We are happy to announce Security Review guidelines for MongoDB. CIS guidelines are not available for MongoDB, and we thought this might be helpful for you.
The content has been referenced from the official MongoDB website.
I have created sample commands that will help you extract the exact details required for performing a security review, along with the recommended settings suggested by MongoDB.
Please note that this document only highlights points related to MongoDB, not the underlying OS security.
This benchmark is intended for security specialists and auditors who plan to review the security of a MongoDB server. Please find the link below.
Below are the steps to fix the banner (version information) disclosure in IIS 8.0/8.5:
Install the latest version of the Microsoft Web Platform Installer (https://www.microsoft.com/web/downloads/platform.aspx/).
Install URL Rewrite 2.0 on the server using the Web Platform Installer.
This article presents the key risks with DirectAccess and how to audit them.
Let's begin by first understanding the DirectAccess technology.
Introduction to DirectAccess
From the Wikipedia definition:
DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet.
DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network, so users never have to think about connecting to the enterprise network, and IT administrators can manage remote computers outside the office even when the computers are not connected to a VPN.
When a DirectAccess client is outside of the corporate network and has an active Internet connection, the client will attempt to establish connectivity with the DirectAccess gateway by creating IPsec tunnels defined by the connection security rules in the Windows Firewall on the client.
How does the DirectAccess Server work?
It's been a long time since I have written a security post, but I have come up with a security issue in HP ALM Product 11.
While testing the latest version of the HP ALM product, I found that the password encryption used by the web application was weak. I was able to break the password encryption logic.
What is Encryption?
In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
Below is the explanation.
Hello Everyone,
Recently, web researchers uncovered an extremely critical vulnerability in recent versions of OpenSSL. In short, this vulnerability allows anyone on the Internet to read the memory of systems protected by the OpenSSL software.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). CVE-2014-0160 is the official reference to this bug.
Recently, I found an interesting qualifying issue on Yahoo! Pipes. But before going into the details of this specific issue, let's understand some basic points.
What does Authorization mean?
In general, authorization relates to the set of activities a user can perform once logged on to a particular system. This is typically divided into the following two categories:
The issue I found on Yahoo! relates to an improper implementation of CSRF token validation, where a CSRF token generated by an attacker can be used to change the environment of the victim. The Yahoo! Security team informed me that the issue was successfully reproduced once, but later they just couldn't reproduce it again. They fixed this issue but did not reward me with a bounty. Never mind; I found this issue pretty interesting, so here are the details:
The issue was reported to the Yahoo Security Team on 12 Nov 2013.
Recently I found an Insecure Direct Object Reference issue on Nokia. I have already reported this issue, and it has also been fixed.
Thanks to the Nokia developer team. They have listed my name on the Nokia Hall of Fame list at the URL mentioned below:
Before we start discussing the issue, let's first look at what an Insecure Direct Object Reference is.
What is Insecure Direct Object Reference?
Insecure Direct Object References represent flaws in system design where access to sensitive data/assets is not fully protected and data objects are exposed by the application on the assumption that the user will always follow the application's rules.
An Insecure Direct Object Reference attack is one where an attacker who is an authenticated system user simply changes a parameter value that directly refers to a system object, or to another object the user isn't authorized for.
***Authentication:*** Authentication verifies who you are.
***Authorization:*** Authorization verifies what you are authorized to do.