Not Insecure

Welcome to the 15th episode of our Security Culture Campaign! On today’s show Matt Konda discusses Zoom Security. We wrote a longread blog post about Zoom security earlier this week; but given the attention around Zoom and all the questions we have gotten from customers, we wanted to put a quick culture video/podcast together for it as well. There are a couple of concerns. Protecting data … the bottom line on Zoom is that you can’t assume that it is secure between you and your meeting...

Welcome to the 14th episode of our Security Culture Campaign! On today’s show Matt Konda discusses OWASP Juice Shop. The OWASP Juice Shop is an amazing resource for both developers and folks working in application security(or those interested in learning application security!). It is easy to run. You can run it in Heroku at the click of a button. Or you can build from source or run in a Docker container. Remember that it is a vulnerable application though! Once you have it running, you can...

Welcome to the 13th episode of our Security Culture Campaign! On today’s show Matt Konda discusses least privilege. Least Privilege is at first glance obvious and self defining. It means only giving users the access they actually need to perform a particular task in a system. On its face, it seems like you would never give users more privileges than they need so it should be something we do by default all the time. Examples where we apply least privilege include: In practice, applying...

Welcome to the 12th episode of our Security Culture Campaign! On today’s show Matt Konda discusses adversaries and some of the things they might be thinking about as they come at you in the real world. For example, adversaries are engaging in spam campaigns targeting all of the folks who’ve suddenly found themselves working from home. I recently received a spam email message about a delivery confirmation for a “WiFi Extender” that I had supposedly purchased from Amazon for $250 with a $50...

Welcome to the 11th episode of our Security Culture Campaign! On today’s show Matt Konda discusses remote work and security. We put together a checklist for securing your remote work environment that you can download and use across your teams. The highlights are: Check out the corresponding blog post to learn more. Click here for the associated YouTube video. The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers...

Welcome to the 10th episode of our Security Culture Campaign! On today’s show Matt Konda talks vulnerable dependencies. When we build software, we use lots of libraries that we didn’t write. They could be open source, they could be commercial, they could even be framework code provided by a big company as part of a platform. In any case, we have lots of code running in, over, under and around the code we actually write. If there is a problem in any of that surrounding code, it can affect...

Welcome to the 9th episode of our Security Culture Campaign! On today’s show Matt Konda talks passwords and password managers. The first thing to know is that weak passwords are often the easiest way to get access to information. People: When we do pen testing, guessing passwords is a surprisingly effective way to get access to a system! We’ve worked with clients where we’ve seen an adversary running a botnet with 100,000 computers slowly but consistently testing passwords one by one...

Welcome to the 8th episode of our Security Culture Campaign! On today’s show Matt Konda talks testing for Authorization. Authorization is the idea that a user can only do what they should be able to based on their role. It is synonymous with access control. Consider the case of a consulting firm with: There are several types of authorization that need to be implemented in a typical time tracking system. We need vertical access control implemented to prevent a consultant from approving...

Welcome to the 7th episode of our Security Culture Campaign! On today’s show Matt Konda talks Secrets. A secret is anything that is used in a running system as a way to prove that you are who you say you are. A secret could be: In this episode you’ll learn how to find and protect Secrets. Read more on the blog. Click here for the associated YouTube video. The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers...

Welcome to the 6th episode of our Security Culture Campaign! On today’s show Matt Konda talks Static Analysis. There are a lot of static analysis tools out there. The simplest might be eslint , for which there are even security rulesets - the docs for which have some handy illustrations for the types of things these tools can find. We recommend: Read more on the blog. Click here for the associated YouTube video. The Jemurai Security Culture Campaign Series is a stream of topical content...

Welcome to the 5th episode of our Security Culture Campaign! On today’s show Matt Konda talks Patching. Patching is the process of updating software. The takeaway is: we need to patch our systems even though we think it is a pain. This is a foundational but surprisingly difficult thing to take care of. We recommend: Read more on the blog. Click here for the associated YouTube video. The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday...

Welcome to the 4th episode of our Security Culture Campaign! On today’s show Matt Konda talks Gift Card Scams. This topic is less technical and more social engineering focused, but it is relevant to developers and general audiences alike. Click here for the associated YouTube video. The takeaway is - any time you are asked to use a gift card, or, for that matter to do anything “urgently” - you should think twice or three times. It also means that as we build systems, we should be...

Welcome to the third episode of our Security Culture Campaign! On today’s show Matt Konda talks Injection, which is a serious class of vulnerability that can happen in any language. Click here for the associated YouTube video. Injection happens when user inputted data is treated as part of an OS command or part of a query - usually through string concatenation. As developers, we need to apply appropriate controls. Strict input validation is always recommended but in addition we need to do...

Welcome to the second episode of our Security Culture Campaign! On today’s show Matt Konda introduces OWASP. Click here for the associated YouTube video. OWASP resources include: The Top 10ASVSTesting GuidesProactive ControlsGlueDependency CheckAmassZAPDefectDojoConferencesGlobal AppSecAppSec CaliforniaLocal chapter meetings The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular...

Welcome to the first episode of our Security Culture Campaign! On today’s show Matt Konda introduces the campaign and why we’re doing it. Click here for the associated YouTube video. The Jemurai Security Culture Campaign Series will be a stream of topical content intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts. Of course, really making security part of an organizational culture means a lot...

Welcome to the third episode of Not Insecure! On today’s show Matt Konda, Joe Kerby and Keely Caldwell discuss cybersecurity for small to medium sized companies and startups. Topics: Resources: Authysecurityprogram.ioGoogle Phishing QuizBitwardenKeePass Password ManagerMFA Details For GoogleMFA Details for 0365

Welcome to the second episode of Not Insecure! On today’s show Matt Konda, Joe Kerby and Keely Caldwell discuss “pushing left”. Quick kudos to: Topics: Resources: Cost to Fix Bugs During Each SDLC PhaseSecurity in the SDLCIntegrating Software Assurance Into the SDLCUnderstanding and Controlling Software CostRugged DevopsPushing Left, Like a Boss

Welcome to the first episode of Not Insecure! On today’s show Matt Konda, Joe Kerby and Keely Caldwell discuss being a developer and product manager in the cybersecurity field, what we’ve learned building security tools, what small businesses should be doing for security and more. Topics: Resources: securityprogram.ioJemuraiNIST 800-53Auth0MFA Details For GoogleMFA Details for 0365