Implement "security.txt" to advocate responsible vuln. disclosures

Rishi Narang
 (622 words)
After discussing CAA record in DNS to whitelist your certificate authorities in my previous article, do you know it’s a matter of time that someone finds an issue with your web-presence, website or any front-facing application? If they do, what do you expect them to do? Keep it under the wrap, or disclose it to you “responsibly”? This article is for you if you advocate the responsible disclosure; else, you have to do catch up with reality (I shall come back to you later!

Restrict Certificate Authorities (CA) to issue SSL certs. Enable CAA record in DNS

Rishi Narang
 (877 words)
It’s been a long time since I audited someone’s DNS file but recently while checking a client’s DNS configuration I was surprised that the CAA records were set randomly “so to speak”. I discussed with the administrator and was surprised to see that he has no clue of CAA, how it works and why is it so important to enable it correctly. That made me wonder, how many of us actually know that; and how can it be a savior if someone attempts to get SSL certificate for your domain.

DevSecOps is coming! Don't be afraid of change

Rishi Narang
 (589 words)
There has been a lot of buzz about the relationship between Security and DevOps as if we are debating their happy companionship. To me they are soulmates, and DevSecOps is a workable, scalable, and quantifiable fact unlike the big button if applied wisely. What is DevOps? The development cycle has undergone considerable changes in last few years. Customers and clients have evolving requirements and the market demands speed, and quality. The relationship between developers and operations have grown much closer to address this change.

Jump Air-gap, Low Level C&C

Rishi Narang
 (408 words)
The threat landscape is very dynamic, and new threat vectors are exploiting vulnerabilities for fun and profit. The whitehat security community is having a race against time with their counterparts. And, often the companies are becoming a target to spear phishing, APT and bots. Some institutions like financial sector, insurance sector, defense etc. have strong regulations to protect the perimeter. But, often these sectors have people working on their modern laptops with different adaptors - Wifi and Bluetooth.

Don't aid spammers with LinkedIN Open Network. LION or Sheep

Rishi Narang
 (953 words)
It’s 21st century, the year 2014 and we are still on ground zero talking about spam emails and attacks like spear phishing. No matter how stringent your controls are, how much you have invest in your “defense in depth” approach, a single human being of your firm clicking a link on an unsolicited email can crumble your empire. This is not at all melodramatic as it sounds. It is for real, is scary and sad.