In the latest video of our Security Culture series we talk about passwords and password managers. You can also listen in on our podcast. Password Problems The first thing to know is that weak passwords are often the easiest way to get access to information. People: Choose really simple passwords, like password or abcd1234 When […]
Over the past two months we’ve been hearing a lot of buzz about CMMC, both with active customers and security partners. In this post, we will talk about our initial high level reaction to the significant new standard. We’re doing a webinar on March 4 at 1:00 PM CST with a customer, CalcuQuote, to talk […]
In the latest video of our Security Culture series we talk about testing for authorization. You can also listen in on our podcast. Authorization Authorization is the idea that a user can only do what they should be able to based on their role. It is synonymous with access control. Consider the case of a […]
In the latest video of our Security Culture series we talk about handling secrets. You can also listen in on our podcast. What Is a Secret What is a secret? In this context, a secret could be any of the following: A database password An SSH Key A private key An API Key An AWS […]
In the latest video of our Security Culture series we talk about static analysis. You can also listen in on our podcast. There are a lot of static analysis tools out there. The simplest might be eslint, for which there are even security rulesets - the docs for which have some handy illustrations for the […]
In the latest video of our Security Culture series we talk about why patching is so important. Patching is the process of updating software. This applies to laptops, phones and servers. It even applies to services running on our servers, like web servers or database servers. It can also refer to the libraries we use […]
In the latest video of our Security Culture series we give a quick summary of 3 gift card scams we’ve seen recently. This topic is less technical and more social engineering focused, but it is relevant to developers and general audiences alike. In the first scam, I got an email from someone I know. It […]
Dependency management has become a very important part of insuring the security of your applications. We’ve written about it many times in the past and even highlighted some horror stories from the Node community where it’s not uncommon for a single project to have hundreds or thousands of dependencies developed and maintained by a variety […]
In the latest video of our Security Culture series we give a 2 minute overview of Injection, which is a serious class of vulnerability that can happen in any language. Injection happens when user inputted data is treated as part of an OS command or part of a query - usually through string concatenation. As […]
We often do code review for companies. Code review is a great control whether or not you are running SAST or other tools, and we look for different things depending on the circumstances. Sometimes the review identifies gaps in authorization that tools can’t find anyway. Other times the language (eg. Clojure or Elixir) is poorly […]
