In order to reduce the risk to our applications, we must start hiring resources that come in with some level of secure development knowledge. As a matter of fact, it shouldn't even be thought of as security knowledge, but just good development knowledge. Job Description The first question that pops up is around writing job descriptions. How much "security" should be in a job description for a developer role? Does it change from entry level engineer to a senior level engineer? I think there … [Read more...] about Tips for hiring developers with security experience
When we think about HTTP vs. HTTPS, we often focus on the risk to sensitive information. HTTP transmits our data in clear-text, while HTTPS encrypts the data to stop people from snooping. But that is not all that HTTPS does. What about tampering? One of the other key aspects of HTTPS is to protect our communication with the server from tampering. In this case, we would be concerned with someone being able to manipulate the responses that are sent back to the user's browser. While no sensitive … [Read more...] about HTTPS Isn’t Just For Sensitive Info
Everyone has heard of the Colonial pipeline attack that happened a while back. The company that provides fuel across the East coast shut down that fuel supply due to ransomware on their systems. This sparked a huge push for ICS security. It got a lot of people talking about critical infrastructure and how the world will end with a single cyber attack. I don't disagree that these systems are at risk or that they shouldn't be secured. This is something that we should be focusing on in general to … [Read more...] about How critical is your app in your customer’s process?
The hardest part of anything we do is typically just actually starting it. How many things have you thought about doing, but were not sure on how to proceed? What is that first step? We know we have to do something, but what? This is no different when we think about application security and a secure development program. We have to start it. It is absolutely a necessity for any development program. So what should we do? It is important to understand that security doesn't happen overnight. There … [Read more...] about 3 Tips to get your secure development program started
The last few years the biggest buzzword was shifting left. You have seen it everywhere. The concept is pretty simple when you think about the evolution of application security. We started out with a huge focus on penetration testing and providing a report back to the development team. The majority of organizations didn't have application security teams, and if they did, they were usually pretty small and limited in function. This method of app security was easy because it was in a time where … [Read more...] about Don’t Shift Left, Expand
I think all of us are aware of what phishing is. It is basically the use of an email to target a victim. This is a form of social engineering where the attacker wants to get something from the target. The two most common attacks with this are: - Download or open an attachment that is malicious. - Click a link that redirects the user to a malicious site. This often leads to trying to trick the user into entering their credentials. There is a fairly new tactic that is becoming more popular that … [Read more...] about Phishing With QR Codes?