Do you remember Maslow's Hierarchy of Needs? How humans need food and water before they can start thinking about self-actualization? This post talks about the first level in a theoretical security hierarchy of needs.
How to make sure you get your money's worth from a penetration test: what to ask for, and how to tell a great vendor from a scan factory.
The other day we were giving developers security training around server-side request forgery (SSRF). We see this all the time now (see this great and detailed post by our team on SSRF in Real Life). It can be shockingly damaging. In any case, during the training the developers brought up a very interesting […]
We recently updated the Jemurai website, modeling it after the new securityprogram.io website, which we really like (shout out to our web design friends at sweetandfizzy.com, who did so much more than help with the design of the site). As we did that, we realized we needed to be clearer about what we do, […]
On Friday we wrote a blog post that talked about remote work and security from a worker's perspective. We included a checklist. In this post, we want to develop that idea and talk about it more generally from a company and IT strategy perspective. We'll start with some pictures to illustrate some of the issues. […]
In the latest video of our Security Culture series we give a 2 minute overview of OWASP.org, an amazing resource for developers. OWASP Resources. OWASP resources include: the Top 10, ASVS, the Testing Guides, the Proactive Controls, tools such as Glue, Dependency Check, Amass, ZAP and DefectDojo, conferences like Global AppSec, AppSec California, etc., and local chapter meetings.
This post is a quick summary of the Log4J security issues happening in December 2021. It includes a summary, a video, a PDF of slides we presented and extensive references. The TL;DR is: update Log4J to 2.16.0 and keep watching for subsequent updates. The 10,000 Foot View: Summary of the Issue. Log4J is a widely […]
This post talks about how we approach security automation in BitBucket Pipelines. It also introduces some new open source tools we built and use in the process. Security in Pipelines. We've written before about using GitHub Actions and provided an Action-friendly "workflow" with our Crush tool. At a high level, Pipelines and Actions just […]
This post talks about how we use different tools to accomplish different tasks in a cloud security context, zooming in on Steampipe as a tool that should make it very easy to prepare for and meet audit requirements. Cloud Security Auditing. There are a couple of different things that we think of when we think […]
Yesterday, for the Nth time, a client had a "security researcher" send an email about a "high-impact" security vulnerability. I've crafted this response a few times, so I figured I would blog about it. Email from a Security Researcher. So here's the email: Hi <name>, I'm <"researcher" name>, a penetration tester, and I have found […]