Hacker / DoorDash AppSec&CloudSec Manager / Hackfest.ca owner / Podcaster #podcastlife / AppSec / RedTeam / Quebec Gov CyberSecurity Committee / All post are my own, not my employer
Work: https://hexius.com
Owner: https://hackfest.ca
Podcast: https://securite.fm
LinkedIn: https://www.linkedin.com/in/patrickrmathieu/
Twitter: @pathetiq

Let's talk about how to innovate in cybersecurity and how to make products that don't require the end user to have security knowledge.

My latest article here: https://securityautopsy.com/transforming-cybersecurity/

We don’t lack cybersecurity ideas. We lack companies hiring juniors and products that are secure by default. These two problems are connected, and until we fix both, we’ll keep talking about a skills shortage while making it impossible to build a secure society.

Gosh, it's been a while since I posted here.

Well, here's my latest article: "Fraud & Application Security: Ignoring each other is costing your business!"

Fraud is one of the most overlooked areas in cybersecurity, often caused by insecure design and weak controls. At DoorDash I saw how easily people abuse normal features to make money. Fixing this isn’t just shifting left; it requires real collaboration between security and fraud teams.

https://securityautopsy.com/fraud-application-security-ignoring-each-other-is-costing-your-business/

Hey all, registration to Hackfest Social Engineering CTF for October is open!

Make sure to participate: https://www.eventbrite.ca/e/hackfest-social-engineering-ctf-2024-tickets-879912440797

#socialengineering #ctf

Hackfest Social-Engineering CTF 2024

The one and only Canadian Social Engineering CTF. The one and only social engineering competition in Canada!


What makes for a good intrusion / pentest report? 🚫 Sadly, it’s not what is contained within this TrustedSec blog. 🚫

If you want to provide REAL value to your customer by producing a report that is actually usable within their business, here is a quick guide on what to include:

- Risk Rating: Always include an official CVSS/EPSS/etc score and URL along with a description on why the specific impact metric levels were chosen. Ensure that the risk is contextualized to the specific risk of the business and application you are testing. Generic risk descriptions are useless!

- Risk Description: Contextualize the risk to the business, system or application. Generic language copied from OWASP/PortSwigger/etc. is not relevant, and does not help the business understand the TRUE risk.

- Steps to Reproduce: Perhaps one of the most critical aspects of the report is the steps to reproduce the finding. Oftentimes, these reports are shared with Engineers who then have to go and implement the recommended fix. Their ability to reproduce the finding helps them to understand the risk, and use contextual knowledge to understand how this may be impacting other aspects of the system or application.

- Remediation Steps: Contextualized recommendations are vital to the organization, and should be as detailed as possible. Remember, most of the time it is Engineers implementing the fix, not security professionals. Also, if more than one valid recommendation exists, include them!

Unfortunately, TrustedSec's blog shows a lot of what is wrong with the penetration testing industry: providing no more value than running a scanner, and producing a report on their branded template.

At the end of the day, a customer will not see the number of hours spent behind the scenes doing the work required to produce a penetration test. The value to their organization comes from a report that is actionable. Reports like those shown in TrustedSec’s blog provide no more value than simply checking the box on what is likely an annually required test for most organizations.

#infosec #cybersecurity #pentest #reports #pentestreport #hacking #pentesting #intrusion

https://trustedsec.com/blog/level-up-your-reporting

Level Up Your Reporting


Here's a #osintchallenge #geoguessr where is this?

Not an easy one but doable!

Mini Guide: Selecting a cybersecurity vendor for SMBs

Cybersecurity is now common and a requirement for all organizations to secure themselves and their data, both the company's and their clients'. For SMBs that's usually highly complex. They have neither the knowledge nor the resources to correctly choose cybersecurity vendors or to fully understand the reports they will receive from their work. And sadly, we live in a world where sales and marketing prevail.

This mini guide will help SMB leadership and employees evaluate what they are being sold and how to make a better choice regarding cybersecurity vendor services or tooling. It is hard for anyone outside of cybersecurity to validate the quality, or even whether the vendor is selling you snake oil.

