Lately we have seen a lot of focus on security in social media - professionals, companies, organizations trying to increase security awareness. A lot of the information out there is about "control" and "compliance". The downside of a risk management regime based on strict rules, controls and compliance measures has been demonstrated again and again … Continue reading How a desire for control can hurt your security performance
Are you planning to offer a SaaS product, perhaps combined with a mobile app or two? Many companies operating in this space will outsource development, often because they don't have the right in-house capacity or competence. In many cases the outsourcing adventure ends in tears. Let's first look at some common pitfalls before diving into … Continue reading How to manage risk and security when outsourcing development
tl;dr: SaaS apps often have poor security. Before deciding to use one, do a quick security review. Read privacy statements, ask for security docs, and test authentication practices, crypto and console.log information leaks before deciding whether to trust the app. This post gives you a handy checklist to breeze through your … Continue reading Do you consider security when buying a SaaS subscription?
Consider this: the internet is down. Power is out. And the water in the tap is no longer safe to drink. The stores are basically out of groceries. And the banking sector is not working. No mobile payments. No credit cards accepted. And no ATMs are working. Scenarios like this may sound dystopian but are perhaps … Continue reading When society breaks down: how do we respond?
Business continuity and emergency preparedness have become familiar concepts for many businesses, and having such risk management practices in place is expected in many industries. In spite of this, outside software companies the inclusion of cybersecurity in these plans, and preparation for handling serious cyber attacks and security incidents, is far from mature. Many businesses have … Continue reading How to build emergency preparedness for cybersecurity incidents
Container technologies are becoming a cornerstone of development and deployment in many software houses - including where I have my day job. Lately I've been creating a small web app with lots of vulnerabilities to use for security awareness training for developers (giving them target practice for typical web vulnerabilities). So I started thinking about … Continue reading Packaging a Node app for Docker – from Windows
Phishing is still the most common initial attack vector. Mass-mailed spam is now taking cues from targeted campaigns, improving conversion rates through personalization and the use of seemingly authoritative content. Scammers are getting better at targeting. Sharpen your defenses today, including your awareness training! Here are some indicators that can help identify phishing: Sender: … Continue reading How to recognize a customized spear-phishing email
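The excerpt above stops at the first indicator, the sender. As an added example, not code from the original post, here is a small standard-library Python script that checks a raw e-mail for the kind of sender-related indicators an awareness trainer would point at. The specific checks (display name naming a trusted brand while the address domain is not trusted, Reply-To and Return-Path domains that differ from the From domain, and a lookalike From domain such as examp1e.com vs example.com) are my assumptions about typical sender indicators, not the post's own list; the trusted-domain set and both sample messages are constructed for illustration.

```python
"""Added example (not from the original post): flag sender-related
phishing indicators in a raw RFC 5322 message with the standard library.

Assumptions (mine, not the post's): the indicators checked below are
  1. display name mentions a trusted brand, but the address domain is not trusted
  2. Reply-To domain differs from the From domain
  3. Return-Path domain differs from the From domain
  4. From domain is a lookalike of a trusted domain (edit-distance ratio)
TRUSTED_DOMAINS and both sample messages are constructed test data.
"""
from difflib import SequenceMatcher
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Optional

# Constructed list of domains the (hypothetical) organisation trusts.
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}

# Constructed spear-phishing sample: brand in display name, digit-1-for-l
# lookalike domain, Reply-To and Return-Path pointing elsewhere.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@mail-examp1e.com>
From: "Example Payroll" <hr@examp1e.com>
Reply-To: <payroll.update@outlook.example>
To: <alice@example.com>
Subject: Urgent: confirm your salary details

Dear Alice, please confirm your details at the link below.
"""

# Constructed benign sample: everything consistent and on a trusted domain.
CLEAN_MESSAGE = b"""\
From: <bob@example.com>
To: <alice@example.com>
Subject: Lunch?

Are you free at 12?
"""


def domain_of(address: str) -> str:
    """Return the lowercase domain of an address header value, or '' if none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def lookalike(domain: str, trusted: set, threshold: float = 0.8) -> Optional[str]:
    """Return a trusted domain that `domain` closely resembles but does not
    equal (e.g. examp1e.com vs example.com); None if there is no near match.
    Iterates in sorted order so the result is deterministic."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None


def sender_indicators(raw: bytes, trusted: set = TRUSTED_DOMAINS) -> list:
    """Parse a raw message and return a list of human-readable sender findings.
    An empty list means none of the four indicators fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = str(msg.get("From", ""))
    display, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    return_dom = domain_of(str(msg.get("Return-Path", "")))
    findings = []

    # 1. Display name drops a trusted brand name, but the address is not trusted.
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if brand in display.lower() and from_dom not in trusted:
            findings.append(f"display name mentions '{brand}' but From domain is {from_dom}")
            break
    # 2. Replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Bounce/envelope sender does not match the visible From domain.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    # 4. Visually similar but not identical to a domain we trust.
    near = lookalike(from_dom, trusted)
    if near:
        findings.append(f"From domain {from_dom} looks like trusted domain {near}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing sample", SAMPLE_MESSAGE), ("clean sample", CLEAN_MESSAGE)):
        print(f"{name}:")
        for f in sender_indicators(raw) or ["no sender indicators"]:
            print("  -", f)
```

Run it as a script to see the four findings for the constructed phishing sample and none for the clean one. The checks are heuristics for training and triage, not a spam filter: a legitimate mailing service will often set a different Return-Path, so treat each finding as a reason to look closer rather than a verdict.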