Introduction We have two types of projects that often uncover secrets being shared in ways that aren’t well thought through. During code review, it is actually rare that we do not find some sort of secret. Maybe a database password or maybe an ssh key. Sometimes, it is AWS credentials. We’ve even built our own […]
It is interesting … in the wake of Equifax and other recent news, The Atlantic has published several articles about software: Saving the World From Code The Banality of the Equifax Breach I say it is interesting because I am completely torn about both of them. On the one hand, they are correct. The Equifax […]
Introduction Late last week (around 9/15/2017) it was reported that the CIO and CSO at Equifax “resigned”. Equifax stock is down by around 30%. The FTC is launching an investigation and findings and settlements are likely to be in the $100’s of millions or more. Clearly there are going to be short and medium term impact […]
The recent Equifax data breach may have exposed Personally Identifiable Information (PII) on over 143 millions Americans. It appears that this breach was caused by a Struts vulnerability – which allows a remote user to run code on a site. This vulnerability would be categorized under #9 of the OWASP Top 10 list of the Most Critical […]
Here’s a deep dark secret: I don’t particularly like security policy. I don’t always follow policy. Goodness knows that with the 50-250 page policies I’ve seen, I didn’t even understand the whole policy at a legal level – and if you don’t understand them at a legal level can you really say you’re following them? […]
Incubator At Jemurai, we have started incubating products. We love security consulting and the engineering we do there, but there is something amazing about building a product. In particular, I constantly crave the experience of pushing the limit and trying something new and a little different. I’m even embracing marketing and failing fast. So each […]
We spend a fair amount of time building and using OWASP Glue to improve security automation at clients. The idea is generally to make it easy to run tools from CI/CD (eg. Jenkins) and collect results in JIRA. In a way, Glue is like ThreadFix or other frameworks that collect results from different tools. Recently, […]
At clients, we work to make sure the best information is available to: Debug an application Track what happens in an application Produce security signal for monitoring Often, developers or security folks think of these as overlapping. We hear: “We’re using Log4J wrapped with SLF4J, it seems really redundant to do anything else.” In practice, […]
Today I gave a talk at a company’s internal security conference about automation. The slides are on speakerdeck. A video is on Vimeo. The point of the talk was threefold: Explain where automation works well and examples of where we use it with OWASP Glue Explain newish cool automation like cloud analysis and pre-audit preparation […]
Here at Jemurai, we have at least a few Hamilton fans. OK, I might be the biggest … but I’m definitely not alone. At our quarterly meeting in early April, we were talking about our window of opportunity and “not throwing away our shot”, and somehow we started talking about “The Ten Duel Commandments” song and […]
Labs
