Something that is really hard about application security is that it isn’t something you can just point a tool at and be finished at some point in time. It is always going to take ongoing work. I like to use the analogy of a garden. Both the plants in the garden and the conditions around them change […]
In keeping with an all too popular industry practice of producing year end Top 10 lists, at Jemurai we developed a Top 5.5 Application Security Trends for 2018. It is obviously meant to be a little bit fun, given the “Top 5.5” title, but we tried to capture what we think are significant important things […]
I’ve seen policies from lots of companies big and small. Generally, I’m a techie engineer so I don’t love policy. I’ve also seen a fair number of companies that clearly don’t follow their policy. I’ve also seen companies that get certifications like SOC2 and ISO that are meaningless because they systematically lie and their auditors […]
More often than I’d care to say, I work on projects where a client has a vulnerability spreadsheet to rule them all. They’re using the spreadsheet to track all of the open items that were found across all of their projects with different tools and pentests. One initial interesting point is that these companies don’t […]
Introduction We have two types of projects that often uncover secrets being shared in ways that aren’t well thought through. During code review, it is actually rare that we do not find some sort of secret. Maybe a database password or maybe an ssh key. Sometimes, it is AWS credentials. We’ve even built our own […]
It is interesting … in the wake of Equifax and other recent news, The Atlantic has published several articles about software: Saving the World From Code The Banality of the Equifax Breach I say it is interesting because I am completely torn about both of them. On the one hand, they are correct. The Equifax […]
Introduction Late last week (around 9/15/2017) it was reported that the CIO and CSO at Equifax “resigned”. Equifax stock is down by around 30%. The FTC is launching an investigation and findings and settlements are likely to be in the $100’s of millions or more. Clearly there are going to be short and medium term impact […]
The recent Equifax data breach may have exposed Personally Identifiable Information (PII) on over 143 millions Americans. It appears that this breach was caused by a Struts vulnerability – which allows a remote user to run code on a site. This vulnerability would be categorized under #9 of the OWASP Top 10 list of the Most Critical […]
Here’s a deep dark secret: I don’t particularly like security policy. I don’t always follow policy. Goodness knows that with the 50-250 page policies I’ve seen, I didn’t even understand the whole policy at a legal level – and if you don’t understand them at a legal level can you really say you’re following them? […]
Incubator At Jemurai, we have started incubating products. We love security consulting and the engineering we do there, but there is something amazing about building a product. In particular, I constantly crave the experience of pushing the limit and trying something new and a little different. I’m even embracing marketing and failing fast. So each […]
