6 RESULTS IN TAG "policy":

Implement "security.txt" to advocate responsible vulnerability disclosure

After discussing CAA records in DNS to whitelist your certificate authorities in my previous article, do you know it is only a matter of time before someone finds an issue with your web presence, website or any front-facing application? If they do, what do you expect them to do? Keep it under wraps, or disclose it to you "responsibly"? This article is for you if you advocate responsible disclosure; if not, you have to catch up with reality (I shall come back to you later!). Now, while we are on responsible disclosure, the "well-behaved" hackers or security...

Restrict which Certificate Authorities (CAs) may issue SSL certs: enable a CAA record in DNS

It had been a long time since I audited someone's DNS zone file, but recently, while checking a client's DNS configuration, I was surprised to find that the CAA records were set randomly, "so to speak". I discussed it with the administrator and was surprised to learn that he had no clue what CAA is, how it works, or why it is so important to enable it correctly. That made me wonder how many of us actually know that, and how it can be a saviour if someone attempts to obtain an SSL certificate for your domain. What is CAA? CAA, or Certificate Authority Authorization...

An Interview by Timecamp on Data Protection

A few months back I was featured in an interview on Data Protection Tips with Timecamp. There were only a handful of questions, but they are well articulated for any organisation that is proactive and wants to address security in corporations, along with its employees' and customers' responsibilities. -- How do you evaluate people's awareness regarding the need to protect their private data? This is an exciting question, as we have often faced challenges during data protection training in evaluating with certainty that a person has understood the importance of data security and is not just mugging up for the test. Enterprise Security...

Don't be a security snob. Support your business team!

There have been many times when access controls were discussed in meetings related to web development. In an interconnected world of APIs, it is very important to understand how these endpoints are authenticated. One of the best approaches, which I always vouch for, is mutual authentication with SSL certificates (or two-way SSL). Most of the time it is viable, but it fails when either party cannot support it (and hence it is no longer mutual). So, what do you do when the business can't implement your "security requirement"? The role of security is not to hinder the business, but...

Digital Authentication and Password Rules by NIST

Passwords are important, and it's no secret that we are bad at choosing complex passwords during sign-up processes. The initial idea of OneID, or OAuth, is not doing very well for the common user, and therefore people are registering on hundreds of websites (commercial, social networks, banks etc.) without managing password complexity well. While the tools to crack 8-10 character passwords keep getting faster, people still resent keeping passwords longer than 6 characters with minimum complexity. Digital authentication is all around us and is accelerating exponentially with the advent of IoT devices. All...

Employers investing in Social media Policy

While the topic may sound too dramatic, this may soon shape into a legal IP (Intellectual Property) rights issue in the coming times. Over the last few years, there has been a constant change in firms' outlook on our personal cyber life. Some firms I know have been very aggressive in putting a strict policy upfront, at the time of joining. We are pushing our social IQ, and increasingly becoming more vocal sitting behind a device connected to the internet. I believe that, with fast-paced social media expansion, two things are converging very rapidly: your personal opinion and...