
“Is a web app secure just because I use a JWT?”

That is a question I had when I first learned about them.

Learning is important.

I was impressed with how well designed JWT, OIDC, SAML, and modern Identity Provider (IdP) solutions were. The quality of the design I read about in the Requests for Comments (RFCs) was impressive. Yet even after reading the RFCs and watching tutorials, something was still nagging at me.

Test assumptions and concerns.

One day I decided to log into one web application and copied the JWT using the Chrome developer tools.

I went to…


Cybersecurity, in its essence, is pretty simple: identify risks and mitigate them. Identifying risks means finding the weaknesses that leave you vulnerable. This anecdote explains what I mean.

Replacing a doorknob.

I needed to replace a doorknob. We had been living in our home with the original locks. I was concerned the previous owner may have kept a copy of the key and might want to enter our premises uninvited.

I performed a risk assessment.

I bought a new doorknob manufactured from a reputable brand, and that looked pretty. I trusted this brand to provide more than adequate protection. …


This post will teach you how to write to high-level business people.

Over ten years ago I enrolled in an MBA, where I learned how to write to high-level business people. I have been refining what I learned since then. I am sharing what I have learned to save you the cost of an MBA and over a decade of practice.

Leaders are busy. Get to the point.

Bosses, supervisors, directors, and CXOs are busy with many responsibilities. We should aim to take up less of their time and give them actionable information so they can make decisions faster.

Leaders should read your message and get all the necessary information…


We can support a school, a religious organization, and any non-profit by simply doing what we already do: browsing the web. Imagine that every time we do anything on a web browser, we support our favorite non-profits. We can achieve it through cryptocurrencies.

How it works

We probably spend at least one to two hours a day using a web browser for personal reasons. Some of us use a web browser six to eight hours a day for work. Even if we earn only five cents per hour while using a browser, we can donate at least $1 per month. …


In my previous article, we explored how to use cookies in Postman to store your secrets. Depending on your security requirements, you may need to encrypt those secrets. This is where CryptoJS can help.

Script to Generate an Encrypted Secret

We can use a local Node.js script with the CryptoJS library to encrypt the secret. The example below shows how we will encrypt an API key.

// Encrypt an API key with CryptoJS, using a passphrase taken from the environment.
const CryptoJS = require('crypto-js');
// API_KEY is the value to protect; SECRET_KEY is the passphrase used to encrypt it.
const { API_KEY: apiKey, SECRET_KEY: secretKey } = process.env;
if (!apiKey || !secretKey) throw new Error('Set API_KEY and SECRET_KEY in the environment');
// With a string passphrase, CryptoJS derives the AES key and IV itself (OpenSSL-style, salted).
const encryptedText = CryptoJS.AES.encrypt(apiKey, secretKey).toString();
console.log('encryptedText:', encryptedText);

We set the API key and the secret key (used to encrypt the API key) as environment variables. Because the secret key is passed as a string, CryptoJS treats it as a passphrase: it picks a random salt, derives the AES-256 key and CBC IV from the passphrase with OpenSSL's EVP_BytesToKey (MD5-based by default), and emits the Base64-encoded "Salted__" format. The ciphertext therefore changes on every run, and it is only as strong as the passphrase. …


The Serverless Framework supports numerous plugins, and they are great! They save so much time when deploying our serverless applications. Why reinvent the wheel? This convenience comes with a downside: not all plugins are written securely, and a plugin runs inside the deploy with the same credentials and the same view of the service definition as the framework itself. We must choose our plugins wisely, which means inspecting the source code.

What are Serverless Framework plugins?

The Serverless Framework allows us to use plugins (or create one) that hook into the lifecycle events of the deploy process. We can hook into the "before:deploy:deploy" event to set up files and variables before the deploy begins. We can hook into the "deploy:finalize" event to save some information about…
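The shape of such a plugin, as an added example that is neither the Serverless Framework's own code nor any published plugin. A plugin is a class the framework constructs with (serverless, options) and whose `hooks` map names lifecycle events; that contract is enough for the plugin to read the whole parsed serverless.yml through `this.serverless.service` (the `getAllFunctions()` and `getFunction(name)` accessors below exist on the real Service object). The audit rule, the plugin and function names, the sample service definition, and the `runLifecycle` stand-in for the framework's plugin manager are constructed for the demo so the file runs without the serverless CLI.

```javascript
// Added example (not the framework's code, nor a published plugin): a plugin
// that hooks "before:deploy:deploy" and "deploy:finalize", plus a stand-in
// plugin manager and a constructed service definition so it runs offline.
const SECRET_NAME_RE = /SECRET|PASSWORD|TOKEN|KEY/i;

class SecretAuditPlugin {
  // The framework constructs every plugin with (serverless, options) and then
  // reads its `hooks` map. That is the whole contract, and it is enough to
  // give the plugin the full service definition and to run any code it likes
  // with the deployer's credentials.
  constructor(serverless, options = {}) {
    this.serverless = serverless;
    this.options = options;
    this.findings = [];
    this.summary = null;
    this.hooks = {
      'before:deploy:deploy': this.beforeDeploy.bind(this),
      'deploy:finalize': this.afterDeploy.bind(this),
    };
  }

  // Runs before the package is uploaded. Everything in serverless.yml is
  // reachable here, including environment variables; this plugin only reports
  // names that look like secrets, but a malicious one could read the values.
  beforeDeploy() {
    const svc = this.serverless.service;
    const providerEnv = (svc.provider && svc.provider.environment) || {};
    for (const name of Object.keys(providerEnv)) {
      if (SECRET_NAME_RE.test(name)) this.findings.push(`provider.environment.${name}`);
    }
    for (const fnName of svc.getAllFunctions()) {
      const fnEnv = svc.getFunction(fnName).environment || {};
      for (const name of Object.keys(fnEnv)) {
        if (SECRET_NAME_RE.test(name)) this.findings.push(`functions.${fnName}.environment.${name}`);
      }
    }
    if (this.findings.length > 0 && this.options.failOnSecrets) {
      throw new Error(`refusing to deploy, plaintext secret-like variables: ${this.findings.join(', ')}`);
    }
  }

  // Runs after the stack update; a typical place to record what went out.
  afterDeploy() {
    const svc = this.serverless.service;
    this.summary = {
      service: svc.service,
      stage: svc.provider.stage,
      region: svc.provider.region,
      functions: svc.getAllFunctions().length,
    };
  }
}

// Stand-in for the framework's plugin manager: fire lifecycle events in order
// and call each plugin's hook for that event, if it registered one.
function runLifecycle(plugins, events) {
  const fired = [];
  for (const event of events) {
    for (const plugin of plugins) {
      const hook = plugin.hooks[event];
      if (hook) {
        hook();
        fired.push(`${plugin.constructor.name}@${event}`);
      }
    }
  }
  return fired;
}

// Constructed stand-in for the parsed serverless.yml, exposing the two
// Service accessors the plugin uses.
function makeService() {
  const functions = {
    login: { handler: 'auth.login', environment: { JWT_SECRET: 'change-me' } },
    health: { handler: 'ops.health' },
  };
  return {
    service: 'demo-api',
    provider: {
      name: 'aws', stage: 'dev', region: 'us-east-1',
      environment: { DB_PASSWORD: 'hunter2', LOG_LEVEL: 'info' },
    },
    functions,
    getAllFunctions: () => Object.keys(functions),
    getFunction: (name) => functions[name],
  };
}

const LIFECYCLE = ['before:deploy:deploy', 'deploy:deploy', 'deploy:finalize'];
const serverless = { service: makeService() };
const auditPlugin = new SecretAuditPlugin(serverless, { failOnSecrets: false });
const fired = runLifecycle([auditPlugin], LIFECYCLE);
console.log('hooks fired:', fired);
console.log('secret-like variables visible to the plugin:', auditPlugin.findings);
console.log('deploy summary:', auditPlugin.summary);
```

When reviewing a third-party plugin, the hook bodies are where to look: what they read from `this.serverless.service`, whether they reach the provider object that carries the cloud credentials, and whether they spawn processes or make network requests that have nothing to do with the deploy.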


The days of having one email address are over. We are putting all our eggs in one basket by having one address. If someone hacks that account, we could be in big trouble.

Guessing An Email Address

Guessing an email address can be easy. We can guess an email address by trying any of the following:


What is the chance you have this email address?

Social Media Accounts

We often post too much information on social media accounts. We post our name, location, recent activity, links, and more. Someone can use this information to infer much more about us. They can guess an email address, figure out…


A few friends and I chat about stocks, share ideas, and encourage each other. A few months ago, I realized we needed some automation to help us find winners. I chose to use a serverless solution to build this system.

There are many good stocks and finding them takes time. We can find them by reading articles, using stock tools, getting tips from Twitter, and many other ways. With so many ways to find stock candidates, we needed to define the process.

Finding a Screener

We decided was a good source to start our automation. One of our team members is a…

When I started working with the Serverless Framework I was curious about the security aspect. Previously, I was an information assurance (IA) engineer working on cybersecurity for US government military systems and I had become accustomed to using well-defined processes and requirements as an IA engineer.

The systems we were securing were part of a vast network of other systems with strict IA requirements. The threats seemed limited, and implementing cybersecurity was, in many cases, a matter of following checklists and requirements. But cybersecurity in the world of serverless development was a new frontier.

The more I worked with serverless…

Do your serverless deployments go like this?

It’s so easy to quickly deploy serverless resources. Because of this, we should follow best practices to protect our resources, applications, and cloud service provider accounts. Here are some best practices for you to consider.

1. Keep Functions Small

A serverless function should perform one specific task. Just as a function or method in any code base should do one thing (e.g., increment a counter, transform data), a serverless function should perform one logical function. For example, you would create one serverless function for validating a login, another for validating a login session, and another for deactivating a login session. …

Miguel A. Calles MBA

Miguel is the author of the “Serverless Security” book, and a cybersecurity engineer.
