Welcome to the 5th episode of our Security Culture Campaign! On today’s show Matt Konda talks Patching. Patching is the process of updating software.

The takeaway is: we need to patch our systems even though we think it is a pain. This is a foundational but surprisingly difficult thing to take care of.

We recommend:

Turn on auto updates for everything on endpoints (laptops, phones)

Patch at least monthly in general

Be ready to apply a critical patch in 24-48 hours

Track cases where you can’t and resolve them

Read more on the blog.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the 4th episode of our Security Culture Campaign! On today’s show Matt Konda talks Gift Card Scams. This topic is less technical and more social engineering focused, but it is relevant to developers and general audiences alike.

Click here for the associated YouTube video.

The takeaway is - any time you are asked to use a gift card, or, for that matter to do anything “urgently” - you should think twice or three times.

It also means that as we build systems, we should be cognizant of what is reasonable to ask for from a user and design systems and processes that are robust to social engineering without putting undo onus on the user.

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the third episode of our Security Culture Campaign! On today’s show Matt Konda talks Injection, which is a serious class of vulnerability that can happen in any language.

Click here for the associated YouTube video.

Injection happens when user inputted data is treated as part of an OS command or part of a query - usually through string concatenation.

As developers, we need to apply appropriate controls. Strict input validation is always recommended but in addition we need to do one or more of the following to prevent injection in various parts of our apps:

Parameterize queries

Decouple user input from real file system paths

Use shell encoding

Injection resources include:

The OWASP Top 10: #1 Injection

Sqlmap

Metasploit

Query Parameterization Cheat Sheet

Testing for Command Injection

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the second episode of our Security Culture Campaign! On today’s show Matt Konda introduces OWASP.

Click here for the associated YouTube video.

OWASP resources include:

The Top 10

ASVS

Testing Guides

Proactive Controls

Glue, Dependency Check, Amass, ZAP and DefectDojo

Conferences like Global AppSec, AppSec California, etc.

Local chapter meetings

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.

Welcome to the first episode of our Security Culture Campaign! On today’s show Matt Konda introduces the campaign and why we’re doing it.

Click here for the associated YouTube video.

The Jemurai Security Culture Campaign Series will be a stream of topical content intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Of course, really making security part of an organizational culture means a lot more than just having content and giving some cycles to security.

It means that:

When developers say they need time to work on security, they get it

There is broad tool support

Questions and issues are treated as opportunities for improvement

Testing is automated and encouraged

Stakeholders understand how the systems might be misused

People are continually learning

It typically takes ongoing effort over a period of time and relationship building as well.

We hope that the content here will be a part of helping dev teams to build a security positive culture.

Welcome to the third episode of Not Insecure! On today’s show Matt Konda, Joe Kerby and Keely Caldwell discuss cybersecurity for small to medium sized companies and startups.

Topics:

Most small companies are not doing anything for security. Why not?

Benefits of implementing security early on.

Actions small companies could start doing now to improve security posture.

Affordable and free security resources for startups and SMBs.

Resources:

Authy

securityprogram.io

Google Phishing Quiz

Bitwarden

KeePass Password Manager

MFA Details For Google

MFA Details for 0365

Welcome to the second episode of Not Insecure! On today’s show Matt Konda, Joe Kerby and Keely Caldwell discuss “pushing left”.

Quick kudos to:

Josh Corman / James Wickett for Rugged and Rugged DevOps

Mark Miller / Shannon Leitz / Matt Tesauro for DevSecOps

Tanya Janca for “Pushing Left”

Topics:

What does pushing left even mean?

Technical and non-technical parts of pushing left

Does pushing left apply to companies that aren’t building things?

How do we push left on internal projects?

Resources:

Cost to Fix Bugs During Each SDLC Phase

Security in the SDLC

Integrating Software Assurance Into the SDLC

Understanding and Controlling Software Cost

Rugged Devops

Pushing Left, Like a Boss

Welcome to the first episode of Not Insecure! On today’s show Matt Konda, Joe Kerby and Keely Caldwell discuss being a developer and product manager in the cybersecurity field, what we’ve learned building security tools, what small businesses should be doing for security and more.

Topics:

What is it like to be a developer and product manager in the security field?

Why are we building securityprogram.io? What’s been hard?

What is NIST 800-53?

What is multi-factor authentication?

Resources:

securityprogram.io

Jemurai

NIST 800-53

Auth0

MFA Details For Google

MFA Details for 0365