For the past few years, my dad has been encouraging me to turn on two-factor authentication (2FA) on any service that offers it. Having grown up in the social media age, I felt his requests were unwarranted. I know social media inside and out (and I have a master’s degree to prove it). I have […]
One of the major reasons organizations adopt DevOps practices is to accelerate delivery of software to production. This includes deploying more frequently and reducing lead time. However, many organizations fail to include quality components in their practices. This leads to organizations delivering code faster, but unfortunately, that code is just poor. Continuous deployment without quality […]
By now, most Americans have heard of the breach of over 143 million (and counting) U.S. consumer’s financial data to hackers earlier this month. A well-published vulnerability in Apache Struts (CVE-2017-5638) was not patched for months in Equifax applications. This vulnerability was readily available to hackers and exploited against critical systems holding data such as […]
When people think of DevSecOps the first thing that comes to mind is automation. A strong DevSecOps environment should employ tools that automate the following: Continuous Integration, Continuous Delivery, Continuous Testing, Continuous Deployment, and Continuous Monitoring. While automation is certainly important, it’s just as important (if not more important) to build the mindset that “everyone […]
I am currently working on implementing Single Sign-On (SSO) for the entire Coveros domain. This project required me to implement a process to add current Coveros employees into our FreeIPA server as well as account for any future employees that will be onboarded. In order to deal with this problem, a script was written which […]
For decades, software security organizations and those that assure security have built processes and procedures around waterfall software development practices. This has often led to security testing being “bolted on” at the end of the process. In addition, many organizations have seen the rise of mindless information security assurance, whereby engineers avoid assessing, understanding, or […]
In my last two posts, I talked about different options for securing your network traffic, and how to setup a machine to pass network traffic through. As promised, this last post in the series will walk you through some of the more complex steps in configuring the last 3 options. Please note, that each of these […]
In a previous post I outlined a bunch of ideas for keeping your internet usage private. Towards the end of the post, I indicated that I would provide follow-ups for setting up the configurations outlined. Well, this is the first of those posts. There were three examples that I had saved for working through. Each […]
DISCLAIMER: Only perform security testing on applications which you have explicit permission to do so. Also, this post shows features for Burp Suite Professional, as the Macros and scanning features are not available without a license. In the previous blog post, I detailed configuring Burp Suite for usage in security testing. Please reference the material […]
DISCLAIMER: Only perform security testing on applications which you have explicit permission to do so. Also, this post shows features for Burp Suite Professional. Specifically, the macros and scanning are not available without a license. In the previous blog post, I detailed configuring Burp Suite for usage in security testing. Please reference the material in […]
