Pinned
How to DevSecOps — Part 3: The 3 Pillars of Sec in DevSecOps
Exploring the 3 main tools to use when faced with a challenge putting Sec into DevSecOps
Nov 1, 2021

Published in InfoSec Write-ups
Hacking htmx applications
With the normal flow of frontend frameworks moving from hipster to mainstream in the coming few months, during a test, you bump into this…
Sep 24, 2023

Your users are getting phished. Fight back!
TLDR: our experience on phishing submission email accounts, and some other low cost solutions to get ahead of attackers
Jun 3, 2022

Your users are getting phished. Now what?!
TLDR: sharing some practical experience on end user phishing and what you can expect from basic ways of dealing with it.
May 28, 2022

Published in InfoSec Write-ups
Testing EDRs for Linux — Things I wish I knew before getting started
Thoughts on how to simplify your tests while keeping it real, and a realistic, easy to expand initial access case.
Mar 20, 2022

How to DevSecOps — Part 4: the team
This one goes out to the people building a DevSecOps security team and the ones planning to join one, explained from the perspective of…
Nov 16, 2021

The problem with CVEs
So this one goes out to the young DevOps, shift left automation folk. I don’t think any of this is going to be new if you are an OG…
Nov 4, 2021

How to DevSecOps — Part 2: the diagnosis
Understanding the security challenges of product development and the superpowers that come with DevOps
Aug 1, 2021

Published in Nerd For Tech
Hacking Rendertron and Puppeteer - What to expect if you put a browser on the internet
tldr: do not expose Rendertron! If you run headless browsers for things other than testing, design the infra expecting they will get owned.
Jul 9, 2021

How to DevSecOps — part 1: the frame
When you find yourself over the phone, explaining something on a beach, it is a pretty good sign that you are better off typing it out at…
Jul 8, 2021

Testing docker CVE scanners. Part 2.5 — Exploiting CVE scanners
TL;DR: Most CVE scanners are not defended against exploitation when running on untrusted code/docker images. Isolate them in your…
Sep 2, 2020

Testing Docker CVE Scanners. Part 3: Test It Yourself/Conclusions
In Part 1 and Part 2 I looked at the false negatives and detection rates of Docker image CVE scanners. This time I’m sharing the…
Aug 10, 2020

Zoom: the curious case of reputational risk
As Covid hits, it is Zoom’s time to shine. Usage skyrockets and just at the time when the name itself is becoming a verb, it is being hit…
Jun 4, 2020

Testing docker CVE scanners. Part 2: How good is package detection?
TLDR: Install important components through the OS package manager, especially if you use Snyk, Clair, Trivy. Nothing detects cpp components…
Apr 21, 2020

Testing docker CVE scanners. Part 1: false negatives and what they mean for your security
TLDR: You should not assume scanners find all important vulnerabilities; results depend on the way you install; fixing highs is not enough
Apr 9, 2020

Exploit local storage to permanently break apps using good old XSS
I guess I’m not the only one who always gets the “okay but what’s the impact” question on reflected XSS findings, which is usually hard to…
Jul 6, 2017

Honey Everything — The Way Forward for Security
As a security consultant, I spend my time devising efficient protective measures — options that have the lowest impact on business…
Apr 13, 2017