Blog

Cybersecurity Programs: Supporting Remote Work Securely
March 16, 2022

On Friday we wrote a blog post that talked about remote work and security from a worker's perspective. We included a checklist. In this post, we want to develop that idea and talk about it more generally from a company and IT strategy perspective. We'll start with some pictures to illustrate some of the issues. […]
Security Hires: Your First Security Hire
May 13, 2020

We often talk with companies that are thinking about hiring an FTE to help them with security. This post covers some of our thoughts and experiences in this area. As with many areas of security, there is no one-size-fits-all approach that works here, but there are some pitfalls and ways to make […]
Developer Resource: Why Developers Matter For Security
November 7, 2019

This post talks about the critical importance of actively engaging software developers in security activities and presents a few timely real-world examples where this was not done sufficiently and companies paid the price. Robinhood Gold: The first example this week is from Robinhood. Robinhood is a low-cost trading platform. It turns out that […]
Developer Resource: Don't rely on X-XSS-Protection to protect you from XSS
November 28, 2018

The X-XSS-Protection header only helps protect against certain reflected XSS attacks. It does nothing for stored XSS attacks. Don't rely on it to protect your site from XSS! What it can do: block reflected XSS attacks. Reflected XSS occurs when a malicious query parameter in a page's URL is rendered unsanitized on the page. The […]
Developer Resource: Security Culture - Introducing OWASP
January 8, 2022

In the latest video of our Security Culture series we give a 2 minute overview of OWASP.org, an amazing resource for developers. OWASP resources include the Top 10, ASVS, Testing Guides, Proactive Controls, tools such as Glue, Dependency Check, Amass, ZAP and DefectDojo, conferences like Global AppSec and AppSec California, and local chapter meetings.
Incident Response: Log4J Security Issue
December 15, 2021

This post is a quick summary around the Log4J security issues happening in December 2021. It includes a summary, a video, a PDF of slides we presented and extensive references. The TL;DR is: update Log4J to 2.16.0 and keep watching for subsequent updates. The 10,000 Foot View Summary of The Issue: Log4J is a widely […]
Security Automation: Pipeline Security Automation
August 11, 2021

This post talks about how we approach security automation in BitBucket Pipelines. It also introduces some new open source tools we built and use in the process. Security In Pipelines: We've written before about using GitHub Actions and provided an Action-friendly "workflow" with our Crush tool. At a high level, Pipelines and Actions just […]
Cloud Security: Cloud Security Auditing With Steampipe
June 25, 2021

This post talks about how we use different tools to accomplish different tasks in a cloud security context, zooming in on Steampipe as a tool that should make it very easy to prepare for and meet audit requirements. Cloud Security Auditing: There are a couple of different things that we think of when we think […]
Incident Response: Email from a Security Researcher
February 23, 2021

Yesterday, for the Nth time, a client had a "security researcher" send an email about a "high-impact" security vulnerability. I've crafted this response a few times so I figured I would blog about it. Email from a Security Researcher: So here's the email: Hi <name>, I'm <"researcher" name>, a penetration tester, and I have found […]
Incident Response: Epic Security Failure and Risk
December 17, 2020

All I could do was facepalm after somebody pointed me to an article about how Microsoft unleashed a death star on hackers … "Microsoft unleashes 'Death Star' on SolarWinds hackers in extraordinary response to breach" (GeekWire article). Let's talk about failure. Start with Sympathy: Look, it's a bad situation. Lots of IT and Security folks are […]
Risk Management: Risk and Threat Modeling with Mind Maps
November 10, 2020

In security we talk a lot about understanding risk. That informs the advice we give and decisions we make. A tool I like to use for brainstorming about risk is a threat model in the form of a mind map. It is a simple starting point for thinking about threats. In this post, we'll talk […]
Security Trends: Let's Talk About Blockchain
October 28, 2020

Let's talk about Blockchain. I think many people in the security world are already appropriately skeptical of all of the "let's use blockchain for this" trends, but in this post we wanted to dig into it a bit and talk about why not to use blockchain. What Is Blockchain: Blockchain isn't just one thing really, […]
Security Trends: Crush Github Action
October 20, 2020

Everyone is talking about pushing left. I feel like I've been talking about Agile Security since like 2010. Whatever we're going to call it, the idea is that we want to be able to do our work earlier in the development process where developers can touch and feel it. It's not all about tools: Although […]
© 2019-2022 Jemurai. All rights reserved.