Secure Your Apache Server in 2024

Ensure the security of your Apache server with these comprehensive best practices for TLS configuration. By following these steps, you can earn an A+ rating on Qualys SSL Labs and protect your website from potential threats in the coming year.

Jan 2, 2024

Top Forensic article

Security Post-it #3 – Volatility Linux Profiles

In this short security post-it, I explain how to generate Linux profiles for Volatility 2 and 3, using an ephemeral docker container.

Mar 15, 2021

Top Security article

Secure Your Nginx Server in 2024

Ensure the security of your Nginx server with these comprehensive best practices for TLS configuration. Achieving an A+ Rating on Qualys SSL Labs.

Jan 2, 2024

Two Effective Ways to Intercept Android App Traffic

May 5, 2023

Explore two comprehensive methods to extract Android app traffic: patching an APK using Objection and manual APK recompilation. This guide offers step-by-step instructions, including necessary commands and tools, to successfully set up a MITM proxy and analyze app traffic.

Enhancing vulnerability prevention through human-based security measures

Apr 28, 2023

Drawing from first-hand experience, this article details the evolution and enhancement of human-based security measures at Leboncoin, offering insightful lessons from their journey to preemptively address vulnerabilities before coding even begins.

The security interview: cybersecurity and Cloud security at leboncoin

Mar 30, 2023

Our guest today is Nicolas Béguier, security architect at leboncoin for the past 6 years. During this interview, Nicolas shares his vision of the job: the scope of the security architect role, how it evolves in the face of changing threats, the tools, but also the human aspects of implementing a security policy.

Secure Your Nginx Server in 2023: Achieving an A+ Rating on Qualys SSL Labs

Jan 1st, 2023

Ensure the security of your Nginx server with these comprehensive best practices for TLS configuration. By following these steps, you can earn an A+ rating on Qualys SSL Labs and protect your website from potential threats in the coming year.

Cybersecurity salaries in Paris in 2023: the complete grid

Dec 29, 2022

This grid lists the salary ranges per cybersecurity position in Paris in 2023, along with the years of experience and qualifications required. Compare salaries according to your level of experience and your training in the field of cybersecurity.

Protect Your Data: A Comparison of Symmetrical, Asymmetrical, and Hashing Encryption Methods

Dec 16, 2022

Confused about the different methods of data encryption? In this article, we compare symmetrical, asymmetrical, and hashing encryption and explore the pros and cons of each method. Learn how to choose the best option for protecting your data.

Code Security Showdown: shhgit vs. gitleaks

Dec 11, 2022

Discover the key features and differences between shhgit and gitleaks, two popular tools for detecting and preventing sensitive data leaks in your code. Learn which tool is best suited for your needs and how to effectively use it to secure your codebase.

Zero Trust Architecture: A Comprehensive Guide to Improving Cybersecurity

Dec 10, 2022

Discover the essential principles of zero trust architecture and how to implement it in your organization.

The SPLC vs. SDLC: Understanding the Differences and Why They Matter

Dec 10, 2022

Learn everything you need to know about the Secure Product LifeCycle (SPLC), including its phases, its differences with the Software Development LifeCycle (SDLC), and how to implement it in your own product development.

Security Post-it #7 – Software Security Testing for Golang

Nov 22, 2022

In this short security post-it, I explain how to secure your Golang code using open-source tools: SAST and SCA.

Security Post-it #6 – Software Security Testing for JavaScript and TypeScript

Nov 3, 2022

In this short security post-it, I explain how to secure your JavaScript and TypeScript code using open-source tools: SAST and SCA.

Security Post-it #5 – Looking for secrets

Oct 31, 2021

In this short security post-it, I explain how to look for secrets in files or outputs.

Security Post-it #4 – XSS yes, but with <style>!

May 11, 2021

In this short security post-it, I explain how to exploit XSS through inline styles.

Security Post-it #2 – Volatility x Gimp

Mar 08, 2021

Short Security Post-it about using Gimp to observe a process memory dump, with Volatility.

AWS Tower

Jan 06, 2021

AWS Tower has been developed by security engineers, for security engineers. Even without AWS knowledge, you can easily see the security issues and other information such as DNS records, allowed IP addresses or open ports.

Nginx : Security configuration tips

Jan 04, 2021

This article gives you some advice on improving the security of your Nginx web server. Several criteria are taken into account: system security, SSL/TLS security and data security.

Static Application Security Testing

Jul 28, 2020

How we scan our applications for vulnerabilities at leboncoin.

KoaJS Security Tips

Dec 30, 2019

In this article, I explain how to use KoaJS in a production environment, avoiding the vulnerabilities induced by the default configuration, and present a tool to test your own website.

Security Post-it #1 – SHA-1 is broken, not HMAC

Dec 13, 2019

In this first Security Post-it, I explain how SHA-1 can be broken and why it has no impact on the robustness of HMAC.

Comparison of the SSH Key Algorithms

Sep 23, 2018

This story compares the main algorithms used to generate an SSH key, describes their weaknesses and places them against Moore's law.

3 Tips to Boost the Performance of your Varnish Cache

Sep 16, 2018

This story presents three tips to increase the high availability and scalability of your Varnish cluster, and to increase speed as well:

  • Sharded caching
  • Dynamic backend resolution
  • Browser optimization

Instacart Market Basket Analysis

Sep 07, 2018

In this competition organised by Kaggle and Instacart, Constance Beguier (Morel) and I had a dataset containing customers' orders over time. The goal was to predict which products would be in a user's next order. The dataset was anonymized and contained a sample of over 3 million grocery orders from more than 200,000 Instacart users.

Apache : Security configuration tips

Sep 05, 2018

This article gives you some advice on improving the security of your Apache web server. Several criteria are taken into account: system security, SSL/TLS security and data security.

Driving style recognition

Sep 05, 2018

Through Kaggle, AXA provided us with a dataset of more than 50,000 trips by anonymous drivers. Many parameters had to be taken into account, such as trip duration and the intensity of acceleration or braking. These characteristics combine to form an overall profile that potentially makes each driver unique.
For this competition, we had to find a classifier able to tell whether a given trip was driven by a given driver.

Postfix exploit attempt

Sep 05, 2018

Postfix does not implement SASL itself, which means the configuration files belong both to Postfix and to a third-party piece of software (in our case Cyrus SASL).
In this part I will show you the exploit I attempted, on the versions below:

  • OS : Ubuntu 10.04 (04/2010)
  • Postfix : 2.8.1 (22/02/2011)
  • Cyrus SASL: 2.1.23 (04/10/2014)
  • CVE: CVE-2011-1720 (13/05/2011)
CASSH: SSH Key Signing Tool

Jan 09, 2018

As SREs, one of our missions is to prevent intrusions into our infrastructure. How can authentication security be increased without penalising the thousands of engineers working on the platform?
A classic way to authenticate with SSH is to use a key pair. You can then deploy each public key on every server and add your custom flavor.
In fact, there are quite a few unused functionalities in OpenSSH, such as signed certificates, which greatly increase both security and reliability.