Tag: security
How to report a security issue in an open source project March 27th, 2025
So you’ve found a security issue in an open source project – or maybe just a weird problem that you think might be a security problem. What should you do next?
🔗 Building a Community Privacy Plan February 19th, 2025
Really great guide. I love the community focus — so many of these security guides are individually-oriented, which limits their applicability to groups, especially volunteer groups.
Thinking About Risk: Sidebar #4: Quantitative Risk Revisited January 28th, 2025
In part 1 of this series, I briefly covered quantitative risk measuring – assigning a numeric value to risk, like “$3,500”, rather than a qualitative label like “medium” – only to quickly recommend against trying it. In this final sidebar, I want to come back to this topic. I’ll spend a bit more time explaining what I see as the pros and cons of quantitative risk measurement – why you might or might not want to use numeric values over more simple risk matrixes.
Thinking About Risk: Sidebar #3: Two Flavors of Medium Risk January 17th, 2025
When you look at a likelihood/impact risk matrix, you might notice that “medium” appears twice – once as high-likelihood/low-impact, and once as low-likelihood/high-impact. These two “mediums” aren’t at all the same!
Thinking About Risk: Sidebar #2: The Swiss Cheese Model January 16th, 2025
In the real world, accidents happen when a series of small missteps align to create severe consequences. This is something we call the “Swiss Cheese Model”: imagining a systems failure as a set of “holes” in our layers of defense that all line up to create a series accident.
Thinking About Risk: Sidebar #1: "Exposure" January 15th, 2025
Risk is usually defined as the product of two factors: Likelihood and Impact. However, some disciplines include a third factor: Exposure. What’s that about, and when is it useful?
🔗 The 2025 journalist’s digital security checklist December 11th, 2024
A pretty good checklist. Some things are tailored for the relatively-higher risk faced by journalists, but with some judicious “not applicable” application could be a good checklist for anyone.
Thinking About Risk: Mitigation December 10th, 2024
So you’ve identified a risk — now what do you do about it? Here’s a simple framework to help frame discussions about risk mitigation. It’s intentionally very simple, a basic starting point. I’ll present a more complex framework later in this series, but I want to lay more of a foundation before I get there, so we’ll start here.
Thinking About Risk: An introduction to thinking about risk December 4th, 2024
Welcome to a new series about how to think about risk. This series is a crash course, a high-level introduction to the most important concepts and risk frameworks. It’s intended for people who encounter risk from time to time and need some basic tools, but don’t want to make a deep study of it. My hope is that it’ll help you better analyze risk when it comes up for you, and also make it easier to navigate conversations with risk professionals.
Free digital security checkups for people/organizations concerned about the incoming US government November 11th, 2024
If you — as an individual or a group — are re-assessing your digital security posture in light of the US election results, I’m available to help. I’m offering free digital security check-ups to anyone who feels like they need it now.
🔗 Phishing simulations - Rami's Wiki October 22nd, 2024
Round up of research and commentary on phishing sims
🔗 Prioritizing Detection Engineering October 12th, 2024
Detection Engineering is a concept that has emerged in the detection space. It acknowledges the complexity of a detection stack and the…
🔗 Hierarchy of Controls | NIOSH | CDC March 20th, 2024
Interesting framework for thinking about risk mitigation. Designed for workplace protection, but could be applied to lots of different risk scenarios. Compare with Magoo’s Five Factors, there are some similarities here.
🔗 Research: Simulated Phishing Tests Make Organizations Less Secure September 8th, 2023
Actual study is here: https://arxiv.org/pdf/2112.07498.pdf
TIL: Stop storing credentials in plaintext part #624: gspread edition August 18th, 2023
Here’s how to safely store and use credentials for the Python gspread library, a Python API for Google Sheets. Background: How To Keep A Secret, by Glyph The most relevant parts start around 15:00, but watch the whole thing, it’s great and worth your time. Pre-requisites Install keyring: pip install keyring or equivalent. Storing credentials Create service account credentials as explained in the gspread docs. This ends with you having a JSON credentials file on your disk somewhere (unacceptable).…
🔗 Don't use VPN services. January 25th, 2023
This is the definitive “why you shuoldn’t use a VPN” article that I link every time the topic comes up.
🔗 @[email protected] on BitWarden's design January 23rd, 2023
Unfortunately, it appears Bitwarden may have coppied some of the pretty unfortunate design decisions from LastPass. I might have to revise my recommendation.
🔗 A blameless post-mortem of USA v. Joseph Sullivan | by Ryan McGeehan | Dec, 2022 | Medium December 8th, 2022
Fucking excellent analysis of both the technical, legal, and policy failures at play here. Required reading.
Probably Are Gonna Need It: Application Security Edition July 8th, 2021
My list of “Probably Are Gonna Need It” security features for your web app – things that you should build up-front, not wait until you need them (when it’s already too late).
