Blog
Filtering on: Security
-
Your First Security Hire
We often talk with companies that are thinking about hiring an FTE to help them with security. This post covers some of our thoughts and experiences in this area. As with many areas of security, there is no one size fits all approach that works here, but there are some pitfalls and ways to make it work more smoothly. Here’s the TLDR; use a tool like securityprogram.io to do the program part and hire someone that does DevOps.
-
App Meta Security Information
When we implement security programs, we often advise clients to build an inventory of their applications. There are a lot of things we can do when we know what our inventory is. We can do this right in the available tools developers are already using. This post covers one way to do this.
-
Zoom Security Reality Check
Zoom has been in the news a lot lately. In this post, we try to put the Zoom security situation in perspective. This is a longread™ with a short section at the front for those that just want the takeaways.
-
Dependency Management — A nightmare scenario
Dependency management has become a very important part of insuring the security of your applications. We’ve written about it many times in the past and even highlighted some horror stories from the Node community where it’s not uncommon for a single project to have hundreds or thousands of dependencies developed and maintained by a variety of sources. We as a community have adopted tools (such as central repositories of security advisories) and processes like semantic versioning to help reduce the burden of maintaining an application with large numbers of external dependencies. In this post we describe a situation in which what should be a harmless and routine update of external dependencies resulted in a horizontal privilege escalation.
-
Security Code Review Tool - CRUSH
We often do code review for companies. Code review is a great control whether or not you are running SAST or other tools, and we look for different things depending on the circumstances. Sometimes the review identifies gaps in authorization that tools can’t find anyway. Other times the language (eg. Clojure or Elixir) is poorly covered by tools, and clients want assurances that the code is being written securely.
-
Clojure Security and Signal
Security November 27, 2019As a developer focused consultancy, we thrive in situations where we work in new languages or try new or different things related to building apps. So when we had a chance to do some deeper security work with Clojure and specifically with Pedastal apps, we jumped at the chance.
-
Why Developers Matter For Security
Security November 07, 2019This post talks about the critical importance of actively engaging software developers in security activities and presents a few timely real world examples where this was not done sufficiently and companies paid the price.
-
October securityprogram.io Update
Our team has been crushing it on our https://securityprogram.io platform. We’re building neat features, and our customers are getting a lot out of it. I’m hoping we can release some of the case studies we’re working on soon! This post describes some of the recent advances in the tool.
-
Ransomware 101
We’ve seen a number of small and larger companies in our network targeted by ransomware in recent weeks so it seemed worth diving into some detail to talk about this topic - which I believe is a clear and present danger for companies of all sizes, including Jemurai!
-
Cloud Security In Real Life
We’re doing a fair number of cloud security assessments. This post will talk a bit about what we have found and some common ideas that seem to apply across them.
-
September securityprogram.io Update
As many of you know, we’ve been working hard on our security platform at https://securityprogram.io. This post provides a periodic update around what is going on with the product.
-
Using Github Pull Request Templates and Checks to Implement Security Checklists
This blog post will show one way to build security checklists into your code review and pull request flows in GitHub.
-
Ginkgo for BDD Infrastructure Security Testing
Recently I’ve been working on a series of unit tests in Ginkgo (a popular BDD testing framework for Golang) and thought it might make for an interesting point of reference.
-
The Not Insecure Podcast
Folks on the Jemurai team recently started a podcast in which they talk about security, and some of the challenges of building a secure security product! We thought it would be clever to call it Not Insecure.
-
Vendor Management
This post talks about the do’s and don’ts of implementing a vendor management program.
-
Jemurai and OSS
Today we added a section to our website to highlight open source software that we have been working on.
-
Update on SecurityProgram.io
In late March we announced our new offering securityprogram.io. In this post we want to provide an update around what we’ve been working on through May and how it works.
-
User Auditing with GAA
If you read the story about Samsung exposing SmartThings and AWS keys in code, which I came across through a Philippe De Ryck twitter post this AM, you might wonder how on earth those repositories came to be public. It turns out, that’s not that uncommon - and we wrote an open source tool to help clients work through this issue. This post introduces the tool and approach.
-
Encrypting Large Files
We have a client that is doing interesting data science that depends on processing very large files (100GB) that are also transferred between parties.
-
Package managers
Over the past few weeks we’ve been talking a lot internally at Jemurai about how package managers and the code repositories we use (often what people think of as open source) affect our security.
-
Announcing securityprogram.io
At Jemurai, we do a lot of custom projects building and breaking things and helping teams build more secure code.
-
Exploring CloudTrail
We had a customer ask us to dig for some indicators of compromise in their AWS account. We are already using our JASP tool to help them to check security configurations in general, so we took the opportunity to formalize some of what we’re doing into a tool which we plan to open source once we clean it up. This post presents some of the types of things that are challenging to just check in JASP and how we’re thinking about the tool.
-
Sharing Files with S3 Safely
It seems to me like back in the day, all the companies we worked with shared files with FTP. Remember FTP? A surprising number of enterprise integrations patters depended on FTP and eventually SFTP.
-
Managing Dependencies
A common question came up again this week working with a developer (and friend) at a partner that does custom software development.
-
A Trello Template for AppSec Program Projects
-
Announcing SecuritySignal.io
Security January 24, 2019We are pleased to announce our initial work on Security Signal.
-
What is an AppSec Program
Most companies that we work with are building software. That’s not a surprise because that’s our niche. Yet a surprising number of those companies don’t know about application security programs. Even companies with sophisticated security teams often struggle with application security and don’t take a programmatic approach to it. Why? Because it is really hard and requires knowledge of how application development and SDLC’s work. In this post, I’ll talk about some of the high level parts of successful AppSec Programs we’ve seen.
-
Don't rely on X-XSS-Protection to protect you from XSS
Security November 28, 2018The X-XSS-Protection header only helps protect against certain reflected XSS attacks. It does nothing for stored XSS attacks. Don’t rely on it to protect your site from XSS!
-
Security in the SDCL (Reboot)
Today I was looking back for my blog posts about security in the SDLC from 2012-2016 and I realized that I had never migrated them forward to the new website when we updated. Whoops! So … in this post I want to recap in some detail what I’ve learned about security in the SDLC.
-
Predictions Sure To Go Wrong for 2017
Security December 22, 2016I don’t have much time to listen to Sports Radio anymore, but I used to love to listen to Mike & Mike on ESPN Radio. They had a segment called Predictions, Sure to Go Wrong which was clearly their way of having fun making predictions while making fun of themselves and admitting they really had a strong likelihood of being wrong. In that spirit, I offer these predictions for 2017.
Want to stay up to date with the lastest from Jemurai?
Sign up for our monthly newsletter!