_This guide is intended for all business owners, decision makers, analysts, sysadmins or any other person in a position to decide on acquiring cybersecurity software or a service from a cybersecurity vendor._

Whatever a vendor is selling you, a firewall, a managed service (ex: Security Operation Center, SIEM, etc.), a SaaS (Software as a Service) or even a security test (intrusion test, security assessment, etc.), these next few steps will help you! You will be able to confirm if they are an experienced company and team, if they are only reselling a security product, or if they are the right fit for you.

Before diving into the mini-guide, you really need to understand the most important rule in information security/cybersecurity...

There is NO magic solution nor magic product that will solve your security. None! Nada! Nyet! Aucune! You cannot buy something to be fully secure. This will never happen.

No software, product or concept will make your organization secure, none!

Security is about processes and humans, and it's always a work in progress. It's the same as doing any administrative work in your company: you don't pay your taxes once and stop, it's year after year. Buying software or a SaaS won't make you secure. It's how you configure it and how you use it (the processes) that will make you secure in the long term.

The main thing about buying software or a service, whatever it is, is to have employees that will own the processes surrounding that new tool or service. The processes and playbooks will describe how to use it and, over time, will be improved to follow the business needs. Buying and shelving a tool will not make you secure, as the tool was supposed to help you be.

Main steps to validate a security vendor
1. Does the vendor have any employees with a security title in the company?
- Look at their LinkedIn page.
- Go to the "People" tab.
- Search for "security", "cybersecurity", "infosec", "hacking", "red team".
- If the results are inconclusive, they might just be a reseller or they are in the business without knowledge. Don't use this vendor.
- If the result is fewer than 10 security employees per 100 regular employees, they are usually under-budgeted or have a really young team that is just getting started.
- Make sure to look at the experience of all security employees to validate that they aren't new in the industry. You are looking for at least 5 to 10 years of experience on average. Juniors are fine obviously, but they need multiple seniors for support.
- Make sure they have a manager/director of the security team and security employees: VP, CSO, CISO, Head of Security, etc.

2. Validate the company reputation
- Is the company giving talks at security conferences around the world or locally? (Not sponsor shows, not a place where you pay to talk.)
- Does the company have any public reports or documentation to review to validate what their work looks like?
- Does the company have public security tools on GitHub or other online repositories?
- Reach out to previous clients to ask their thoughts.
- Reach out to local security communities (non-profit, local conference, etc.) to gather objective inputs from experts in the domain.

3. If the vendor says that their solution will fix all your security issues... skip that vendor or find how they can integrate into your security controls. Remember no solution fixes everything.

4. If the vendor says that you don't need anything else for your security, no other vendor or process... skip that vendor.

5. If the vendor doesn't offer you help to establish your processes to run their tool or services... skip that vendor.

6. If they have a few people working in the company, all with a few years of security experience, they explain to you how the tool works (training) and which processes should be built, and there is no claim that this is a magic solution, you are on a good track and should continue to work with this vendor! Congrats!

Common sense
All in all, it's common sense, but weirdly, we trust companies by default. It's not because a company exists that it has the experience or the knowledge to help you.

Hoping your search for a security vendor will be easier in the future.

And if you found this interesting, let me know!
#cybersecurity #smbs #infosec #guide #miniguide

You know what makes me laugh, but not really? Seeing some Head of Security and CISO positions that are open for more than 1 to 3 years because they ONLY want people to be on-site or ask/force people to relocate.

But more importantly, it shows that these companies, many of which are FINTECH or hold lots of sensitive data, don't care at all about security and are ignorant or simply negligent! (sic)

All tech companies need to start embracing remote work. There's NO reason to force hybrid or on-site work when you work in tech, absolutely zero ... oops, except if the board made a bad investment and rented/bought an office and didn't have any vision about remote work, which is now more than 10 years in the making.

#remotework #remoteteammanagement #remotejobs #infosec #hybridwork #onsitework #onsitepositions #hybridpositions

My 6yo's favorite game is now the mini's favorite!