It needs to be set to “Access-Control-Allow-Credentials: true

The post CORS origin False Positives appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

What you are trying to teach – EXISTS independently of your teaching!  So – it is a truth within this Universe. How you convey that truth is dependent upon your own teaching method.

Nothing Prepared – Except the teaching SPACE

– Create a SPACE for communicating your thoughts

– Let the teaching unravel itself (remember, it is a Universal truth that can unravel on it’s own – you are just the medium).

The post The art of teaching appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Hash functions lose  information that is present in the input data. This is required in order to generate a fixed-length output hash value.

This loss of information makes it IMPOSSIBLE to recover the original input data from the output hash value.

In addition, many hash functions use key derivation functions to generate the hash value, which further complicates the process of recovering the original input data.

The Avalanche Effect in hashing:

• A good hash function exhibits the avalanche effect. A  small change in the input data should result in a significant change in the hash value.
• This makes it difficult for an attacker to guess the input data by modifying the hash value.
• In other words, even a small change in the input data should cause a completely different hash value to be produced, which further obscures the relationship between the input data and the hash value.

Salt:

In some cases, a salt is added to the input data before hashing.

• The Salt is a random value that is added to the input data.
• This makes it more difficult for an attacker to guess the input data by pre-computing a table of hash values for common input data.
• When a salt is used, the attacker would need to pre-compute a table of hash values for every possible salt value, which significantly increases the computational effort required to guess the input data.

The post Hashing and Loss of Information appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Recently, I came across some code that did this. It makes no sense to do this.

Hashing an input before encrypting it with an algorithm like DES/AES is generally unnecessary. Here’s a breakdown of when and why you might or might not do this:

The post Hash and then Encrypt? appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

When building software, ensuring security is paramount, especially when working with a widely used language like JavaScript. To achieve this, developers and security teams use various techniques, each targeting specific aspects of code security. In this post, we’ll explore the differences between static code analysis, penetration testing (pen testing), and threat analysis, using JavaScript code as a practical example.

1. Static Code Analysis

Static Code Analysis involves analyzing the source code without executing it. This method identifies potential vulnerabilities, bugs, or performance issues early in the development process. The analysis is performed by automated tools that scan through the codebase to find issues based on predefined rules.

What it Does:

• Looks for insecure patterns, improper use of functions, or vulnerabilities like SQL injections, buffer overflows, or cross-site scripting (XSS).
• Identifies best practice violations (e.g., poor error handling, lack of input validation).
• Highlights syntax errors and unused variables.

Example in JavaScript:

let userInput = "<img src=x onerror=alert(1)>";  // Untrusted input
document.getElementById("output").innerHTML = userInput;

Here, an attacker could exploit this vulnerability for cross-site scripting (XSS) attacks. Static code analysis tools like ESLint with security plugins (e.g., eslint-plugin-security) can flag this as a potential issue.

Static Code Analysis Tools for JavaScript:

• ESLint
• SonarQube
• JSHint
• Snyk Code

Pros:

• Quick to run and can be integrated into CI/CD pipelines.
• Provides immediate feedback to developers.
• Detects common vulnerabilities early in the development cycle.

Cons:

• Cannot find runtime issues.
• May produce false positives (flagging non-issues).

2. Penetration Testing (Pen Testing)

Penetration testing (commonly known as pen testing) is a security testing method where testers simulate real-world attacks on an application to find vulnerabilities. Unlike static code analysis, pen testing involves executing the application to see how it responds to various attack vectors.

What it Does:

• Simulates real-world attack scenarios, testing how an attacker might exploit vulnerabilities in the live environment.
• Finds issues that may not be detectable by simply scanning the source code.
• Focuses on both front-end and back-end vulnerabilities, such as SQL injection, cross-site request forgery (CSRF), or insecure API endpoints.

Example in JavaScript:

fetch("/api/update-user", {
    method: "POST",
    body: JSON.stringify({ username: "new_user", role: "admin" }),
    headers: { "Content-Type": "application/json" }
});

A penetration tester could try to manipulate the request body to elevate privileges (e.g., setting role: "admin" to gain unauthorized access).

Pros:

• Tests the entire application stack, including third-party services and configurations.
• Finds security weaknesses in the real-world execution of the application.
• Simulates how an actual attacker might behave.

Cons:

• Requires more time and expertise than static code analysis.
• Typically performed later in the development cycle, when changes are more costly.
• Can miss code-specific vulnerabilities if not combined with static analysis.

3. Threat Analysis

Threat analysis (also known as threat modeling) is a proactive approach where the goal is to identify potential threats or risks to the system before they become actual problems. It involves understanding how attackers might exploit various vulnerabilities in the application and designing defenses to mitigate these threats.

