one thing we could change about work for you that would improve your personal life?
71) If around a holiday: What did you do for [Holiday]? How was it?
72) How are your parents/grandparents? Where do they live?
73) If they have children: How is [name of child] doing? (Ask something related to their age like starting school, playing sports, or other interests.)
74) What do you like to do in your free time? What are your hobbies?
75) What did you do for fun in the past that you haven’t had as much time for lately?
76) What drives you? What motivates you to come to work each day?

77) Who on the team do you have the most difficulty working with? Why?
78) How would you describe the work environment on the team? Is it more competitive or collaborative?
79) How could we improve the ways our team works together?
80) Who is kicking ass on the team? What have they done?
81) Who do you admire on the team? Why?
82) Do you feel your ideas are heard by the team and me?
83) Who would you like to work more often with? Why?
84) Is everyone pulling their weight on the team?
85) Do you help other members on the team? Do others help you when you need it?
86) What’s one thing we should change about how our team works together?
87) What characteristics make someone a good fit for our team? How would you look for those characteristics in an interview?
88) What’s the biggest thing you’d like to change about our team?
89) What do you like most about working on our team?
90) Has anyone on the team ever made you feel uncomfortable? What happened?

91) What part of the day do you have the most energy and focus? When do you have the least? What changes could we make to your work schedule to accommodate this?
92) What are 3 things you would buy to improve your productivity if money was no object?
93) What is an ideal, productive day at work for you? Walk me through the day…
94) What’s an inexpensive thing we could do to improve our office environment?
95) What are the biggest time wasters for you each week?
96) What makes you excited and motivated to work on a project?
97) When you get stuck on something, what is your process for getting unstuck? Who do you turn to for help?
98) What part of your work routine do you find is working best? What area do you want to improve?
99) Are there any meetings or discussions you feel you should be a part of that you’re not? Are you included in any you don’t want to be a part of?
100) What do you do when you feel low energy or unmotivated?
101) How can I help…? (be more productive/happier at work/enjoy work more/etc)

Contact Centers

Cloud-based Contact Centers (CC) are getting very popular, with a few major players in 2019. Almost every Contact Center provides essential call center features, as well as omni-channel routing, integrations, analytics, live reporting, and workforce optimization.

Five9 has Predictive AI technology, with features such as intelligent call routing, dialer modes, CRM integration (Salesforce, Zendesk), analytics, workflow management, and an omni-channel solution.

Talkdesk provides call center features such as ACD, IVR, dialers, CRM integrations, real-time reporting & analytics, workforce management, and AI automation.

Genesys call center software comes with modern features such as ACD, IVR, routing, workforce optimization, and omnichannel support.

NICE inContact’s CXone platform comes packed with features such as omni-channel routing, analytics, workforce optimization, integrations, automation, and AI, all built on an open cloud foundation.

Twilio platform is highly customizable with communication APIs for SMS, voice, video & authentication. Twilio Flex is the first fully-programmable contact center platform.

8x8 supports features such as omni-channel routing, IVR, integrations, analytics, supervisor management systems, and agent productivity knowledge. The ultimate plan comes with a full list of features, including a multichannel contact center, advanced analytics, and predictive dialer. 

RingCentral CC has features such as omni-channel routing, CRM integrations, reporting & analytics, and agent management software that allows businesses to build a powerful customer engagement platform. Its ultimate plan supports advanced IVR and ACD, as well as omni-channel capabilities that support things like chat, email, SMS, and social media.

Please note that RingCentral and 8x8 are also major cloud PBX players in the industry, besides Cisco and Microsoft calling.

Thursday, October 3, 2019

Zip with password on Mac OSX

To compress a file with a password (zip prompts for the password; the archive name comes first, then the file):
zip -e example.zip example.txt

To compress a folder with a password (-r recurses into the folder):
zip -er FolderToZip.zip FolderToZip/

To preview a zip file

To unzip a zip file