June 20, 2019
May 20, 2019
DevSecOps intro
A couple of resources I found interesting lately:
- Pretty good introduction to DevSecOps, in the first half hour of this video.
- Short article on why we want to shift security left.
And a few thoughts and quotes I stole..ehm..gathered from people that are smarter than me:
- Teams that do peer reviews for all their code are usually doing real DevOps (this was used to distinguish real DevOps from just using devopsie tools and calling it a day. DevOps is not just about tools!).
- Every time I do an architecture review (from a security perspective), I should ask myself: how do I make sure that next time I don't need to perform this? Automate it or teach a developer to do it, because security engineers can't scale to all the dev teams of any company.
- If we have embraced CI/CD, there is no room for a manual security gate/audit/review. Everything has to be automated, short-cycled and repeatable!
March 31, 2019
Phishing is "improving"
This reddit thread warns us that if we get a call claiming to be from our bank or another organization, we should not give out any private info; instead we should end the call and call them back on a verified official number, even if the incoming call appears to originate from that number.
The reason is that the traditional phone system is vulnerable to number spoofing, so caller ID cannot be trusted. So, this is one more thing to remember, on top of SMS being easy to intercept.
Good luck explaining this attack & defense to elderly laymen 😨.
March 20, 2019
Meta: Management and employee retention
A few articles that I like, explaining how employee motivation works.
Great for all managers, pretty interesting for the rest of us.
- must-read: Why your employees are losing motivation,
- should-read: A bit over-sensational, but this guy is right, remove the toxic people from your company!
- could-read: A view of a millennial, catching some important points nicely (although I don't agree with everything).
November 18, 2018
DevSecCon London 2018 takeaways
I recently visited DevSecCon London 2018 and kept notes of my takeaways. Read about them in this Google Doc and feel free to comment on it.
November 6, 2018
IoT security
Here's the best recent article/opinion I've read on IoT security, written by Bruce Schneier.
It touches upon the market dynamics and covers the inevitable government regulation.
Very well put! Highly recommended read.
September 12, 2018
Handy tool to check CSP
https://blog.thomasorlita.cz/vulns/google-csp-evaluator/
Useful to defenders and attackers (bug bounty hunters?) alike.
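To show what such a checker actually looks for, here is a small CSP linter I added for this post. It is my own example, not the Google CSP Evaluator linked above and not code from its author: it parses a Content-Security-Policy header value and flags the weaknesses a defender reviews first (inline scripts without a nonce or hash, eval, wildcard or plaintext script sources, missing object-src and base-uri). The sample policies in the comments are constructed.

```python
"""Minimal Content-Security-Policy linter (added example, not the
Google CSP Evaluator). Parses a header value and reports common
script-execution weaknesses from a defender's point of view."""
from typing import Dict, List

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    Directive names are case-insensitive and, per the CSP spec, the first
    occurrence of a directive wins; later duplicates are ignored."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def find_csp_issues(header: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    policy = parse_csp(header)
    issues: List[str] = []

    # script-src governs script execution; default-src is the fallback.
    if "script-src" in policy:
        governing = "script-src"
    elif "default-src" in policy:
        governing = "default-src"
    else:
        return ["no script-src or default-src: scripts from anywhere are allowed"]

    sources = policy[governing]
    lowered = [s.lower() for s in sources]

    # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline',
    # so the common backward-compatibility pattern is not flagged.
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        issues.append(f"{governing}: 'unsafe-inline' without a nonce/hash allows injected inline scripts")
    if "'unsafe-eval'" in lowered:
        issues.append(f"{governing}: 'unsafe-eval' allows eval()-style code execution")

    for src in sources:
        ls = src.lower()
        if ls == "*" or ls in ("http:", "https:"):
            issues.append(f"{governing}: wildcard source {src} allows scripts from any origin")
        elif ls.startswith("http://"):
            issues.append(f"{governing}: plaintext source {src} can be tampered with in transit")
        elif "*." in ls:
            issues.append(f"{governing}: wildcard host {src} trusts every subdomain")

    # object-src only falls back to default-src; without either, plugins are unrestricted.
    if "object-src" not in policy and "default-src" not in policy:
        issues.append("object-src missing: plugin content is not restricted")
    # base-uri never falls back to default-src.
    if "base-uri" not in policy:
        issues.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return issues


if __name__ == "__main__":
    # Constructed sample policies: a weak one and a nonce-based strict one.
    weak = ("default-src 'self'; script-src 'self' 'unsafe-inline' "
            "https://*.example.com http://cdn.example.org")
    strong = ("default-src 'none'; script-src 'nonce-r4nd0m' 'unsafe-inline' "
              "'strict-dynamic'; object-src 'none'; base-uri 'none'")
    for label, policy in (("weak", weak), ("strong", strong)):
        print(label, find_csp_issues(policy) or ["no issues found"])
```

The linter only covers the script-execution directives; a full evaluator also reasons about known JSONP endpoints on whitelisted hosts and reporting directives, which is exactly why a maintained tool is worth bookmarking.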