What it Does:

• Identifies potential attack vectors, like unauthorized access or data leakage.
• Maps out all the assets, entry points, and possible attack scenarios.
• Helps design the system architecture to minimize security risks from the outset.

Example in JavaScript:

Suppose you are building an e-commerce site using JavaScript and back-end services. A threat analysis may outline:

• Sensitive data exposure: Users’ payment information could be compromised if the API isn’t secured with HTTPS.
• Authentication threats: Weak passwords or a lack of multi-factor authentication (MFA) could be exploited.

Pros:

• Helps prevent vulnerabilities from being introduced in the design phase.
• Informs developers and architects about potential risks throughout the application’s lifecycle.
• Can guide security-focused development.

Cons:

• Requires security expertise and detailed system knowledge.
• Can be difficult to cover all potential threats.
• More of a preventive measure, so it may not address runtime vulnerabilities directly.

Key Differences

The post Javascript Security Testing – Pen Tests, Static Code analysis and Threat Analysis appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

1. Identity-Based Encryption (IBE):
   • Instead of relying on certificates like PKI, IBE uses identity information (e.g., email address) as the public key.
   • Competitors: Voltage Security (now part of Micro Focus), Zscaler.
2. Decentralized Identity Systems:
   • Blockchain-based and decentralized identity models provide alternatives to centralized PKI by enabling self-sovereign identities (SSI).
   • Competitors: Sovrin, uPort, Microsoft ION (built on Bitcoin), Hyperledger Indy.
3. Hardware Security Modules (HSM) and Secure Key Management:
   • HSMs offer secure key storage and management without relying on traditional PKI infrastructures.
   • Competitors: Thales, Entrust, AWS CloudHSM.
4. Web of Trust (WoT):
   • A peer-to-peer approach where trust is decentralized, and relationships are built on mutual endorsements rather than centralized authorities.
   • Competitors: PGP (Pretty Good Privacy) implementations like GnuPG.

The post Alternatives and Competitors to PKI Encryption appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Encryption-as-a-Service Providers:

1. Amazon Web Services (AWS) Key Management Service (KMS):
   • Provides encryption services with integrated key management for AWS services and custom applications.
2. Microsoft Azure Key Vault:
   • Offers cloud-based key management and encryption services integrated with Azure infrastructure.
3. Google Cloud Key Management:
   • Provides a cloud-based encryption service that supports symmetric and asymmetric keys for Google Cloud resources.
4. Thales CipherTrust Cloud Key Manager:
   • A multi-cloud encryption service offering centralized key management, with support for both cloud-native and hybrid environments.
5. IBM Key Protect:
   • A cloud-based key management solution that helps manage encryption keys used across IBM Cloud services.
6. Entrust Cloud Encryption Services:
   • Offers encryption and key management solutions for various cloud environments, supporting compliance and data security.
7. Boxcryptor:
   • Provides end-to-end encryption as a service for cloud storage solutions like Dropbox, Google Drive, and OneDrive.

The post Cloud Encryption as a service providers appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Project Maps (created by any agile software like Jira, Rally..even Azure DevOps…) is a better visual.

The post project maps replace gannt charts appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

Relativistic Quantum Theory Part 2 – by Landau

An introduction to Quantum Field Theory  – Peskin and Schroder

Student Friendly Quantum Field Theory: Volume 1:   Klauber

Student Friendly Quantum Field Theory: Volume 2: – The standard model     Klauber

The post Books on Quantum Field Theory – Self Learning appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

These  stages are

a) Developing Powers of Concentration and

b) Developing Powers of Detachment.

c) Combining one and two – COncentration with Detachment

My Personal Experience – Detachment reigns supreme

Detachment is key to maximizing the outcome of any activity.

Concentration is a little overrated – at least  in the western meaning of the word. For instance, caffeinated people often believe that their concentration improves on caffeine. And while that may be true, that is NOT the type of concentration that is needed in yoga, or in meditation.

Need to overcome an illness or injury?

Detach yourself from it. Distance yourself from the ‘constantly focusing on the symptoms’. Believe it or not – the symptoms will start fading away

Need to do well in an interview?

Detach yourself from whatever the outcome will be. See how differently you perform. When you are no longer thinking about all the negatives ‘darn – I REALLY need this job…etc.’, your whole body language (and verbal language) is different.

Summary – Detach from your troubles as well

Detachment from troubles feels great. Just distance yourself (visualize a HUGE GAP) between you and your troubles. Often times, the troubling event (in the real world) actually recedes!

The post Detachment, Riding a Bicycle, Infinite Inner Potential appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.