During the course of my career I have had the opportunity to be exposed to a variety of leadership styles and have also adopted a style one of my own. After college, I was hired by Oscar Mayer into their Engineering Management Development Program. This six month program provided close… Continue reading
There is an important difference between “identification” and “authentication.” Identification is how a particular object (such as a person, a device, or a program) is referenced. The name badge worn by doctors and nurses in a hospital is a good example. Because of the way that identities are used to… Continue reading
A PCI Service Provider is a “Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed… Continue reading
The /var/log/wtmp file in a Linux system contains data about past user logins. An attacker may want to modify this file as one of the steps they take in covering their track. One may also want to modify utmp or btmp as well. This same technique can be used. The… Continue reading
Ever want to visit a website but don’t trust it enough to use your personal/work computer? What you need is a temporary system that is totally isolated from anything sensitive. Why not use a cloud-based virtual machine, such as offered by Amazon Web Services Elastic Compute Cloud? Here is how… Continue reading
Amazon Web Services has made it easy to implement encryption-at-rest for S3 buckets, but older S3 buckets may have predated this feature enhancement. If you have a large number of buckets, this could be a tedious thing to check via the console. Here is a simple one-liner to check all… Continue reading
Last week (9/7/2017), Equifax announced that on July 29 they discovered that an exploited web application vulnerability was being used to access a trove of consumer information for the previous 2 ½ months, until discovery. Various news outlets, such as the New York Post are starting to report that the… Continue reading
Sharing this slide because it illustrates the business value of integrating application security testing at the front of the Systems Development Life Cycle. (Slide courtesy of Veracode, Inc.)
From a compliance perspective, organizations need to have a hardening standard derived from an authoritative source with solid engineering-based reasons of why we depart from any of the recommendations. Most organizations use the Center for Internet Security (CIS) Hardening Benchmarks because that choice is easy to defend. The CIS benchmarks… Continue reading
When working on Linux it is often very helpful to review the commands that you have entered. For example, you may want to paste some of the commands into a script or may want to recreate the steps to solve the problem you were working on. Here is how I… Continue reading