Blog

Its been an exhilarating few weeks.  I had to remind myself to take a breath and blog today. What’s new-ish is that, we have a core team working on a new platform for security automation.  It extends the work we’ve done with Glue and other ideas taken from a great sample of client consulting engagements.  […]

Several times in the last few weeks we have looked at applications that have significant issues with “impersonation” features.  What is impersonation? an act of pretending to be another person for the purpose of entertainment or fraud.  (From Google.) In practice, impersonation is a feature that is commonly implemented to allow Customer Support to “see […]

I recently got asked about best practices for dependency management by an old colleague.  In response, I wrote the following which I realized might be useful to a broader audience. So … things like github’s new notification on this have been automated via platforms like CodeClimate or via Jenkins internally at dev shops for a […]

I have gone to great lengths to strictly separate my OWASP activities from my Jemurai activities in an effort to honor the open and non-commercial aspects of OWASP to which I have committed so much volunteer time and energy. Today I want to cross the streams for a very specific reason, not to promote Jemurai […]

We work with companies building security programs a lot. Across all aspects of the program, the word inventory is a term that seems to have a surprisingly high level of general awareness but a surprisingly low level of common definition. in·ven·to·ry     ˈinvənˌtôrē/ noun 1. a complete list of items such as property, goods in stock, […]

Here’s an interesting slightly different spin on the otherwise tired “Open Source” vs. “Closed Source” being more secure debate! The topic is inspired by a conversation with a client that is using a whole slew of old open source libraries.  They know they need to update those libraries, but it is very difficult because they […]

Something that is really hard about application security is that it isn’t something you can just point a tool at and be finished at some point in time.  It is always going to take ongoing work.  I like to use the analogy of a garden.  Both the plants in the garden and the conditions around them change […]

In keeping with an all too popular industry practice of producing year end Top 10 lists, at Jemurai we developed a Top 5.5 Application Security Trends for 2018.  It is obviously meant to be a little bit fun, given the “Top 5.5” title, but we tried to capture what we think are significant important things […]

I’ve seen policies from lots of companies big and small.  Generally, I’m a techie engineer so I don’t love policy.  I’ve also seen a fair number of companies that clearly don’t follow their policy.  I’ve also seen companies that get certifications like SOC2 and ISO that are meaningless because they systematically lie and their auditors […]

More often than I’d care to say, I work on projects where a client has a vulnerability spreadsheet to rule them all.  They’re using the spreadsheet to track all of the open items that were found across all of their projects with different tools and pentests. One initial interesting point is that these companies don’t […]