2021 DBIR Highlights May 18th, 2021
The 2021 edition of Verizon’s Data Breach Investigations Report (DBIR) is out. I read the DBIR every year; it’s one of the only analyses of real-world security failures that approaches any sort of scientific rigor. Here are some of the highlights from the 2021 edition, along with my commentary.
Hangar's Dumb Security Questionnaire January 15th, 2021
WHen I worked for Hangar, I developed our own Dumb Security Questionnaire (the questions we ask vendors to evaluate their security maturity). All DSQs are dumb, but I think ours is a little less dumb. If not, at least it’s short.
Articles for r2c: Bringing Security along on the CI/CD journey January 11th, 2021
Practical ways to bridge the gap between AppSec and Engineering.
Articles for r2c: Not all attacks are equal: understanding and preventing DoS in web applications September 11th, 2020
Denial-of-Service (DoS) vulnerabilities are common, but teams frequently disagree on how to treat them. The risk can be difficult to analyze: I’ve seen development teams argue for weeks over how to handle a DoS vector. This article tries to cut through those arguments. It provides a framework for engineering and application security teams to think about denial-of-service risk, breaks down DoS vulnerabilities into high-, medium-, and low-risk classes, and has recommendations for mitigations at each layer.
Articles for r2c: Preventing SQL Injection in Django May 15th, 2020
SQL Injection (SQLi) is one of the most dangerous classes of web vulnerabilities. Thankfully, it’s becoming increasingly rare — thanks mostly to increasing use of database abstraction layers like Django’s ORM — but where it occurs it can be devastating. This article will help you understand and prevent SQLi vulnerabilities in your Django apps.
A bit of smart security design from Tiller November 19th, 2018
I’m trying out Tiller (a service that pulls financial transaction data into Google Sheets), and there’s a nifty bit of security design. Instead of its own authentication, you login via Google. This means Tiller doesn’t need to do any account management, and my account’s as secure as my Google account. Like all other services in this sector (Mint, Personal Capital, YNAB, etc), the actual data sync happens via Yodlee. Yodlee is… not great, but it’s at least not worse than what everyone else is doing.…
Don't include social engineering in penetration tests June 27th, 2017
I’m not a fan of including social engineering – spearphishing, calls to support tickets, office visits – as part of penetration tests. These activities are risky, and often involve borderline and outright inappropriate behavior. Further, they tend not to produce useful results. I encourage you to explicitly forbid social engineering attacks in your pentest scopes. Instead, try simulating the kinds of compromises that social engineering attacks lead to, with an emphasis on detection and response.…
Ratchets & Levers May 19th, 2016
There are a couple of metaphors that tend to guide my thinking about the practice of security: ratchets and levers. Ratchets Dr. Schorsch, CC-BY-SA 3.0, via Wikimedia Commons A ratchet is a kind of one-way gear, with angled teeth and a pawl that allows motion in one direction only. In the physical world we use ratchets to help lift or move heavy loads. Using a ratchet, we can overcome the massive inertia of a heavy object by breaking the movement down into small, easy, irreversible steps.…
2016 DBIR Highlights April 27th, 2016
The 2016 edition of Verizon’s Data Breach Investigations Report is out, and as usual it’s compelling reading. The DBIR is one of the only sources of hard data about information security, which makes it a must-read for anyone trying to run a security program in a data-driven manner. What follows are the bits that I found especially interesting, and a bit of my own commentary. Internal threats are rare [T]he Actors in breaches are predominantly external.…
I've joined Heroku May 13th, 2013
I’ve joined Heroku as their Director of Security. Why? I started as a Heroku skeptic. The first iterations of Platform-as-a-Service left me deeply underwhelmed. “Deploying web apps is hard,” I said, “there’s no way you can just abstract it away like that.” I was wrong. Over the last few years I’ve gone from being a Heroku skeptic, to a user, to a fan, and now — an employee. Perhaps at some later point I’ll write a bit about how my thoughts evolved, but for now I’ll leave it at this: Heroku’s vision of a world where developers are empowered to deliver apps is one I support.…
FAQ: Untrusted users and HTML February 24th, 2009
An input form that takes raw HTML. It’s a pretty common thing to see in web apps these days: many comment forms allow HTML, or some subset thereof; many social-network-style applications allow end-users to enter HTML in their profiles; etc. Unfortunately, allowing untrusted users to enter raw HTML is incredibly dangerous; read up on XSS if you don’t know why. So a common question that comes up in web developer circles deals with how best to “escape” user-entered HTML so that is safe for presentation.…
My "personal security" plan August 31st, 2007
My personal security plan Prompted by recent reading on cryptography and computer security, I’ve been rethinking my pretty lax personal security plan. Right now I’m doing a number of pretty stupid things, including reusing just a couple passwords (“high” and “low” security), using browser/keychain password remembering too much, and storing important documents (tax returns, etc.) unencrypted. A co-worker just had his laptop stolen, and I’ve realized just how screwed I could be if that happens to me.…