Category Archives: SecurityBlog
We take security seriously, VERY SRSLY!
Every company tells you they take security seriously. Some even take it very seriously. But do they? I started to think about this because of a recent Slack bug. I think there are a lot of interesting things we can look at to decide if a company is taking security seriously or if the company …
2020 CWE Top 25 I mean 10 or maybe 4.5
A few days ago I ran across this report from MITRE. It’s titled “2020 CWE Top 25 Most Dangerous Software Weaknesses”. I found the report lacking the sort of details I was hoping for, so I’m going rogue and adding those details myself because it’s a topic I care about and I like seeing conclusions. …
The ineffective CISO
I’ve been thinking about this one for a while. I’ve seen some CISOs who are amazing at what they do, and I’ve seen plenty that can’t get anything done. After working with one that I think is particularly good lately, I’ve made some observations that have changed my mind about the modern day CISO reporting …
Broken vulnerability severities
This blog post originally started out as a way to point out why the NVD CVSS scores are usually wrong. One of the amazing things about having easy access to data is you can ask a lot of questions, questions you didn’t even know you had, and find answers right away. If you haven’t read …
Who are the experts
These are certainly strange times we are living in. None of us will ever forget what’s happening and we will all retell stories for the rest of our days. Many of us asked “tell me about the depression, grandma”; similar questions will be asked of us someday. The whirlwind of confusion and chaos got me …
Part 6: What do we do now?
Well, we’ve made it to the end. What started out as a short blog post ended up being 7 posts long. If you made it this far I commend you for your mental fortitude. I’m going to sum everything up with these 4 takeaways: understand the problem we want to solve; push back on scanner …
Part 5: Which of these security problems do I need to care about?
If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. Or not, I mean, whatever. I’ve spent the last few posts going over the challenges of security scanners. I think the most important takeaway is we need to temper our expectations. Even …
Part 4: Application scanning
We’ve already discussed the perils of code and composition scanning. If you’ve not already read those, you should go back to the beginning. Now we’re going to discuss application scanning. The basic idea here is we have a scanner that interacts with a running application and looks for bugs. The other two scanners run against …
Part 3: Composition scanning
If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. In this post we’re going to talk about a newer type of scanner called a composition scanner. The idea here is when you build an application today it’s never just what you …
Part 2: Scanning the code
If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. The first type of scanner we’re going to cover is source code scanners. It seems fitting to start at the bottom with the code that drives everything. Every software project has source …