Blog

Jemurai's Digital Stream of Consciousness

Oops! A discussion about priorities and risk

Risk February 05, 2019

This post is about a case where we didn’t follow our own advice or industry best practices and it bit us. But then interesting other things ensued and we learned some things.

Read More
A Trello Template for AppSec Program Projects

Security Appsec program January 30, 2019

Read More
Announcing SecuritySignal.io

Security January 24, 2019

We are pleased to announce our initial work on Security Signal.

Read More
What is an AppSec Program

Security Appsec program January 23, 2019

Most companies that we work with are building software. That’s not a surprise because that’s our niche. Yet a surprising number of those companies don’t know about application security programs. Even companies with sophisticated security teams often struggle with application security and don’t take a programmatic approach to it. Why? Because it is really hard and requires knowledge of how application development and SDLC’s work. In this post, I’ll talk about some of the high level parts of successful AppSec Programs we’ve seen.

Read More
Implementing Authorization Properly

Application security Engineering January 16, 2019

Almost every time we do a penetration test or code review, we find problems with authorization. Sometimes we call these horizontal or vertical privilege escalation. Sometimes we call it instance based restriction gaps or function based restriction gaps. Ultimately, many applications fail to implement clear restrictions on who can do what. This post attempts to revisit these types of findings, explain a bit about how we test for them and talk about some standard ways of addressing them.

Read More
JASP Check Deep Dive: Redshift

Cloud security Jasp November 30, 2018

Redshift is Amazon’s data warehousing solution. Here’s how they describe it on its promo page:

Read More
Don't rely on X-XSS-Protection to protect you from XSS

Security November 28, 2018

The X-XSS-Protection header only helps protect against certain reflected XSS attacks. It does nothing for stored XSS attacks. Don’t rely on it to protect your site from XSS!

Read More
JASP Check Deep Dive: S3

Cloud security Jasp November 08, 2018

It is very common to find Amazon S3 buckets misconfigured. We found one in a pen test this week.

Read More
JASP Meta: November 2018 Edition

Jasp Startup November 06, 2018

Building JASP has been a really interesting experience for all of us at Jemurai. This post captures some of what I think we’re seeing and learning right now.

Read More
JASP Check Deep Dive: ECR

Application security Cloud security Jasp October 31, 2018

As we build JASP, we’re brainstorming and learning about security (so far, primarily in AWS). This is the first in a series of “Check Deep Dive” posts that talk about things we are checking for in JASP. It seems like an interesting area to share information. Incidentally, we’re also going to post more meta posts about the Jemurai and JASP journey.

Read More

← Newer posts 2 of 7 Older posts →

Blog

Want to stay up to date with the lastest from Jemurai?