Blog

Thinking About Secrets
October 19, 2017

Introduction. We have two types of projects that often uncover secrets being shared in ways that aren't well thought through. During code review, it is actually rare that we do not find some sort of secret. Maybe a database password or maybe an ssh key. Sometimes, it is AWS credentials. We've even built our own […]
[Security Breaches] Popular Media Coverage of Software and Formal Methods
October 15, 2017

It is interesting … in the wake of Equifax and other recent news, The Atlantic has published several articles about software: "Saving the World From Code" and "The Banality of the Equifax Breach". I say it is interesting because I am completely torn about both of them. On the one hand, they are correct. The Equifax […]
Equifax: What's the Score
September 18, 2017

Introduction. Late last week (around 9/15/2017) it was reported that the CIO and CSO at Equifax "resigned". Equifax stock is down by around 30%. The FTC is launching an investigation, and findings and settlements are likely to be in the $100's of millions or more. Clearly there are going to be short and medium term impacts […]
[Security Breaches] Mitigating the Vulnerability Widely Thought to Have Caused the Equifax Breach
September 12, 2017

The recent Equifax data breach may have exposed Personally Identifiable Information (PII) on over 143 million Americans. It appears that this breach was caused by a Struts vulnerability, which allows a remote user to run code on a site. This vulnerability would be categorized under #9 of the OWASP Top 10 list of the Most Critical […]
Security Policies Rebooted
August 15, 2017

Here's a deep dark secret: I don't particularly like security policy. I don't always follow policy. Goodness knows that with the 50-250 page policies I've seen, I didn't even understand the whole policy at a legal level, and if you don't understand them at a legal level can you really say you're following them? […]
Incubator: Canary Data
August 7, 2017

Incubator. At Jemurai, we have started incubating products. We love security consulting and the engineering we do there, but there is something amazing about building a product. In particular, I constantly crave the experience of pushing the limit and trying something new and a little different. I'm even embracing marketing and failing fast. So each […]
[Developer Resource] Glue 0.9.4 and Scout2
July 29, 2017

We spend a fair amount of time building and using OWASP Glue to improve security automation at clients. The idea is generally to make it easy to run tools from CI/CD (e.g. Jenkins) and collect results in JIRA. In a way, Glue is like ThreadFix or other frameworks that collect results from different tools. Recently, […]
[Developer Resource] Signal, Audit and Logging: Introduction
July 6, 2017

At clients, we work to make sure the best information is available to: debug an application; track what happens in an application; produce security signal for monitoring. Often, developers or security folks think of these as overlapping. We hear: "We're using Log4J wrapped with SLF4J, it seems really redundant to do anything else." In practice, […]
[Application Security] Automate All The Things
June 28, 2017

Today I gave a talk at a company's internal security conference about automation. The slides are on Speaker Deck. A video is on Vimeo. The point of the talk was threefold: explain where automation works well and examples of where we use it with OWASP Glue; explain newish cool automation like cloud analysis and pre-audit preparation […]
The 10 OWASP Commandments
May 15, 2017

Here at Jemurai, we have at least a few Hamilton fans. OK, I might be the biggest … but I'm definitely not alone. At our quarterly meeting in early April, we were talking about our window of opportunity and "not throwing away our shot", and somehow we started talking about "The Ten Duel Commandments" song and […]
© 2019-2022 Jemurai. All rights reserved.