Tend Your Digital Garden
January 25, 2018

Something that is really hard about application security is that it isn’t something you can just point a tool at and be finished at some point in time.  It is always going to take ongoing work.  I like to use the analogy of a garden.  Both the plants in the garden and the conditions around them change […]

Top 5.5 AppSec Predictions Sure To Go Wrong
January 18, 2018

In keeping with an all too popular industry practice of producing year-end Top 10 lists, at Jemurai we developed a Top 5.5 Application Security Trends for 2018.  It is obviously meant to be a little bit fun, given the “Top 5.5” title, but we tried to capture what we think are significant, important things […]

Turns Out Policy in Markdown in Github Works!
January 12, 2018

I’ve seen policies from lots of companies big and small.  Generally, I’m a techie engineer so I don’t love policy.  I’ve also seen a fair number of companies that clearly don’t follow their policy.  I’ve also seen companies that get certifications like SOC2 and ISO that are meaningless because they systematically lie and their auditors […]

Your Vulnerability Spreadsheet Says More Than You Think
January 9, 2018

More often than I’d care to say, I work on projects where a client has a vulnerability spreadsheet to rule them all.  They’re using the spreadsheet to track all of the open items that were found across all of their projects with different tools and pentests. One initial interesting point is that these companies don’t […]

Thinking About Secrets
October 19, 2017

Introduction
We have two types of projects that often uncover secrets being shared in ways that aren’t well thought through. During code review, it is actually rare that we do not find some sort of secret.  Maybe a database password or maybe an ssh key.  Sometimes, it is AWS credentials.  We’ve even built our own […]

Popular Media Coverage of Software and Formal Methods
October 15, 2017

It is interesting … in the wake of Equifax and other recent news, The Atlantic has published several articles about software: “Saving the World From Code” and “The Banality of the Equifax Breach”. I say it is interesting because I am completely torn about both of them.  On the one hand, they are correct.  The Equifax […]

Equifax: What’s the Score
September 18, 2017

Introduction
Late last week (around 9/15/2017) it was reported that the CIO and CSO at Equifax “resigned”.  Equifax stock is down by around 30%.  The FTC is launching an investigation and findings and settlements are likely to be in the $100’s of millions or more.  Clearly there are going to be short and medium term impact […]

Mitigating the Vulnerability Widely Thought to Have Caused the Equifax Breach
September 12, 2017

The recent Equifax data breach may have exposed Personally Identifiable Information (PII) on over 143 million Americans. It appears that this breach was caused by a Struts vulnerability – which allows a remote user to run code on a site. This vulnerability would be categorized under #9 of the OWASP Top 10 list of the Most Critical […]

Security Policies Rebooted
August 15, 2017

Here’s a deep dark secret:  I don’t particularly like security policy.  I don’t always follow policy.  Goodness knows that with the 50-250 page policies I’ve seen, I didn’t even understand the whole policy at a legal level – and if you don’t understand them at a legal level can you really say you’re following them? […]

Incubator: Canary Data
August 7, 2017

Incubator
At Jemurai, we have started incubating products.  We love security consulting and the engineering we do there, but there is something amazing about building a product.  In particular, I constantly crave the experience of pushing the limit and trying something new and a little different.  I’m even embracing marketing and failing fast.  So each […]

© 2019-2023 Jemurai. All rights reserved.