Starting Up Security
Starting Up Security was not written in order. In 2018 these essays were organized and structured as you see it now.

These were written for security teams of varying size and maturity that are looking for direction or opinions on how to get started, or grow.

The eponymous article is a prescriptive starting point that works in the spirit of a maturity model. This section contains links to other high level guidance as well.

The Risk Management section writes about more intentional, quantitative approaches to a security program. Working from scratch, you’ll organize risks into scenarios, build consensus, and roadmap your work. These are highly opinionated.

Anecdotes about team structure and the role of a security team and individual are laced throughout my essays. However, the more specific writings will go into Organization.

The most writing I have is around Incident Response. Often these are based on my personal experiences during or following an incident.

I make it a priority to write about incidents that are public that have valuable lessons. These can be found in Post-mortem review.
resources  training  InfoSec  for_newbies 
16 days ago
Kap - Capture your screen
Capture your screen
An open-source screen recorder built with web technology.
mac  screencap_to_gif  gif  screencap 
21 days ago
STARTTLS Everywhere
Secure your email server with STARTTLS Everywhere! Your email service can be insecure in numerous different ways. The service below performs a quick check of your email server's security configuration, including whether STARTTLS is supported, and whether it may qualify for the STARTTLS Policy List.
eff  tls  Email 
21 days ago
Comments of FTC’s Bureau of Consumer Protection on IOT Safety/Security to CPSC
FTC Staff Written Comments on The Internet of Things and Consumer Product Hazards
cpsc  ftc  iot  InfoSec  product_liability 
23 days ago
*OS Internals: - Welcome!
Volume I - User Mode - Available, v1.0.5
Volume III - Security & Insecurity is available, v1.5.2
ios  book  mac  osx  InfoSec 
24 days ago
Security Tools for AWS · GitHub
Security Tools for AWS
I often get asked which tools are good to use for securing your AWS infrastructure, so I figured I'd write a short list of some useful Security Tools for the AWS Cloud Infrastructure.

This list is not intended to be completely exhaustive; rather, it provides a good launching pad for someone as they dig into AWS and want to make it secure from the start.
aws  infosec  cloud_computing  security_best_practices 
4 weeks ago
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 Adopted on 25 May 2018
"Before the adoption of the GDPR, the Article 29 Working Party established that certification could play an important role in the accountability framework for data protection. In order for certification to provide reliable evidence of data protection compliance, clear rules setting forth requirements for the provision of certification should be in place...."
gdpr  certification 
5 weeks ago
C-Suite Communication: What Your CEO Respects and Wants
“Tell me what I don’t already know.” Your average C-suite audience has years of accumulated knowledge and experience, and access to vast volumes of information about the business. We often see presenters wasting precious moments reviewing facts and data that the C-suite already understands or assumes as the baseline. This quickly communicates a lack of insight on the part of the presenter, and loses the audience. Instead of lingering over familiar areas, focus on what’s around the corner, what’s new, or what surprises may be in store. Remember, you bring a unique vantage point to the discussion, so don’t hesitate to leverage that with your senior audiences.
“Tell me what I need to do.” C-suite leaders also share their frustration when a speaker is reluctant to take a stand. Even at senior levels, it is not uncommon for those engaging with the C-suite to hesitate to rock the boat, and the desire to please can overtake the situation. While at times it is certainly appropriate to stay neutral and offer options or choices, it is also true that senior leaders seek answers and a clear perspective to help run the business. Being able to move beyond the tactical execution role of a “pleaser” to the strategic role of executive peer requires bringing recommendations about outcomes and benefits to the table. As one client said, “It is not enough to share your point of view on what the data means or provide options. You are the expert. What do you recommend?”
c_suite_communications  business  infosec 
8 weeks ago
Predict Which Security Flaws Will be Exploited, Patch Those Bugs | Decipher
Research firm Cyentia Institute and security company Kenna Security analyzed existing vulnerability information and found that most remediation methods are just as effective as a strategy where vulnerabilities are selected randomly.
patching  strategy  risk  cybersecurity  vulnerabilities 
9 weeks ago
DPI-2018 Panel - Dress to Hack: Beyond the Hoodie
Technical women face many challenges in dressing for their jobs. Some concerns are shared with other professional women, and some are unique to women in technical roles. Do senior business leaders underestimate you if you are dressed casually? Are your technical contributions taken seriously if you dress up? Our panel will draw upon our own unique experiences across different job roles to discuss these common questions. How we dress depends on what we do, who we interact with, and what we are trying to accomplish. We faced different expectations in our work environments and handled the challenges differently, but we all had to balance fashion and professionalism, manage clothing budgets, and make decisions to ensure our clothing didn’t interfere with our jobs. Our panel can discuss how our approaches differed for managers and individual contributors. We hope to share our insights and provide guidance on dressing professionally in the workplace.
diana  defcon  dress_to_hack 
10 weeks ago
Moving Fast and Securing Things – Several People Are Coding
With all of this in mind, we created goSDL, a tool that brings all these concepts together, enabling our developers to produce secure features at high output with low friction. The tool (which you can find here: https://github.com/slackhq/goSDL) is a web application that guides anyone involved with a new feature, like developers or PMs, through questions and checklists to improve the security posture of whatever they’re working on. The name is derived from the process of initiating a feature review — a developer uses a slash command in Slack, ‘/go sdl’, to begin the SDL process.
security  sdlc  secure_development  slack 
10 weeks ago
Q&A: Lawyer behind Hannity revelation at Cohen hearing speaks - Columbia Journalism Review
I pointed out that most of the seats in the room were occupied by members of the press, and I wrapped up by quoting Chief Justice Burger in Richmond Newspapers v. Virginia. The judge eventually ordered Mr. Cohen’s attorneys to reveal the client’s name. That’s when we had a truly Perry Mason moment: The attorney said it was Hannity, and there was a collective and audible gasp in the room. I’ve been practicing law for a long time, and I’ve never seen anything like that. Electronic devices are generally prohibited in the court, too, so five or 10 reporters rushed from the room to get that news out as soon as possible. It was like a scene from an old-time movie.
law  legal_tech 
april 2018
CTF Tidbits: Part 1 — Steganography – FourOctets – Medium
I have been asked by a few folks what tools I use for CTF’s. What I use all depends on what the CTF is. There are all sorts of CTFs for all facets of infosec, Forensics, Steganography, Boot2Root, Reversing, Incident response, Web, Crypto, and some can have multiple components involving the things mentioned above and require numerous flags to move forward in the CTF. All of these components need different sets of tools to get the flag. This is part one of the CTF tidbits series and I will more than likely add additional stuff to this in the next few days.
april 2018
Unleashing an Ultimate XSS Polyglot · 0xSobky/HackVault Wiki
When it comes to testing for cross-site scripting vulnerabilities (a.k.a. XSS), you’re generally faced with a variety of injection contexts, each of which requires you to alter your injection payload so it suits the specific context at hand. This can be too tedious and time consuming in most cases, but luckily, XSS polyglots can come in handy here to save us a lot of time and effort.

What is an XSS polyglot?
An XSS polyglot can be generally defined as any XSS vector that is executable within various injection contexts in its raw form.
xss  reference 
april 2018