Articles tagged with "Guidance"
Credit: Photo by Eric Prouzet
100,000 People Have Been Laid Off, What’s Next
A hiring manager and a recruiter’s guide to getting hired. This post is a collaboration between me, Joe Basirico, and one of the best tech recruiters in the industry, Ellen McGarrity. You can learn more about Joe on this website. Throughout you can read Ellen’s take, in her own words in blue text
Ellen has spent her 18-year career focused on recruiting in the software tech industry at both large (Microsoft, Amazon, Salesforce) and small (Tableau, Highspot) companies.
Read more >>
Credit: Patrick Tomasso @ Unsplash
AppSec Strategy for AWS Cloud SaaS
Purpose The purpose of this document is to outline an application security strategy and roadmap for AWS Cloud SaaS applications, covering both application security concerns as well as AWS specific infrastructure. This is a checklist style article to help start conversations and give you information to perform further research. I’ve referenced other white papers and further reading available for more information throughout.
Application Security An effective application security program will reduce security risk associated with code development while keeping disruption to the normal SDLC processes to a minimum.
Read more >>
Credit: Daniel McCullough @ Unsplash
System Design for Security
My background is as a developer and a security professional, so when I had to learn system design I approached it from that perspective. While I was familiar with many of these concepts, I decided that I had to learn it in depth and in earnest. Now that I know more, I’m convinced that every developer and every security professional should understand these concepts. For all of you who are like me and want to learn more, here’s an overview to help you think about system design, coming at it from a mindset of application security.
Read more >>
Credit: Barry Weatherall @ Unsplash
AppSec Vulnerability Cheatsheet
There are a number of places online where you can find details about application security vulnerabilities, but it is surprisingly hard to find a single location that provides a summary of all the most important vulnerabilities to be aware of.
While any high-risk vulnerability is worth fixing, It’s worth adding a layer of prioritization around the most common vulnerabilities that are being used in attacks and exploits.
The following statistics were reported by Contrast Security.
Read more >>
Credit: Joe Basirico
Phase One of Appsec Engineering: Awareness
This is part of a series Introduction Awareness (you are here) Enablement (coming soon) Enforcement (coming soon) Last week I published a post introducing three important phases of AppSec Engineering: Awareness, Enablement, and Enforcement. Over the next three posts I will dive into each of these topics to share best practices and guidelines you can roll out to optimize your security engineering practice.
In my experience, the best AppSec programs start with AppSec awareness training.
Read more >>
Credit: Joe Basirico
The Three Phases of Appsec Engineering
This is part of a series Introduction (you are here) Awareness Enablement (coming soon) Enforcement (coming soon) In order for an AppSec team to collaborate effectively with development teams they should think in three phases: Awareness, Enablement, and Enforcement. This month I’ll be dedicating an article to each. The focus of these articles will be on the critically important area of application security, focused on the roles involved in building software: developers (DevOps), testers, and architects.
Read more >>
Credit: Alan Bishop @ unsplash
Mini-Post: Stop Acting Like Phishers
There are two sides to preventing a successful phishing attack. The first side is focusing on the user; trying to train users to identify phishing attacks and to protect themselves from these types of attacks. Training is important, but there’s a responsibility on the company to act in a way that does not emulate common phishing techniques and set your users up for failure.
The second side of the successful phishing attack is the software and technology side.
Read more >>
Credit: Joe Basirico
Mini-Post: Reducing Vulnerability Classes to Near Zero Through Secure Defaults and Good Choices
“If you could wave a magic wand and do anything to reduce vulnerabilities, what would you do?”
Some common answers are things like training and education, forcing penetration testing, better tools, and smarter users, but none of these things really strike at the core of the issue. Where is the vulnerability garden? Where are those vulnerabilities planted? Can we make that soil hostile to vulnerabilities and rich for good coding practices?
Read more >>
Credit: Visual Cinnamon & NY Times
You Have an Obligation to Fight for Privacy
Note: The header image was created by Visual Cinnamon for The New York Times on an opinion piece on digital trackers.
By now everyone is familiar and desensitized to cookie popups that bombard us on our first visit to almost every. These cookie consent alerts are there for a reason, they are required by new legislation such as GDPR and the California CPA. This legislation has been introduced to try to protect consumers from boundless data collection policies , which is a laudable goal.
Read more >>
Credit: Pexels
How to Scale an Application Security Program - Part Two
In my last blog post, I wrote about what an application security program is and why it matters. In this post, I’ll cover what it takes to build and scale an effective application security program. I’ve seen many different ways that a well-intentioned program can fail to meet its objectives. While there may be many ways to fail, there are just a few key characteristics that lead to success.
The program must be:
Read more >>
Credit: Pexels
How to Scale an Application Security Program - Part One
In the late 1990s I worked on the security team for Internet Explorer. In fact, I was the first hire that Microsoft made in response to an influx of browser-based security vulnerabilities. I got to see what it looks like when a development team is bombarded by security problems that are serious enough to require a response and yet there’s no process to handle it. In the early days we would get at least one new vulnerability each week.
Read more >>
Credit: Kroll Historical Maps
A Traveler's Method of Learning Technology
My favorite thing about my career in security consulting has been the constant opportunity to learn new topics. Security weaves itself through every aspect of software, and software is everywhere. The phone in your pocket, the bluetooth chip in your headphones, your automobile, and the SCADA systems you rely upon every day execute millions of lines of code on your behalf. The idea that each of those systems gives me the opportunity to gain new knowledge is truly exciting.
Read more >>
Defense in Depth, What I Should Have Done to Save Myself From Dire Injury
I caught three of my fingers in a tablesaw this last weekend, which caused a severe hand injury, mangling my fingers, tearing off my fingernails, and breaking the bones. It was pretty terrible, but luckily the hand surgeon says I should have a complete recovery in a few months.
Me being me, this got me thinking about some of the things that I could’ve done to mitigate the injury before it happened.
Read more >>