🔗 Research: Simulated Phishing Tests Make Organizations Less Secure September 8th, 2023
Actual study is here: https://arxiv.org/pdf/2112.07498.pdf
TIL: Stop storing credentials in plaintext part #624: gspread edition August 18th, 2023
Here’s how to safely store and use credentials for the Python gspread library, a Python API for Google Sheets. Background: How To Keep A Secret, by Glyph The most relevant parts start around 15:00, but watch the whole thing, it’s great and worth your time. Pre-requisites Install keyring: pip install keyring or equivalent. Storing credentials Create service account credentials as explained in the gspread docs. This ends with you having a JSON credentials file on your disk somewhere (unacceptable).…
🔗 Don't use VPN services. January 25th, 2023
This is the definitive “why you shuoldn’t use a VPN” article that I link every time the topic comes up.
🔗 @[email protected] on BitWarden's design January 23rd, 2023
Unfortunately, it appears Bitwarden may have coppied some of the pretty unfortunate design decisions from LastPass. I might have to revise my recommendation.
🔗 A blameless post-mortem of USA v. Joseph Sullivan | by Ryan McGeehan | Dec, 2022 | Medium December 8th, 2022
Fucking excellent analysis of both the technical, legal, and policy failures at play here. Required reading.
Probably Are Gonna Need It: Application Security Edition July 8th, 2021
My list of “Probably Are Gonna Need It” security features for your web app – things that you should build up-front, not wait until you need them (when it’s already too late).
2021 DBIR Highlights May 18th, 2021
The 2021 edition of Verizon’s Data Breach Investigations Report (DBIR) is out. I read the DBIR every year; it’s one of the only analyses of real-world security failures that approaches any sort of scientific rigor. Here are some of the highlights from the 2021 edition, along with my commentary.
Hangar's Dumb Security Questionnaire January 15th, 2021
Over on the Hangar tech blog, I’ve posted our Dumb Security Questionnaire (the questions we ask vendors to evaluate their security maturity). All DSQs are dumb, but I think ours is a little less dumb. If not, at least it’s short.
Articles for r2c: Bringing Security along on the CI/CD journey January 11th, 2021
Practical ways to bridge the gap between AppSec and Engineering.
Articles for r2c: Not all attacks are equal: understanding and preventing DoS in web applications September 11th, 2020
Denial-of-Service (DoS) vulnerabilities are common, but teams frequently disagree on how to treat them. The risk can be difficult to analyze: I’ve seen development teams argue for weeks over how to handle a DoS vector. This article tries to cut through those arguments. It provides a framework for engineering and application security teams to think about denial-of-service risk, breaks down DoS vulnerabilities into high-, medium-, and low-risk classes, and has recommendations for mitigations at each layer.
Articles for r2c: Preventing SQL Injection in Django May 15th, 2020
SQL Injection (SQLi) is one of the most dangerous classes of web vulnerabilities. Thankfully, it’s becoming increasingly rare — thanks mostly to increasing use of database abstraction layers like Django’s ORM — but where it occurs it can be devastating. This article will help you understand and prevent SQLi vulnerabilities in your Django apps.
A bit of smart security design from Tiller November 19th, 2018
I’m trying out Tiller (a service that pulls financial transaction data into Google Sheets), and there’s a nifty bit of security design. Instead of its own authentication, you login via Google. This means Tiller doesn’t need to do any account management, and my account’s as secure as my Google account. Like all other services in this sector (Mint, Personal Capital, YNAB, etc), the actual data sync happens via Yodlee. Yodlee is… not great, but it’s at least not worse than what everyone else is doing.…
Don't include social engineering in penetration tests June 27th, 2017
I’m not a fan of including social engineering – spearphishing, calls to support tickets, office visits – as part of penetration tests. These activities are risky, and often involve borderline and outright inappropriate behavior. Further, they tend not to produce useful results. I encourage you to explicitly forbid social engineering attacks in your pentest scopes. Instead, try simulating the kinds of compromises that social engineering attacks lead to, with an emphasis on detection and response.…
Ratchets & Levers May 19th, 2016
There are a couple of metaphors that tend to guide my thinking about the practice of security: ratchets and levers. Ratchets Dr. Schorsch, CC-BY-SA 3.0, via Wikimedia Commons A ratchet is a kind of one-way gear, with angled teeth and a pawl that allows motion in one direction only. In the physical world we use ratchets to help lift or move heavy loads. Using a ratchet, we can overcome the massive inertia of a heavy object by breaking the movement down into small, easy, irreversible steps.…
2016 DBIR Highlights April 27th, 2016
The 2016 edition of Verizon’s Data Breach Investigations Report is out, and as usual it’s compelling reading. The DBIR is one of the only sources of hard data about information security, which makes it a must-read for anyone trying to run a security program in a data-driven manner. What follows are the bits that I found especially interesting, and a bit of my own commentary. Internal threats are rare [T]he Actors in breaches are predominantly external.…
I've joined Heroku May 13th, 2013
I’ve joined Heroku as their Director of Security. Why? I started as a Heroku skeptic. The first iterations of Platform-as-a-Service left me deeply underwhelmed. “Deploying web apps is hard,” I said, “there’s no way you can just abstract it away like that.” I was wrong. Over the last few years I’ve gone from being a Heroku skeptic, to a user, to a fan, and now — an employee. Perhaps at some later point I’ll write a bit about how my thoughts evolved, but for now I’ll leave it at this: Heroku’s vision of a world where developers are empowered to deliver apps is one I support.…
FAQ: Untrusted users and HTML February 24th, 2009
An input form that takes raw HTML. It’s a pretty common thing to see in web apps these days: many comment forms allow HTML, or some subset thereof; many social-network-style applications allow end-users to enter HTML in their profiles; etc. Unfortunately, allowing untrusted users to enter raw HTML is incredibly dangerous; read up on XSS if you don’t know why. So a common question that comes up in web developer circles deals with how best to “escape” user-entered HTML so that is safe for presentation.…
My "personal security" plan August 31st, 2007
My personal security plan Prompted by recent reading on cryptography and computer security, I’ve been rethinking my pretty lax personal security plan. Right now I’m doing a number of pretty stupid things, including reusing just a couple passwords (“high” and “low” security), using browser/keychain password remembering too much, and storing important documents (tax returns, etc.) unencrypted. A co-worker just had his laptop stolen, and I’ve realized just how screwed I could be if that happens to me.…