Tag: Security
How to report a security issue in an open source project
🔗 Building a Community Privacy Plan (#)
Really great guide. I love the community focus — so many of these security guides are individually-oriented, which limits their applicability to groups, especially volunteer groups.
Thinking About Risk: Sidebar #4: Quantitative Risk Revisited
Thinking About Risk: Sidebar #3: Two Flavors of Medium Risk
Thinking About Risk: Sidebar #2: The Swiss Cheese Model
Thinking About Risk: Sidebar #1: "Exposure"
🔗 The 2025 journalist’s digital security checklist (#)
A pretty good checklist. Some things are tailored for the relatively-higher risk faced by journalists, but with some judicious “not applicable” application could be a good checklist for anyone.
Thinking About Risk: Mitigation
Thinking About Risk: An introduction to thinking about risk
Free digital security checkups for people/organizations concerned about the incoming US government
🔗 Phishing simulations - Rami's Wiki (#)
Round up of research and commentary on phishing sims
🔗 Prioritizing Detection Engineering (#)
Detection Engineering is a concept that has emerged in the detection space. It acknowledges the complexity of a detection stack and the…
🔗 Hierarchy of Controls | NIOSH | CDC (#)
Interesting framework for thinking about risk mitigation. Designed for workplace protection, but could be applied to lots of different risk scenarios. Compare with Magoo’s Five Factors, there are some similarities here.
🔗 Research: Simulated Phishing Tests Make Organizations Less Secure (#)
Actual study is here: https://arxiv.org/pdf/2112.07498.pdf
TIL: Stop storing credentials in plaintext part #624: gspread edition
Here’s how to safely store and use credentials for the Python gspread library, a Python API for Google Sheets.
Background: How To Keep A Secret, by Glyph The most relevant parts start around 15:00, but watch the whole thing, it’s great and worth your time.
Pre-requisites
Install keyring: pip install keyring
or equivalent.
Storing credentials
Create service account credentials as explained in the gspread docs. This ends with you having a JSON credentials file on your disk somewhere (unacceptable).
🔗 Don't use VPN services. (#)
This is the definitive “why you shuoldn’t use a VPN” article that I link every time the topic comes up.
🔗 @[email protected] on BitWarden's design (#)
Unfortunately, it appears Bitwarden may have coppied some of the pretty unfortunate design decisions from LastPass. I might have to revise my recommendation.
🔗 A blameless post-mortem of USA v. Joseph Sullivan | by Ryan McGeehan | Dec, 2022 | Medium (#)
Fucking excellent analysis of both the technical, legal, and policy failures at play here. Required reading.
Probably Are Gonna Need It: Application Security Edition
2021 DBIR Highlights
Hangar's Dumb Security Questionnaire
Articles for r2c: Bringing Security along on the CI/CD journey
Articles for r2c: Not all attacks are equal: understanding and preventing DoS in web applications
Articles for r2c: Preventing SQL Injection in Django
A bit of smart security design from Tiller
I’m trying out Tiller (a service that pulls financial transaction data into Google Sheets), and there’s a nifty bit of security design.
- Instead of its own authentication, you login via Google. This means Tiller doesn’t need to do any account management, and my account’s as secure as my Google account.
- Like all other services in this sector (Mint, Personal Capital, YNAB, etc), the actual data sync happens via Yodlee. Yodlee is… not great, but it’s at least not worse than what everyone else is doing. And, Tiller does the best they can by using Yodlee’s own credential flow, which means your bank login never hits Tiller’s servers.
- When you set up a sheet, instead of requesting access to Google Sheets, Tiller creates the sheet using a bot account, then shares it with you. This means Tiller only has access to the specific spreadsheets it manages, not your entire drive.
There’s always a bit of inherent risk in services like this, and I’m pleased to see that someone at Tiller clearly thought very carefully about the risk model, and designed things to be about as safe as it could be.
Don't include social engineering in penetration tests
I’m not a fan of including social engineering – spearphishing, calls to support tickets, office visits – as part of penetration tests. These activities are risky, and often involve borderline and outright inappropriate behavior. Further, they tend not to produce useful results.
I encourage you to explicitly forbid social engineering attacks in your pentest scopes. Instead, try simulating the kinds of compromises that social engineering attacks lead to, with an emphasis on detection and response. This provides much more satisfying and useful outcomes, without the risks that allowing social engineering introduces.
Ratchets & Levers
There are a couple of metaphors that tend to guide my thinking about the practice of security: ratchets and levers.
Ratchets
A ratchet is a kind of one-way gear, with angled teeth and a pawl that allows motion in one direction only. In the physical world we use ratchets to help lift or move heavy loads. Using a ratchet, we can overcome the massive inertia of a heavy object by breaking the movement down into small, easy, irreversible steps.
2016 DBIR Highlights
The 2016 edition of Verizon’s Data Breach Investigations Report is out, and as usual it’s compelling reading. The DBIR is one of the only sources of hard data about information security, which makes it a must-read for anyone trying to run a security program in a data-driven manner.
What follows are the bits that I found especially interesting, and a bit of my own commentary.
Internal threats are rare
[T]he Actors in breaches are predominantly external. While this goes against InfoSec folklore, the story the data consistently tells is that, when it comes to data disclosure, the attacker is not coming from inside the house. And let’s face it, no matter how big your house may be there are more folks outside it than there are inside it. [7]
I've joined Heroku
I’ve joined Heroku as their Director of Security.
Why?
I started as a Heroku skeptic. The first iterations of Platform-as-a-Service left me deeply underwhelmed. “Deploying web apps is hard,” I said, “there’s no way you can just abstract it away like that.”
I was wrong. Over the last few years I’ve gone from being a Heroku skeptic, to a user, to a fan, and now — an employee. Perhaps at some later point I’ll write a bit about how my thoughts evolved, but for now I’ll leave it at this: Heroku’s vision of a world where developers are empowered to deliver apps is one I support. Strongly.
FAQ: Untrusted users and HTML
An input form that takes raw HTML. It’s a pretty common thing to see in web apps these days: many comment forms allow HTML, or some subset thereof; many social-network-style applications allow end-users to enter HTML in their profiles; etc. Unfortunately, allowing untrusted users to enter raw HTML is incredibly dangerous; read up on XSS if you don’t know why.
So a common question that comes up in web developer circles deals with how best to “escape” user-entered HTML so that is safe for presentation. Though this seems easy, it’s actually incredibly difficult – see Whitelist, Don’t Blacklist for an introduction. I’ve literally seen hundreds of recipes for stripping unsafe HTML that are about as effective as a screen door on a submarine.
My "personal security" plan
My personal security plan
Prompted by recent reading on cryptography and computer security, I’ve been rethinking my pretty lax personal security plan. Right now I’m doing a number of pretty stupid things, including reusing just a couple passwords (“high” and “low” security), using browser/keychain password remembering too much, and storing important documents (tax returns, etc.) unencrypted.
A co-worker just had his laptop stolen, and I’ve realized just how screwed I could be if that happens to me.