HEADLINES

ARTICLES

interviewjobsearchmistakestutorial

Interview Tips: You're in the interview room. Now what?

In my last blog post on Interview Tips: Prepare well before you take off, I reckon the facts you need to be sure off, before you reach the door of your next firm, or pick the call that will decide your next lap. Now, this blog post will focus on things to do during the interview, things that can make or break your attempt. It is imperative to prepare well for what do you want, what does the company do, and where you see yourself in few years. If this sounds new to you; please take a look at my...
Read More
interviewjobsearchmistakestutorial

Interview Tips: Prepare well before you take off!

I have been working in Information Security domain long enough to understand what is it about, and where most the candidates I interview fumble. So, if you have a technical skill-set, out-of-box thinking and the passion to work, you have an excellent chance to be hired. This article will help you to avoid common mistakes and make you present yourself better & sharper. Now, this blog post shall be covered in 3 parts - five common "preparation headsup" for the interview, five common points where you might stumble during your job meeting, and finally, some interview myths to...
Read More
securityagiledevopssdlc

DevSecOps is coming! Don't be afraid of change.

There has been a lot of buzz about the relationship between Security and DevOps as if we are debating their happy companionship. To me they are soulmates, and DevSecOps is a workable, scalable, and quantifiable fact unlike the big button if applied wisely. What is DevOps? The development cycle has undergone considerable changes in last few years. Customers and clients have evolving requirements and the market demands speed, and quality. The relationship between developers and operations have grown much closer to address this change. IT infrastructure has evolved in parallel to cater to quick timelines, and release cycles. The old...
Read More
securityawarenesspolicyprivacy

An Interview by Timecamp on Data Protection

A few months back I was featured in an interview on Data Protection Tips with Timecamp. Only a handful of questions but they are well articultated for any organisation which is proactive & wants to address security in corporations, and their employees' & customers responsibilities. -- How do you evaluate people's awareness regarding the need to protect their private data? This is an exciting question as we have often faced challenges during data protection training on how to evaluate with certainty that a person understood the importance of data security & is not just mugging for the test. Enterprise Security...
Read More
securityowaspdevelopmentpolicy

Don't be a security snob. Support your business team!

There have been many a times that access controls have been discussed in the meetings related to web development. With an interconnected world of APIs it is very important to understand the authentication of these end-points. One of the best approach I always vouch for is mutual authentication on SSL certificates (or 2 way SSL). Most of the times it is viable but it fails when either of party couldn't support it (hence not mutual). So, what to do when the business can't implement your "security requirement"? The role of security is not to hinder the business, but...
Read More
securitypentestcyberattackowaspvulnerability

WAF and IPS. Does your environment need both?

I have been in fair amount of discussions with management on the need for WAF, and IPS; they often confuse them and their basic purpose. It has been usually discussed after a pentest or vulnerability assessment, that if I can't fix this vulnerability - shall I just put an IPS or WAF to protect the intrusion/ exploitation? Or, sometimes they are considered as the silver bullet to thwart off the attackers instead of fixing the bugs. So, let me tell you - This is not good! The security products are well suited to protect from something "unknown" or...
Read More
owaspvulnerabilitypatchzerodaysecurity

I know I haven't patched yet, and there's a zero-day knocking at my door

Patching is important, but let's agree it takes time. It takes time to test & validate the patch in your environment, check the application compatibility with the software and the underlying services. And then, one fine day, an adversary just hacks your server due to this un-patched code while you are testing it. It breaks my heart and I wonder "what can be done in the delta period while the team is testing the patch"? Adversary on the other hand is busy either reversing the patch, or using a zero-day to attack the systems! I mean once a...
Read More
vulnerabilitydisclosurephishing

You are safe! ROPEMAKER is nothing but a ruse

In last couple of days my security feed exploded with mention of ROPEMAKER (Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky) and my first reaction was "wow! someone broke the email, and that too post delivery. #WTF". I immediately opened the source i.e. the blogpost that Mimecast has posted explaining the issue. Frankly on first read, it was a disappointment! I think most of the people that are talking about it like a new, big fancy issue to panic about, do not understand the complete picture. Disclaimer: This post is not to offense Mimecast, or in...
Read More