OWASP Application Security Verification Standard 3.0.1 – Arabic Version

In collaboration with my friend Ismail (http://sharepoint4arab.blogspot.com/), we translated the OWASP Application Security Verification Standard 3.0.1 into Arabic in order to increase security awareness in application development among Arab people.

You can find the links below:

https://github.com/OWASP/ASVS/commit/c80337b005ab6e71fc8a2e2c083744f725ad57f5

https://github.com/OWASP/ASVS/


Points to consider before creating a Cost Plan for cloud computing resources

Before creating a Cost Plan or Bill of Materials, the points below will guide you to an efficient solution and cost, whether you are using AWS or Azure cloud computing resources.

Using the right resources helps you meet the client requirements, save money, and get fewer operations, fewer errors and fewer security vulnerabilities.


  • Meet business objectives and the budget (be specific)
  • Know whether the workload or legacy applications are supported in the cloud
  • Consider non-functional requirements like high availability or maintainability
  • Consider security requirements and compliance
  • Know the cloud deployment models (public or hybrid)
  • Review cloud provider pricing pages and calculators
  • Consider the support price
  • Go with serverless and managed resources first, and only if they are not applicable go with IaaS
  • Consume the free tier and free resources as much as you can
  • Cost is based on hours and usage
  • Enable alarms on bills and stop unused resources (even if it’s only for hours)
  • Review your design, review your deployment, review ongoing projects
  • Determine the baseline and watch for exceptional behaviors
  • Know the required environments (staging, production …)
  • Know whether the license is provided by the customer or the cloud provider
  • Pricing is an estimate (expected) because it’s based on the information provided; always go with the maximums
  • Provision just in time; start small and then scale your resources elastically
  • Keep old billing files for tracing and tracking
  • Know the cloud resource usage models (on-demand, reserved or spot resources)
  • When possible, use the cheapest region if network latency is not an issue
  • Know which resources are free and which cost money
  • The new generation of virtual instances is cheaper
  • Use the right resource size (don’t go bigger or smaller)
  • Consider optimization features like caching or a CDN, which reduce the consumption cost
  • Consider lifecycle or retention policies for resources
  • Automate the scaling and shrinking of resources
  • Consider consolidating accounts
  • Consider backup solutions and storage, and don’t keep them in one datacenter
  • Know the cloud services’ limitations
  • Review Trusted Advisor or the advisor center
  • Seek a discount or credit, especially when you have a big-profile project
  • Know the refund policy and currency conversion

My security contribution to the Technology Quality Forum in Jeddah

I participated in the Technology Quality Forum as a speaker on one of my favorite topics, “Quality in Cyber Security Awareness”, in Jeddah, KSA.


For the presentation link:

I also want to thank Dr. عايض العمري (President of the Saudi Council for Quality) and brother Nebal Anaim (organizer) for the honor.

Beforegolive.com


BeforeGoLive.com is simply a collection of best practices and recommendations that help the IT community improve their applications and environments and maximize non-functional requirements. Our goals are to minimize the impact of operations and products, and to foster responsible environmental leadership. We’re dedicated to creating successes for everyone and making a difference in our communities around the world.

This contribution was built with the help of my friends (Ismail, Kasim and Riad), and we will be happy to get feedback or suggestions at this email: info@beforegolive.com


Updated – Maximizing SharePoint Security whitepaper 1.1

I updated Maximizing SharePoint Security whitepaper with the following changes:

  • Added the CIS SharePoint benchmark
  • Added a link for more security headers, like HTTP Public Key Pinning and others
  • Added more security controls in the SharePoint configuration
  • Fixed the Search Crawl Rules

You can download the document from this URL: https://gallery.technet.microsoft.com/Maximizing-SharePoint-cf7f7efc


httpOnly attribute and out-of-the-box SharePoint workflows

The httpOnlyCookies attribute is a good security control, but if you enable it in SharePoint it will prevent the creation of out-of-the-box SharePoint workflows, or cause an error while you are creating them.

Error :

“Application error when access /_layouts/15/CstWrkflIP.aspx, Error=Value cannot be null. ….”

Fix:

Remove the httpOnlyCookies=”true” attribute from web.config and accept the risk, or extend the SharePoint web application and remove the attribute only from the internal-access website.
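As an added example (not from the original post), a PowerShell audit that reads the web.config of each zone of the extended web application and reports whether httpOnlyCookies matches the policy above: present and true on the external zone, absent on the internal zone used for workflow authoring. The zone names and web.config paths are assumptions and must be replaced with your own IIS virtual directory paths.

```powershell
# Added example, not from the original post. Audits the <httpCookies> element
# under <system.web> in the web.config of each zone of an extended SharePoint
# web application. Zone names and paths below are assumptions.
$zoneConfigs = [ordered]@{
    'Default (external users)'      = 'C:\inetpub\wwwroot\wss\VirtualDirectories\443\web.config'
    'Intranet (workflow authoring)' = 'C:\inetpub\wwwroot\wss\VirtualDirectories\8080\web.config'
}
# Expected attribute value per zone: 'true' = must be present and true, $null = must be absent.
$expected = @{
    'Default (external users)'      = 'true'
    'Intranet (workflow authoring)' = $null
}
# Renders $null as the word 'absent' for the report line.
$show = { param($v) if ($null -eq $v) { 'absent' } else { $v } }

foreach ($zone in $zoneConfigs.Keys) {
    $path = $zoneConfigs[$zone]
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$zone : web.config not found at $path"
        continue
    }

    [xml]$config = Get-Content -Path $path -Raw
    # Both the <httpCookies> element and the httpOnlyCookies attribute may be missing.
    $httpCookies = $config.configuration.'system.web'.httpCookies
    $actual = if ($null -ne $httpCookies) { $httpCookies.httpOnlyCookies } else { $null }

    $state = if ($actual -eq $expected[$zone]) { 'OK' } else { 'MISMATCH' }
    Write-Output ('{0,-32} httpOnlyCookies={1,-6} expected={2,-6} {3}' -f $zone, (& $show $actual), (& $show $expected[$zone]), $state)
}
```

Run it after each web.config change and after every farm patch, since SharePoint updates can rewrite web.config and silently reintroduce or drop the attribute.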

SharePoint Server 2016 Security

SharePoint Server 2016 and Office Online Server support TLS 1.2 connection encryption by default, so you can disable all the old protocols safely.

Workflow Manager supports SSL 3.0 (it’s recommended to disable it) and TLS 1.0, but it can communicate with SharePoint through TLS 1.2.

https://technet.microsoft.com/en-us/library/mt757255(v=office.16).aspx

https://technet.microsoft.com/en-us/library/mt346121(v=office.16).aspx#encrypted
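As an added example (not from the original post), the Schannel registry settings that turn off SSL 3.0 and TLS 1.0 and keep TLS 1.2 enabled on a SharePoint 2016 or Office Online Server host, written in PowerShell. It assumes every peer, Workflow Manager included, can already negotiate TLS 1.2; run it elevated on a staging farm first, and reboot for the change to take effect.

```powershell
# Added example, not from the original post. Disables SSL 3.0 and TLS 1.0 and
# keeps TLS 1.2 for both the server and client side of Schannel. Assumes all
# peers (Workflow Manager, OOS, SQL) can negotiate TLS 1.2. Needs an elevated
# session and a reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # 'SSL 3.0', 'TLS 1.0', 'TLS 1.2', ...
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path -Path $base -ChildPath "$Protocol\$side"
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 with DisabledByDefault=1 is the documented "off" state;
        # Enabled=1 with DisabledByDefault=0 is "on".
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# Report the resulting state before rebooting so the change can be reviewed.
Get-ChildItem -Path $base -Recurse |
    Get-ItemProperty |
    Select-Object PSPath, Enabled, DisabledByDefault |
    Format-Table -AutoSize
```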

New features in SharePoint 2016

Learn about the most important new features in SharePoint Server 2016 as follows:

MinRole

It is a set of predefined server roles, newly introduced in SharePoint Server 2016. SharePoint will automatically configure the services based on the server’s role, and the performance of the farm is optimized based on that topology.

https://technet.microsoft.com/en-us/library/mt346114(v=office.16).aspx

https://technet.microsoft.com/en-us/library/mt667910(v=office.16).aspx

SharePoint Add-ins

The name “apps for SharePoint” is changing to “SharePoint Add-ins”.

SharePoint Add-ins are self-contained extensions of SharePoint websites that you create, and that run without custom code on the SharePoint server.

https://msdn.microsoft.com/en-us/library/office/fp179930.aspx

Zero-Downtime Patching

To patch a server in a SharePoint Server 2016 farm using Zero Downtime Patching, see:

https://technet.microsoft.com/EN-US/library/mt767550(v=office.16).aspx

https://blogs.technet.microsoft.com/stefan_gossner/2016/04/29/sharepoint-2016-zero-downtime-patching-demystified/

Fast Site Collection Creation

Fast Site Collection Creation is a new capability in SharePoint Server 2016 IT Preview that improves site collection creation performance by reducing Feature activation overhead.

https://blogs.technet.microsoft.com/wbaer/2015/08/26/fast-site-collection-creation-in-sharepoint-server-2016-it-preview/

Project Server 2016 installer is fully integrated into SharePoint 2016

The Project Server 2016 installer is fully integrated into SharePoint 2016; a separate installer no longer needs to be run on each server in the farm.

https://blogs.office.com/2016/03/16/project-server-2016-rtm-is-now-available/

Finally, check this link for more details about new and improved features in SharePoint Server 2016:

https://technet.microsoft.com/en-us/library/mt346121(v=office.16).aspx


Office Online Server (OOS)

Do you remember Office Web Apps in SharePoint 2013? Microsoft changed its name to Office Online Server, but that doesn’t mean it is no longer on-premises.

As with Office Web Apps, you can view and create/edit (a license is needed) the following document types:

  • Word
  • PowerPoint
  • Excel
  • OneNote

This product is not only for SharePoint; you can use it with other Microsoft products like Exchange, Skype and others, and that’s why it needs a separate server.

It also provides the search preview feature and is mandatory for SharePoint 2016 BI.

For more information: https://blogs.office.com/2016/05/04/office-online-server-now-available/