Collaborate Disseminate
Websockets don’t support sending auth tokens during websocket handshake as part of HTTP headers, rather only via query parameters. This has a security risk of leaking these tokens in server logs. However, if we create these JWT tokens with… Continue reading Is it secure to send JWT tokens in url query parameters if we use nonce to make it a one time token?
I am aware through hearsay of the threats exposed by certain digital assets. For example, not only should a password be kept secret, but it should not be re-used. Having the scenario unpacked for me, I now understand that password re-use i… Continue reading Is there a foundational threat model for families/domestic users?
I really like macapps.link as it helps me to quickly install a bunch of software after a fresh install. However, it doesn’t have the transparency such Windows alternatives, like ninite or winget have.
Continue reading As a security engineer would you be okay recommending macapps.link?
I am studying some published papers that demonstrate how I can a secure file system been implemented with the assistance of Intel SGX.
However, in each one of these papers, the threat model is not clearly defined. I know that SGX prevents … Continue reading File System with SGX assistance threat model
Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge […]
The post Vulnerability management, its impact and threat modeling methodologies appeared first on Security Intelligence.
Continue reading Vulnerability management, its impact and threat modeling methodologies
As you know, using machine learning we can detect malware.
We can use dynamic analysis based on WinAPI function calls and their arguments.
But what about static analysis using machine learning? In this case, we can parse Portable Executabl… Continue reading Static malware analysis using machine learning
We use the STRIDE Threat model in our company to figure out software flaws. Now we need to asses a Process. This Process (or workflow) is not only composed of software. It has human interaction, machine interaction and so on (it’s complex)… Continue reading Threat modeling on a process/workflow
I know STRIDE (from Microsoft) stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
How did Loren Kohnfelder and Prakrit Garg deduce these six threats (neither five nor seven t… Continue reading Why does threat model STRIDE only have six threat categories?
Adam Shostack, the author of “Threat Modeling: Designing for Security”, and the co-author of “The New School of Information Security”, recently launched his new book – “Threats: What Every Engineer Should Learn From Star Wars”. In this Help Net S… Continue reading Introducing the book – Threats: What Every Engineer Should Learn From Star Wars
I recently stayed at a hotel where outbound SSH traffic (and seemingly only SSH traffic) was blocked on the guest WiFi network, and I’m trying to figure out what security-based rationale they might have had for this policy. Unfortunately, … Continue reading What would be the security rationale for a hotel blocking only SSH traffic?