Manual security testing services vs. automated AppSec tools: Which to use?

Manual security testing services and automated AppSec tools have their place in DevOps. Knowing which to use will make your security efforts more effective.

Threat Modeling in the Age of Automation

Cybersecurity threats are rising fast, leading enterprises that build applications to look more closely at security measures built on precautionary principles, including threat modeling, which has become core to ensuring applications can withstand fut…

79% of organizations identify threat modeling as a top priority in 2021

Security Compass published the results of a report designed to provide a better understanding of the current state of threat modeling in mid-sized ($100M to $999M) and large ($1B+) enterprises, with a specific focus on the challenges organizations…

Threat modeling needs a reset

Organizations need to rethink their approach to threat modeling or risk losing its value as a key defense in their cybersecurity arsenals. The traditional approaches to threat modeling can be very effective, but they don’t scale well enough in th…

New tool allows organizations to customize their ATT&CK database

MITRE Engenuity has released ATT&CK Workbench, an open source tool that allows organizations to customize their local instance of the MITRE ATT&CK database of cyber adversary behavior. The tool allows users to add notes, and create new or ext…

How bad is it to store credentials in clear text on disk and in memory?

Yeah, it depends. A good answer would provide some reflections on this. I have two concrete scenarios in mind, in two concrete (and I believe common) contexts. Context 1. At home, you’re the only one with access to the computer. Context 2,…

3 areas of implicitly trusted infrastructure that can lead to supply chain compromises

The SolarWinds compromise in December 2020 and the ensuing investigation into their build services put a spotlight on supply chain attacks. This has generated a renewed interest by organizations to reevaluate their supply chain security posture, lest t…