Jemurai's Digital Stream of Consciousness

  • Exploring CloudTrail

    Security Cloud security

    We had a customer ask us to dig for some indicators of compromise in their AWS account. We are already using our JASP tool to help them to check security configurations in general, so we took the opportunity to formalize some of what we’re doing into a tool which we plan to open source once we clean it up. This post presents some of the types of things that are challenging to just check in JASP and how we’re thinking about the tool.

  • Sharing Files with S3 Safely

    Security Cloud security

    It seems to me like back in the day, all the companies we worked with shared files with FTP. Remember FTP? A surprising number of enterprise integration patterns depended on FTP and eventually SFTP.

  • Managing Dependencies

    Security Appsec program

    A common question came up again this week working with a developer (and friend) at a partner that does custom software development.

  • Oops! A discussion about priorities and risk

    This post is about a case where we didn’t follow our own advice or industry best practices and it bit us. But then interesting other things ensued and we learned some things.

  • A Trello Template for AppSec Program Projects

    Security Appsec program

  • Announcing

    We are pleased to announce our initial work on Security Signal.

  • What is an AppSec Program

    Security Appsec program

    Most companies that we work with are building software. That’s not a surprise because that’s our niche. Yet a surprising number of those companies don’t know about application security programs. Even companies with sophisticated security teams often struggle with application security and don’t take a programmatic approach to it. Why? Because it is really hard and requires knowledge of how application development and SDLCs work. In this post, I’ll talk about some of the high level parts of successful AppSec Programs we’ve seen.

  • Implementing Authorization Properly

    Almost every time we do a penetration test or code review, we find problems with authorization. Sometimes we call these horizontal or vertical privilege escalation. Sometimes we call it instance based restriction gaps or function based restriction gaps. Ultimately, many applications fail to implement clear restrictions on who can do what. This post attempts to revisit these types of findings, explain a bit about how we test for them and talk about some standard ways of addressing them.

  • JASP Check Deep Dive: Redshift

    Cloud security Jasp

    Redshift is Amazon’s data warehousing solution. Here’s how they describe it on its promo page:

  • Don't rely on X-XSS-Protection to protect you from XSS

    The X-XSS-Protection header only helps protect against certain reflected XSS attacks. It does nothing for stored XSS attacks. Don’t rely on it to protect your site from XSS!
