Let's be clear about Certificate Pinning. It IS extremely useful. It IS valid, if you follow 1 rule, and are operating in 2 use case scenarios. It's simple; The 1 rule is that YOU control the CA for the pin. If you don't control the CA, you've essentially circumvented the
Domain Validated (DV) Certificates may be growing in popularity since the browsers ceased showing the organisation name along with a green padlock, but the visual change is not material to the security characteristic associated with Extended Validation (EV) Certificates. When the visual changes occurred the mainstream non-technical or the uneducated
HawkAuth [https://github.com/mozilla/hawk/] protocol is widely adopted by Firefox Accounts and appears in Postman in a very short list of supported API authentication methods which indicates HawkAuth is vastly more popular than you might first expect. HawkAuth protocol history The origins of HawkAuth appears to be with
Where zero-trust might exist 1. Scenarios that have no data 2. Scenarios with data that are never connected to power Why? Because the moment data is accessible by a human, or a system with potential human access - you inherently trust that human. What about identity? Digital identity is the
About a year ago I was just getting involved with the CSA Working Group [https://cloudsecurityalliance.org/research/contribute/] for CCM version 4 when I came across the OWASP CSA Project [https://wiki.owasp.org/index.php/Category:OWASP_CSA_Project] and went on a little adventure to learn more
Applying private routing to AWS management APIs is hard. AWS S3 has had some poor press coverage, but to Amazon's credit it has always been subject to authentication by default and not leaked any customer data.
For those unfamiliar with Cybersecurity team colors, there are Blue Teams which are the defenders, and there are Red Teams who are simulating attackers with the goal to prove a circumvention of these defences. There are a few other colors too, the only other well known one is _Purple Team_
EDIT: 2020-08-01 SHA-1 Windows content to be retired [https://techcommunity.microsoft.com/t5/windows-it-pro-blog/sha-1-windows-content-to-be-retired-august-3-2020/ba-p/1544373] in 2 days. Amazon is in an ever decreasing group of cryptography ignorant providers. EDIT: 2020-08-07 China believes TLS 1.3 privacy (hidden identity, not to be confused with confidentiality of data) is
You have to understand that TLS by-design is intended to have all data read by anyone without any authorisation checks. Don't just take my word for it. In the words of Nate Lawson; (cryptographer and software engineer who has contributed to the protocols since SSL3.0) > Data within the session
A look into the suitability of AWS KMS and CloudHSM for use with workloads in-scope of PCI DSS. Who owns my encryption key in AWS? By owning we might think of ownership as who has potential to access the key to decrypt the data. I like to think of ownership
The Australian Government's controversial encryption bill passed the Senate [https://www.abc.net.au/news/2018-12-06/labor-backdown-federal-government-to-pass-greater-surveillance/10591944] last month and will undoubtedly be law soon. The bill proposes three key powers; A technical assistance request (TAR): Police ask a company to "voluntarily" help, such as give technical details about
> Detect as a means to defend The idea of this attack is to identify old dependencies with known exploits. Even some of the most secure clients, that have excellent patching practices, are still vulnerable years after they assume they patched a vulnerability. Many of the competent website developers are now
White box Commonly used by organisations after a black box pentest to validate controls, or as an assurance to the business for audit purposes. A white box pentest is prescriptive in nature and is the only type of pentest that provides an attestation of compliance. What to provide Preparing for
Information Security is a broad reaching area of concern for your business. In the enterprise world a large component of this is part of their GRC efforts which can be over-whelming for a smaller organisation. > Governance, Risk, and Compliance One commonality between enterprise and startups is the reliance on vendors.
Over the years I've been tasked to implement controls as a developer or self-assess and design controls that meet the requirements of contractual, compliance, regulatory, and legislative obligations. One of the continuing misconceptions I've seen is most business believe (and often publicly claim) a vendors security and compliance attestations will
The Australian Cyber Security Centre (ACSC) has developed The Essential Eight which are mitigation strategies that organisation's can use to produce a modern risk profile and response plan for todays cyber threats. My post will help you align these best practices to your solution as a baseline making it much
The General Data Protection Regulation (GDPR) guidance in this post is experience based and your own response should be reviewed by a law counselor. I'm no lawyer, and many who are do not have subject matter experience (yet), so a balanced approach is playing it safe in these early days.
GDPR comes into effect in May 2018 and one of the buzz phrases you might have heard is > the right to be forgotten But there is much more you need to know and the effects are far reaching beyond Europe. What Assessments are needed? Data protection impact assessments (DPIAs) or
A look at Business Continuity Management (BCM); The process that is responsible for Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) using Business Impact Analysis (BIA) enabling Operational Resilience through HA and DR principles
Information to help you deal with Privacy risk, When to assess Privacy, Breach Notification, Recommended Controls, and Resources.
As I am currently studying to sit the CISSP exam in 2018 and because I've taken over 25,000 words in notes so far I thought I'd share what I have so that others might be able to study a bit easier. The relevant CISSP material is difficult to search
Let the threat actors take your data. Data breaches are bad, they will happen to you — count on it. Education is more valuable then technology.
You’ve heard that your password has already been compromised by LinkedIn, Yahoo, Vodafone, Sony, Minecraft, and Snapchat to name a few of the more then 200 [https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches] breaches I know about, but do you know that the Password Managers you put trust in for all
