2016 DBIR Highlights April 27th, 2016
The 2016 edition of Verizon’s Data Breach Investigations Report is out, and as usual it’s compelling reading. The DBIR is one of the only sources of hard data about information security, which makes it a must-read for anyone trying to run a security program in a data-driven manner. What follows are the bits that I found especially interesting, and a bit of my own commentary. Internal threats are rare [T]he Actors in breaches are predominantly external.…
Ratchets & Levers May 19th, 2016
There are a couple of metaphors that tend to guide my thinking about the practice of security: ratchets and levers. Ratchets Dr. Schorsch, CC-BY-SA 3.0, via Wikimedia Commons A ratchet is a kind of one-way gear, with angled teeth and a pawl that allows motion in one direction only. In the physical world we use ratchets to help lift or move heavy loads. Using a ratchet, we can overcome the massive inertia of a heavy object by breaking the movement down into small, easy, irreversible steps.…
Articles for r2c: Preventing SQL Injection in Django May 15th, 2020
SQL Injection (SQLi) is one of the most dangerous classes of web vulnerabilities. Thankfully, it’s becoming increasingly rare — thanks mostly to increasing use of database abstraction layers like Django’s ORM — but where it occurs it can be devastating. This article will help you understand and prevent SQLi vulnerabilities in your Django apps.
Articles for r2c: Not all attacks are equal: understanding and preventing DoS in web applications September 11th, 2020
Denial-of-Service (DoS) vulnerabilities are common, but teams frequently disagree on how to treat them. The risk can be difficult to analyze: I’ve seen development teams argue for weeks over how to handle a DoS vector. This article tries to cut through those arguments. It provides a framework for engineering and application security teams to think about denial-of-service risk, breaks down DoS vulnerabilities into high-, medium-, and low-risk classes, and has recommendations for mitigations at each layer.
Articles for r2c: Bringing Security along on the CI/CD journey January 11th, 2021
Practical ways to bridge the gap between AppSec and Engineering.
Hangar's Dumb Security Questionnaire January 15th, 2021
Over on the Hangar tech blog, I’ve posted our Dumb Security Questionnaire (the questions we ask vendors to evaluate their security maturity). All DSQs are dumb, but I think ours is a little less dumb. If not, at least it’s short.
2021 DBIR Highlights May 18th, 2021
The 2021 edition of Verizon’s Data Breach Investigations Report (DBIR) is out. I read the DBIR every year; it’s one of the only analyses of real-world security failures that approaches any sort of scientific rigor. Here are some of the highlights from the 2021 edition, along with my commentary.
Probably Are Gonna Need It: Application Security Edition July 8th, 2021
My list of “Probably Are Gonna Need It” security features for your web app – things that you should build up-front, not wait until you need them (when it’s already too late).