Skip to content

Instantly share code, notes, and snippets.

View nickmalcolm's full-sized avatar

Nick Malcolm nickmalcolm

View GitHub Profile
@nickmalcolm
nickmalcolm / SecuritySubscriber-updated.php
Last active February 27, 2017 11:31
Code example from "Subscribing to Symfony's Security Events" https://thisdata.com/blog/subscribing-to-symfonys-security-events/
namespace AppBundle\EventSubscriber;
use AppBundle\Entity\User;
...
use ThisData\Api\ThisData;
use ThisData\Api\Endpoint\EventsEndpoint;
class SecuritySubscriber implements EventSubscriberInterface
{
@nickmalcolm
nickmalcolm / AWSLambdaSimpleVoice.js
Last active October 8, 2023 06:18 — forked from stevebowman/AWSLambdaSimpleSMS.js
AWS Lambda Function to make Voice calls via the Twilio API
// 2016 MIT licence. Nick Malcolm.
// Based on https://gist.github.com/stevebowman/7cff9dd80b227c899728
// Makes a call using Twilio's API.
// Expects the following Lambda environment variables:
// TWILIO_ACCOUNT_SID - your account ID
// TWILIO_AUTH_TOKEN - an auth token generated in the Twilio console e.g. ABCD1234
// TWILIO_FROM_NUMBER - the number you've purchased to make calls from e.g. +14243700000
// We'll call this number
# Use Warden's on_request hook to track each page view
# (every GET request that isn't for an asset)
Warden::Manager.on_request do |proxy|
if proxy.request.get? && !proxy.request.original_fullpath.start_with?("/assets")
payload = {
ip: proxy.request.remote_ip,
user_agent: proxy.request.user_agent,
verb: 'page-view',
object: {
url: proxy.request.original_url
@nickmalcolm
nickmalcolm / okta.rb
Created August 10, 2016 01:48
Simple ruby script to pull events from Okta's API, and push them to ThisData
require 'this_data'
require 'httparty'
# A simple proof of concept which will pull a page of events from Okta, and push
# them to ThisData. This enables ThisData to detect behavioural anomalies, and
# keep a third-party access log.
#
# Requires the ThisData and HTTParty ruby gems.
#
# Usage:
@nickmalcolm
nickmalcolm / thisdata_php_curl.php
Last active May 20, 2016 00:14
Use ThisData's API using PHP curl
<?php
$user = array("id" => "1234", "email" => "[email protected]");
$data = array("verb" => "log-in", "ip" => "1.2.3.4", "user_agent" => "Chrome", "user" => $user);
$data_string = json_encode($data);
$url = 'http://api.thisdata.dev:3000/v1/events.json';
$api_key = 'ABC123'; // Use your real API key here
$ch = curl_init($url. "?api_key=". $api_key);

Shorter version

Security Together is dedicated to providing a harassment-free experience for everyone, regardless of gender, gender identity and expression, sexual orientation, disability, physical appearance, body size, age, race, or religion. We do not tolerate harassment of participants in any form.

This code of conduct applies to all Security Together spaces, including our Slack group and associated events, both online and off. Anyone who violates this code of conduct may be sanctioned or expelled from these spaces at the discretion of the Security Together administrators.

Some Security Together spaces may have additional rules in place, which will be made clearly available to participants. Participants are responsible for knowing and abiding by these rules.

Longer version

String equality is something we check all the time when writing code. Are all_systems == "nominal"? Most of the time using your programming language's default equality operator is fine. However when performing equality checks in sensitive areas of your app, like authentication, you need to be extra careful.

What is a Timing Attack?

Timing attacks are a way of learning information about something by measuring the time it takes to respond to different queries. When a response is faster or slower based on what you send it, the algorithm is leaking information about what two values are being compared.

Don't do this!

@nickmalcolm
nickmalcolm / Bridging the security-gap between you and your users.md
Last active March 7, 2016 08:03
Bridging the security-gap between you and your users: a presentation idea for developer conferences

Abstract

What is your talk about?

We build apps. We build them as secure as we can. But no matter what we do behind the scenes, the weakest link is often our end users. Bad passwords, phishing attacks, leaving credentials on post-it notes - is there anything we can do?! Yes! During this talk you will learn how to turn your app in to a powerful re-enforcer of good, secure, user behaviour. You'll have gained empathy for the risks your customers face. You'll have begun building a stronger bridge between you and your users.

Details

Explain the theme and flow of your talk. What are the intended audience takeaways? Include any pertinent details such as outlines, outcomes or intended audience.

The theme of this talk is how to help us help our users. When our users get hacked their lives can be massively impacted, financially and emotionally. Even if it wasn't through the websites we've made. The intended takeaway is that anyone can, and needs to, help in the role of education. The threat is growing, a

@nickmalcolm
nickmalcolm / Becoming a Security Champion.md
Last active March 6, 2016 09:40
Becoming a Security Champion: A presentation idea

Following the RedDot Ruby 2016 CFP Format

Abstract

What is your talk about?

What the 💁 is a Security Champion? You are! Or, you will be after this talk. You know that security is no longer a nice-to-have, it's a requirement, and one of the biggest risks in our industry. By learning the current threats we face, and getting some practical steps to mitigate them, you'll develop a security mindset. More than just writing better code, you'll be inspired and equipped to encourage your bosses, co-workers, and customers to adopt secure best-practices too! You'll be a champion for better security.

##Details Explain the theme and flow of your talk. What are the intended audience takeaways? Include any pertinent details such as outlines, outcomes or intended audience.

@nickmalcolm
nickmalcolm / variables.rb
Last active August 29, 2015 14:22
Ruby Instance Variables vs Local Variables, and overriding getters / setters
# Shows the diffference of calling methods different ways
class Foo
# attr_accessor defines def bar;end and def bar=(val);end
attr_accessor :bar
def initialize
self.bar = "hello"
end
def method_one