Social Network For Security Executives: Network, Learn & Collaborate
The 80/20 rule (also known as the Pareto Principle) is one of the most beautiful rules; it has helped me to achieve as well as to fail. In most of the cases where I went wrong, it finally turned out to be a matter of figuring out the “right few”. This is probably one of the most elusive rules: it is easy to understand but extremely difficult to practice.
#1: Know yourself before your enemy does.
I remember that at a recent conference the speaker asked the audience…
Added by bikash on February 20, 2016 at 2:30pm — No Comments
Formal Modeling and Automation is one of the things I love. I try to model everything; sometimes modeling helps and sometimes it lands me in trouble. It helped me when I tried to model Penetration Testing and worked with my co-founder to design our first version of an automated Penetration Testing Tool at iViZ. Where it did…
Added by bikash on February 20, 2016 at 2:30pm — No Comments
Bug bounty programs are quite common these days, with several of the biggest names in the industry having launched various avatars of the program. I have been asked by a few security managers and management teams whether they should launch a bug bounty program. A bug bounty program definitely has the advantage of crowdsourcing. However, an organization should be mature and prepared enough to launch such a program. Here are some questions which will tell you whether you are prepared or not. You are ready…
Added by bikash on February 20, 2016 at 2:30pm — No Comments
From our experience of helping organizations build their ‘Vulnerability Management’ program, we feel that one of the major challenges is that the security manager/management does not always know the reality on the ground. Obviously the management is extremely busy and has too many priorities. It is natural to get into managing whirlwinds. So, I wanted to define a few questions which can help you find out how robust your application security management program is. Not just that, by…
Added by bikash on February 20, 2016 at 2:30pm — No Comments
There is a plethora of web application scanners, every one of which claims to be better than the others. It is indeed a challenge to differentiate between them. We need to benchmark application scanners against hard facts and not marketing claims. Below are some of the most critical metrics against which you would want to benchmark a web application scanner.
False Positives…
Added by bikash on February 20, 2016 at 2:30pm — No Comments
We have heard a lot about secure SDLC (Software Development Life Cycle). So, what next? Everything transforms with time, and now is the time for Secure SDLC to be transformed. Secure SDLC is probably going to metamorphose into Secure Dev-Ops.
What is Dev-Ops?
Dev-Ops is a software development methodology which focuses on the communication and integration of Developers and IT managers. In short, it is an integration…
Added by bikash on February 20, 2016 at 2:30pm — No Comments
Choosing the right Application Security Testing Service Provider is not always an easy task. By asking the right questions and knowing what answers to look for, you can conduct a thorough evaluation of the various vendors available in the market and make the most intelligent choice for your business. There are numerous options, like buying tools, using cloud-based testing providers, or the traditional consultants. I have discussed making the right choice in another blog.…
Added by bikash on February 20, 2016 at 2:00pm — No Comments
Application Security has emerged over the years both as a market and as a technology. Some of the key drivers have been the explosion in the number of applications (web and mobile), attacks moving to the application layer, and compliance needs. Following are the key Application Security Trends which we believe the industry will observe during the year…
Added by bikash on February 20, 2016 at 1:30pm — No Comments
I have seen several organizations trying to adopt secure SDLC and failing badly at the beginning. One of the biggest reasons is that they try to use a “Big Bang Approach”. Yeah, there are several consultants who will push you to go for a big project using the classical waterfall model to adopt secure SDLC. But that’s asking too much. Changing the habits of a group is not very easy.
Typically there is a big push back, and depending on how determined you are and the amount of…
Added by bikash on February 20, 2016 at 12:30pm — No Comments
It is very important to properly define the right Information Security Metrics for an organization, to estimate the security posture and to communicate it efficiently to Board-level executives. There is a growing interest from the Board and the CEO in understanding the information security posture of the company. Many…
Added by bikash on December 2, 2015 at 9:00pm — 2 Comments
Defcon is the time when I have no business meetings and am quite disconnected from the world. A good time to immerse myself in my own thoughts. Last week, during Defcon in Las Vegas, I was thinking about how difficult it is to build a secure system. We get amazed by hacking various stuff, but it is a lot more amazing to think how tough it is to build a secure system.
The "Halting problem" makes it practically impossible to build a secure…
Added by bikash on August 14, 2014 at 9:30am — No Comments
Just had a hectic week at Defcon and Blackhat. Defcon is the largest gathering of hackers (and those interested in hacking) in the world. In the 22nd edition of the event there were nearly 15000 people from across the world who visited Vegas for Defcon.
