The problem There is a common bad practice of storing sensitive variables in code. Quite often it leads to secret leakage. By secrets I mean — API tokens, SSH keys, private keys and others. Some careless developers hardcore them and push it into common repository. In result the secret can be…

Sometimes we need to develop security requirements for some abstract web application. Yeah, unfortunately, we don’t always know the whole feature request list in advance. Web designers prefer to work according to a waterfall model, but it may not always be possible. A technically skilled client is a rare case…

The MITRE ATT&CK framework is a very convenient way to cover all possible threats. This knowledge base splits all attack vectors into two levels — adversary tactics and techniques. At the beginning, it could overwhelm you by many terms and details. ATT&CK Matrix is very formal. So, a direct mitigation…

Spoiler — this will be non technical, business-oriented content. Fraud is the sore spot for ecommerce. This cannot be eradicated completely and sometimes business just has to admit these losses. At the same time, a cost-effective anti-fraud solution is being sought. Companies evaluate the efficiency of different products and decide…

Intro There are dozens of resources on the Internet which cover protection against denial-of-service attacks. I don’t want to repeat them again and give the definition. This attack type has been known for decades. No sense to retalk old commonly known stuff. So, is it really necessary to create another one…

If you have a one simple ecommerce website with a limited set of goods, then it could be meaningless to worry about Radar rules adjustment. Default ML engine works quite well. But in many other cases you need to pay attention to some common fraud cases and ways to mitigate…