Not Insecure


In Not Insecure, a Security Developer and a Product Manager discuss a range of security topics, including general industry trends, prioritizing security features in products, SMB and startup security, and technical security questions.

Jemurai


    • Latest episode: Apr 17, 2020
    • New episodes: infrequent
    • Average duration: 8m
    • 18 episodes



    Latest episodes from Not Insecure

    #SecurityCulture: TLDR on Zoom IRL

    Apr 17, 2020 (2:03)

    Welcome to the 15th episode of our Security Culture Campaign! On today’s show Matt Konda discusses Zoom security. We wrote a longread blog post about Zoom security earlier this week, but given the attention around Zoom and all the questions we have gotten from customers, we wanted to put a quick culture video/podcast together for it as well. There are a couple of concerns.

    Protecting data: the bottom line on Zoom is that you can’t assume that it is secure between you and your meeting guests. Therefore, you shouldn’t use Zoom for protected or regulated information.

    Security issues: Zoom has had a number of embarrassingly bad security issues. Many software companies will have those. We think Zoom will have more.

    All of this being said, for meetings that aren’t about security critical information, we use Zoom because it continues to be the most reliable service we have used. We are looking for alternatives with better security profiles, but … well, we’re still looking.

    The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

    #SecurityCulture: OWASP Juice Shop

    Apr 9, 2020 (1:18)

    Welcome to the 14th episode of our Security Culture Campaign! On today’s show Matt Konda discusses OWASP Juice Shop. The OWASP Juice Shop is an amazing resource for both developers and folks working in application security (or those interested in learning application security!). It is easy to run: you can run it in Heroku at the click of a button, or you can build from source or run it in a Docker container. Remember that it is a deliberately vulnerable application, though, so run it only where that is acceptable. Once you have it running, you can use the open book Pwning OWASP Juice Shop to learn more about the exercises or about setting it up for training. The platform includes a ton of challenges, from SQL Injection to XSS to Privilege Escalation and Business Logic Abuse. Many of the challenges can be completed with just browser developer tools!

    #SecurityCulture: Least Privilege

    Apr 3, 2020 (2:05)

    Welcome to the 13th episode of our Security Culture Campaign! On today’s show Matt Konda discusses least privilege. Least privilege is at first glance obvious and self-defining: it means only giving users the access they actually need to perform a particular task in a system. On its face, it seems like you would never give users more privileges than they need, so it should be something we do by default all the time. Examples where we apply least privilege include:

    • Google Drive: who should be able to read, comment and edit on which drives and documents?
    • AWS: what services does a given application need?
    • Our custom code: what do the roles and privilege models look like?

    In practice, applying least privilege can be difficult for a couple of reasons. Learn more on the blog.
    #SecurityCulture: Adversaries

    Mar 26, 2020 (2:19)

    Welcome to the 12th episode of our Security Culture Campaign! On today’s show Matt Konda discusses adversaries and some of the things they might be thinking about as they come at you in the real world. For example, adversaries are engaging in spam campaigns targeting all of the folks who’ve suddenly found themselves working from home. I recently received a spam email message about a delivery confirmation for a “WiFi Extender” that I had supposedly purchased from Amazon for $250 with a $50 delivery charge. Just seeing the email made me angry (I would never pay $50 for delivery, I’m a PRIME member darn it!) and I almost clicked through. Then I realized that was the intent: I was being baited into taking an action. I never bought the extender from Amazon in the first place! Of course, on closer inspection, the email wasn’t from Amazon, nor was the order link to the Amazon website. This brief podcast talks about how an adversary might use anger, fear, or even jealousy in a time of heightened emotions to get you to do something you wouldn’t otherwise do.

    #SecurityCulture: Security and Working Remotely

    Mar 19, 2020 (2:34)

    Welcome to the 11th episode of our Security Culture Campaign! On today’s show Matt Konda discusses remote work and security. We put together a checklist for securing your remote work environment that you can download and use across your teams. The highlights are:

    • Secure your home network. Use WPA2 and a complex password, and don’t share it with everyone.
    • Phishing is always something to watch for, but expect more of it, and expect coronavirus-related tricks.
    • Use 9.9.9.9 as your DNS provider.
    • Have a room that closes, with storage that locks, and keep any company private information locked up.
    • Don’t share your computer with your family, relatives or friends.
    • Make sure your laptop is encrypted (BitLocker or FileVault for most people).
    • Update your operating system and programs frequently. Favor automatic updates if possible.
    • Use antivirus.
    • Use approved file sharing and communications (e.g. Drive and Slack, or OneDrive and Teams).

    Check out the corresponding blog post to learn more.

    #SecurityCulture: Vulnerable Dependencies

    Mar 12, 2020 (1:48)

    Welcome to the 10th episode of our Security Culture Campaign! On today’s show Matt Konda talks vulnerable dependencies. When we build software, we use lots of libraries that we didn’t write. They could be open source, they could be commercial, they could even be framework code provided by a big company as part of a platform. In any case, we have lots of code running in, over, under and around the code we actually write. If there is a problem in any of that surrounding code, it can affect the security of the software we are writing. Check out the corresponding blog post to learn more.

    #SecurityCulture: Passwords and Password Managers

    Mar 5, 2020 (1:35)

    Welcome to the 9th episode of our Security Culture Campaign! On today’s show Matt Konda talks passwords and password managers. The first thing to know is that weak passwords are often the easiest way to get access to information. People:

    • Choose really simple passwords, like password or abcd1234
    • When special characters are required, tend to use something like P@ssword1
    • Use surprisingly easy to guess formats like CompanyYear!
    • Reuse passwords across different websites

    When we do pen testing, guessing passwords is a surprisingly effective way to get access to a system! We’ve worked with clients where we’ve seen an adversary running a botnet with 100,000 computers slowly but consistently testing passwords one by one, gleaned from, for example, the billion-user Yahoo! data breach. So this is very real. Read more on the blog.

    #SecurityCulture: Authorization Testing

    Feb 27, 2020 (1:37)

    Welcome to the 8th episode of our Security Culture Campaign! On today’s show Matt Konda talks testing for authorization. Authorization is the idea that a user can only do what they should be able to based on their role. It is synonymous with access control. Consider the case of a consulting firm with:

    • Consultants that record time and submit timesheets (let’s say Joe and Brian are consultants)
    • Managers who approve timesheets (let’s say Matt is a manager)

    There are several types of authorization that need to be implemented in a typical time tracking system. We need vertical access control implemented to prevent a consultant from approving their own timesheet. We need horizontal access control, or instance-based access control, to prevent Joe from seeing, modifying or submitting Brian’s timesheet. Unfortunately, in all my years as a developer, I often observed that we applied security to search functions and admin functions but not necessarily to update, delete and view functions on an instance, because we thought it would somehow be very difficult to create a fake request. I believe this issue is common in real world applications. We certainly see it in many pen tests. Read more on the blog.
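    The consulting-firm scenario above, as an added Python illustration that is not Jemurai’s code (the user names, roles, sample timesheets and the `is_allowed` helper are constructed): every view, submit and approve handler loads the requested instance and checks the caller against it, so a forged request for someone else’s timesheet id is refused rather than trusted.

```python
# Added illustration of the timesheet scenario (not the podcast's own code):
# vertical (role) and horizontal (instance) access control on one resource.
from dataclasses import dataclass


@dataclass
class Timesheet:
    id: int
    owner: str              # consultant who recorded the time
    status: str = "draft"   # draft -> submitted -> approved


# Constructed sample users and data: Joe and Brian are consultants, Matt is a manager.
ROLES = {"joe": "consultant", "brian": "consultant", "matt": "manager"}
TIMESHEETS = {1: Timesheet(1, "joe"), 2: Timesheet(2, "brian")}


class Forbidden(Exception):
    """Raised when the caller is not authorized for this action on this instance."""


def _load(ts_id: int) -> Timesheet:
    # Look the instance up by id, exactly as a handler for /timesheets/<id> would.
    if ts_id not in TIMESHEETS:
        raise KeyError(ts_id)
    return TIMESHEETS[ts_id]


def view_timesheet(user: str, ts_id: int) -> Timesheet:
    """Horizontal check: a consultant may only see their own timesheet; managers see all."""
    ts = _load(ts_id)
    if ROLES[user] != "manager" and ts.owner != user:
        raise Forbidden(f"{user} may not view timesheet {ts_id}")
    return ts


def submit_timesheet(user: str, ts_id: int) -> Timesheet:
    """Horizontal check on a write: only the owning consultant may submit."""
    ts = _load(ts_id)
    if ts.owner != user:
        raise Forbidden(f"{user} may not submit timesheet {ts_id}")
    ts.status = "submitted"
    return ts


def approve_timesheet(user: str, ts_id: int) -> Timesheet:
    """Vertical check: only managers approve, and never their own sheet."""
    ts = _load(ts_id)
    if ROLES[user] != "manager" or ts.owner == user:
        raise Forbidden(f"{user} may not approve timesheet {ts_id}")
    if ts.status != "submitted":
        raise ValueError("only submitted timesheets can be approved")
    ts.status = "approved"
    return ts


def is_allowed(action, user: str, ts_id: int) -> bool:
    """Authorization-test helper: True if the action is permitted for this user and instance."""
    try:
        action(user, ts_id)
        return True
    except Forbidden:
        return False
```

    An authorization test suite is then a matrix of `is_allowed` calls over each role, each action and an instance the caller does not own.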

    #SecurityCulture: Secrets

    Feb 20, 2020 (1:20)

    Welcome to the 7th episode of our Security Culture Campaign! On today’s show Matt Konda talks secrets. A secret is anything that is used in a running system as a way to prove that you are who you say you are. A secret could be:

    • Database password
    • SSH key
    • Private key
    • API key
    • AWS secret
    • User’s password

    In this episode you’ll learn how to find and protect secrets. Read more on the blog.

    #SecurityCulture: Static Analysis

    Feb 13, 2020 (1:52)

    Welcome to the 6th episode of our Security Culture Campaign! On today’s show Matt Konda talks static analysis. There are a lot of static analysis tools out there. The simplest might be eslint, for which there are even security rulesets; their docs have some handy illustrations of the types of things these tools can find. We recommend:

    • Using a linter locally in your code editor if applicable, but only if applicable
    • Using a static analysis tool in your CI/CD pipeline, if it finds useful things
    • Assuming you may need to spend time tuning the tool to get the results you want
    • Starting with free tools and building the process and habit, then considering commercial tools
    • Augmenting static analysis with code review
    • Considering an assisted code review strategy

    Read more on the blog.

    #SecurityCulture: Patching

    Feb 6, 2020 (1:23)

    Welcome to the 5th episode of our Security Culture Campaign! On today’s show Matt Konda talks patching. Patching is the process of updating software. The takeaway is: we need to patch our systems even though we think it is a pain. This is a foundational but surprisingly difficult thing to take care of. We recommend:

    • Turn on auto updates for everything on endpoints (laptops, phones)
    • Patch at least monthly in general
    • Be ready to apply a critical patch in 24-48 hours
    • Track cases where you can’t and resolve them

    Read more on the blog.

    #SecurityCulture: Gift Card Scams

    Jan 30, 2020 (1:40)

    Welcome to the 4th episode of our Security Culture Campaign! On today’s show Matt Konda talks gift card scams. This topic is less technical and more social engineering focused, but it is relevant to developers and general audiences alike. The takeaway is: any time you are asked to use a gift card, or, for that matter, to do anything “urgently”, you should think twice or three times. It also means that as we build systems, we should be cognizant of what is reasonable to ask for from a user and design systems and processes that are robust to social engineering without putting undue onus on the user.

    #SecurityCulture: Injection

    Jan 23, 2020 (1:32)

    Welcome to the third episode of our Security Culture Campaign! On today’s show Matt Konda talks injection, which is a serious class of vulnerability that can happen in any language. Injection happens when user-supplied data is treated as part of an OS command or part of a query, usually through string concatenation. As developers, we need to apply appropriate controls. Strict input validation is always recommended, but in addition we need to do one or more of the following to prevent injection in various parts of our apps:

    • Parameterize queries
    • Decouple user input from real file system paths
    • Use shell encoding

    Injection resources include:

    • The OWASP Top 10: #1 Injection
    • Sqlmap
    • Metasploit
    • Query Parameterization Cheat Sheet
    • Testing for Command Injection

    #SecurityCulture: OWASP

    Jan 16, 2020 (1:44)

    Welcome to the second episode of our Security Culture Campaign! On today’s show Matt Konda introduces OWASP. OWASP resources include:

    • The Top 10
    • ASVS
    • Testing Guides
    • Proactive Controls
    • Glue, Dependency Check, Amass, ZAP and DefectDojo
    • Conferences like Global AppSec, AppSec California, etc.
    • Local chapter meetings

    #SecurityCulture: Intro

    Jan 13, 2020 (0:50)

    Welcome to the first episode of our Security Culture Campaign! On today’s show Matt Konda introduces the campaign and why we’re doing it. The Jemurai Security Culture Campaign Series will be a stream of topical content intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts. Of course, really making security part of an organizational culture means a lot more than just having content and giving some cycles to security. It means that:

    • When developers say they need time to work on security, they get it
    • There is broad tool support
    • Questions and issues are treated as opportunities for improvement
    • Testing is automated and encouraged
    • Stakeholders understand how the systems might be misused
    • People are continually learning

    It typically takes ongoing effort over a period of time, and relationship building as well. We hope that the content here will be a part of helping dev teams to build a security positive culture.

    Cybersecurity for SMBs and Startups

    Jul 30, 2019 (56:29)

    Welcome to the third episode of Not Insecure! On today’s show Matt Konda, Joe Kerby and Keely Caldwell discuss cybersecurity for small to medium sized companies and startups.

    Topics:

    • Most small companies are not doing anything for security. Why not?
    • Benefits of implementing security early on.
    • Actions small companies could start doing now to improve security posture.
    • Affordable and free security resources for startups and SMBs.

    Resources:

    • Authy
    • securityprogram.io
    • Google Phishing Quiz
    • Bitwarden
    • KeePass Password Manager
    • MFA Details for Google
    • MFA Details for O365

    Pushing Left

    Jul 19, 2019 (43:41)

    Welcome to the second episode of Not Insecure! On today’s show Matt Konda, Joe Kerby and Keely Caldwell discuss “pushing left”.

    Quick kudos to:

    • Josh Corman / James Wickett for Rugged and Rugged DevOps
    • Mark Miller / Shannon Leitz / Matt Tesauro for DevSecOps
    • Tanya Janca for “Pushing Left”

    Topics:

    • What does pushing left even mean?
    • Technical and non-technical parts of pushing left
    • Does pushing left apply to companies that aren’t building things?
    • How do we push left on internal projects?

    Resources:

    • Cost to Fix Bugs During Each SDLC Phase
    • Security in the SDLC
    • Integrating Software Assurance Into the SDLC
    • Understanding and Controlling Software Cost
    • Rugged DevOps
    • Pushing Left, Like a Boss

    The Ins and Outs of Building a Security Product

    Jun 11, 2019 (33:45)

    Welcome to the first episode of Not Insecure! On today’s show Matt Konda, Joe Kerby and Keely Caldwell discuss being a developer and product manager in the cybersecurity field, what we’ve learned building security tools, what small businesses should be doing for security, and more.

    Topics:

    • What is it like to be a developer and product manager in the security field?
    • Why are we building securityprogram.io? What’s been hard?
    • What is NIST 800-53?
    • What is multi-factor authentication?

    Resources:

    • securityprogram.io
    • Jemurai
    • NIST 800-53
    • Auth0
    • MFA Details for Google
    • MFA Details for O365