I have been visiting both of these events for the last several years. I believe I am more…
Added by bikash on August 13, 2014 at 12:00pm — No Comments
During the last few penetration tests conducted for certain organizations, we discovered a surprising fact: almost all the SIEM implementations had gaps at the implementation level. For example, in certain cases, the SIEM did not detect anything at all while rigorous penetration testing was being conducted against the internal network.…
Added by bikash on May 2, 2014 at 12:30am — No Comments
We use security products to secure our systems and our businesses. However, the very security products we use can themselves have vulnerabilities which can leave us susceptible to attacks. We conducted a study recently to understand the vulnerability trends in security products. Read further to know more about what we discovered this time around.
How was the research conducted?
We started off with a survey of the internet to find something closely related to…
Added by bikash on May 24, 2013 at 1:00pm — No Comments
1. Run Time Application Security Protection (RASP)
Today applications mostly rely on external protection like IPS (Intrusion Prevention Systems), WAF (Web Application Firewall), etc., and there is great scope for many of these security features to be built into the application so that it can protect itself at run time.
RASP is an integral part of an application's run time environment and can be implemented as an extension of the…
Added by bikash on May 14, 2013 at 6:30pm — No Comments
A common question is: why should we engage a third-party penetration testing company? Why not choose a team from your current technical group to handle the network security test? For one, security audits, like traditional financial audits, are better done by outside companies with no bias or partiality toward anyone or anything within your organization. Another reason to hire a security testing company is that one may find it difficult to hire and retain Penetration…
Added by bikash on May 14, 2013 at 6:00pm — No Comments
What is SAST?
SAST, or Static Application Security Testing, is the process of testing the source code, binary, or byte code of an application. In SAST you do not need a running system.
What is DAST?
DAST, or Dynamic Application Security Testing, is the process of testing an application in its running state. In…
Added by bikash on May 14, 2013 at 4:00pm — No Comments
Safe Penetration Testing – 3 Myths and the Facts behind them
Penetration testing vendors will often make promises and assurances that they can test your Web Applications safely and comprehensively in your production environment. So when performing Penetration Testing of a Web Application that is hosted in a Production Environment, you need to consider the following myths and facts, which can directly or indirectly end up causing you…
Added by bikash on May 14, 2013 at 3:30pm — No Comments
APT (Advanced Persistent Threats) is the talk of the town. There is too much noise and confusion. Everybody wants to make money. Quite a few use FUD (Fear, Uncertainty and Doubt) to sell their products. I wanted to highlight the APT secrets which vendors don't tell (well, mostly).
There is no single solution for APT
APT is like a war. No single solution is good enough. You cannot have a single solution to your APT problem.…
Added by bikash on April 20, 2013 at 10:30am — No Comments
Static Application Security Testing (SAST)
SAST, or Static Application Security Testing, is the process of testing the source code, binary, or byte code of an application. In SAST you do not need a running system.
Pros
• SAST can pinpoint the code where the flaw is.
• You can detect vulnerabilities before the application is deployed:…
Added by bikash on April 17, 2013 at 9:30pm — No Comments
Started by Maheshkumar Vagadiya Jul 30, 2020. 0 Replies 0 Likes
Share the instances where you were able to convince the Executive management/board that the CISO function is an enabler rather than a hindrance. Thank you, Mahesh
Started by CISO Platform. Last reply by Yogesh Nov 19, 2020. 2 Replies 0 Likes
(question posted on behalf of a CISO member) Has anyone evaluated digital signature (like Docusign)? Any specific risk/security areas to be looked into while finalising a vendor? Any and all inputs will be very much appreciated.
Started by CISO Platform. Last reply by ANAND SHRIMALI May 20, 2020. 4 Replies 0 Likes
(question posted on behalf of a CISO member) What are your strategies for using Zoom in your organization after the recent vulnerabilities in the news about the Zoom platform? Related Question: …
Started by CISO Platform. Last reply by Bhushan Deo Mar 20, 2020. 12 Replies 0 Likes
(question posted on behalf of a CISO member) Due to the CORONA virus, most organizations are allowing their employees to work from home. Has anyone issued a security advisory for work from home?
Tags: #COVID19
# Manageengine Adaudit Plus -vs- Netwrix Auditor
# Rapid7 Nexpose -vs- Tenable Network Security Nessus
# Algosec Firewall Analyzer -vs- Tufin Orchestration Suite
# Hp Arcsight Siem Solutionarcsight Express -vs- Splunk Enterprise Splunk Cloud Splunk Light
# Cisco Meraki Mx Appliances -vs- Fortinet Fortigate
# Cloud Access Security Broker
# Distributed Denial of Service
# Network Advanced Threat Protection
© 2021 Created by CISO Platform.