Enabling a secure culture in engineering: the SecEng Team

A sense of separation has sometimes existed between Security and Development, as though the two are not inherently connected. Security considerations have always fed into the way we work at Tes, but without the right connections it can be easy to end up viewing security as an impediment to speedy delivery or vice versa. We started a Security Engineering team (‘SecEng’ if you like) to bridge this gap and ensure our engineering teams see strong security in data handling as critical, and crucially, something firmly within reach.

Read more...

Automated vulnerability checks and the end of NSP

Exploiting known vulnerabilities in third-party components remains one of the most common ways attackers compromise a system, and “Using Components with Known Vulnerabilities” sits on the OWASP Top 10 list of the Most Critical Web Application Security Risks, so we’ve made automated vulnerability checking an important part of our development flow here at Tes. We’ve been using nsp, a neat little command line tool from the Node Security Platform (NSP), to check our Node.js dependencies against its database of known vulnerabilities. All good things come to an end: the NSP was recently acquired by npm and has just been shut down.

Read more...

Secure file uploads with redux-plupload, ClamAV and S3

We have recently added a new feature that allows a user to upload a file from our webpage. We implemented this using redux-plupload, ClamAV and S3 to satisfy three requirements: the file should be uploaded directly from the client to S3, so that our server never has to hold whole files in memory while streaming them; the upload must be secure and the file must be stored securely (and ideally encrypted at rest); and the file must be scanned and free of malware so that it can be downloaded without worry.

Read more...

The things we trust to github

One of the issues with using public GitHub is that, well, it’s public. Even with its layers of security, all your information is ‘out there’, somewhere. It is nonetheless a fact of life that we all use GitHub, and many companies large and small choose hosted GitHub over running an expensive in-house GitHub Enterprise environment. The problem is that developers and operations folks sometimes push things into GitHub without thinking about what those commits contain.

Read more...