LUKI NOTES

The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security (Wikipedia). In this post, I want to share the top 10 security threats published by OWASP. The list is regularly updated by OWASP, the following list is based on 2021 publication. Broken Access Control This security issue can be caused by many things such as violation of the least privilege principle, unprotected API endpoints, use of unique identifiers without permission checking, and so on. There are several threats related to broken access control. Insecure Direct Object Reference . It happens when an application provides direct access to objects based on user-supplied input. For example, after submitting a form, the endpoint returns an ID of the object being submitted while with that ID, a user can access the

 It is rain

Nowadays, many paid and free tools can help us make beautiful API documentation for our software projects. These are a few of them with an explanation of each advantage. RapiDoc This open-source tool can generate API documentation based on OpenAPI specifications. So, if you already use the Swagger tool to generate your documentation, you can use the configuration and generate a new documentation page instantly. To use RapiDoc, we can create an HTML file that includes the Javascript library provided by RapiDoc or we can include it in a Javascript framework like React and Vue. It is very customisable, we can add custom HTML or markdown in the generated documentation, apply a dark theme or custom style, create custom methods, and many more. It also supports in page console to try an API request. ReadMe It is a service that can transform static API documentation into interactive developer hubs. Developer hubs mean it can mon

Someone said, "Architecture is about anything important,  whatever it is." But, what software architecture really is. Four components construct a foundation of software architecture.   Structure It is more like an  architectural style such as monolithic, microservices, layered, etc. So, if an architect talks about microservice, for example, he just talks about the software structure he is building. Characteristic It defines the  success criteria of software such as reliability, scalability, security, availability, etc.   Decisions It defines the rules on how the software is constructed. For example, a decision in a software development project states that each service in a microservice system can only have full-access permission to its own database. When a certain element cannot fully follow the rule then it is called variance in the system.   Principles The difference between decision and principle is that principle is more about providing guidelines for the dev

DevSecOps stands for development, security, and operations. By its name, we can guess it is more like DevOps with the integration of security tools. The more formal definition, it is an approach to design and automate the integration of security at every phase of the software development lifecycle. This term became more popular when many cloud providers and code management tools started to use the name in many places on their platforms. As it integrates security tools in every phase of SDLC and automates the process, this approach can help developers catch vulnerabilities early. Besides it can help us to ensure that our project aligns with regulatory compliance from the beginning. This state can lead to cost-effective software delivery by reducing time to market and can help organizations build a security-aware culture. Security become a concern of more companies nowadays as the increasing of cyber incidents. Traditional DevOps may lack in a few aspects. First, in traditio

Wandering who is the first person can make a scar on Kenshin's face. It is unexpected.

As your software project grows, it may involve more contributors. If you build a platform that publishes APIs that can be consumed by the public, you may expect more users to use your platform. If you work on an internal project that involves many parties from several vendors, you may expect everyone can understand your project and collaborate well. In any scenario, effective documentation can help you achieve what you want. We should consider a  user-oriented design for our documentation which considers who will use our product and what goal our users pursue by reading the documentation. Sometimes, it can help us in developing the project itself by trying to see the project from a user perspective. These are types of common audiences and the information needed. Evaluators who examine whether the service or tool is useful. They need a high-level overview, a list of features, or expected benefits. New users who just learn the usage. Th

Terraform has become more mature and can help us in many scenarios in provisioning infrastructure. These are a few scenarios that might be quite common for us in day-to-day jobs. Take values from another state as a data source This might be used when we already maintain a base state, and then a few child configurations need to access certain values from the base state. First, define the data source with attributes for accessing another state data "terraform_remote_state" "SOME_NAME" { backend = "local" config = { path = "/path/to/another/terraform.tfstate" } } Then, we can pass the value into any resources. For example, we output a value into another output value. output "public_ip" { value = data.terraform_remote_state.SOME_NAME.outputs.public_ip } Redeploy a resource This might be useful when we find an error in our resource that requires us to redeploy the resource. terraform apply -replace=&quo