Brook Schoenfield

@BrkSchoenfield

Master Security Architect. Author of Securing Systems. Solely my opinions. The Internet: an ongoing experiment in a global commons.

Joined: March 2012.

Tweets


  1. 27 Jan

    Nice summary: “You don’t need to classify a threat accurately or precisely to design a mitigation for it — and it’s mitigations that count most in the end”

  2. 23 Jan

    I cannot count the number of times I’ve encountered static credentials. It isn’t 1988. Today’s toolset easily finds these. Which means you’ve just given attackers access everywhere to whatever you thought was protected. Just. Don’t. Do. It.

  3. 23 Jan

    Unsure what functionality (esp. security) is in that source code? have released a source analyzer to enumerate: (Thanks to for tweeting)

  4. 16 Jan

    Hoist by my own petard: I lead Cisco Infosec’s 1st SaaS product security architecture programme. Linksys also. Configuring an ancient Linksys guest wifi router, the router refused my 7 character WPA2 password: must be 8! The person who required 8 worked with me. Ahem

  5. Retweeted

    As a thought exercise, before saying “The system is broken!,” instead consider that the system may be working exactly as designed. Instead genuinely ask yourself, “how that might be possible?” Doing so can be quite revealing.

  6. Retweeted
    11 Jan

    If you're running AWS, you can automate checking your environment up against the top 20 controls with this guide by

  7. 13 Jan

    Wanna be a great security architect? The practice of architecture is your foundation!

  8. Retweeted
    9 Jan

    Security culture is how developers act towards security decisions when no one is looking.

  9. Retweeted
    8 Jan

    Your most important architecture decisions might be the ones you didn’t know you made.

  11. Retweeted
    7 Jan

    Thank you to all who attended my "Hands-On Threat Modeling Workshop" today 2020. It was the first time I walked through some tools in a workshop in a while and I hope it was helpful. Slides and examples here:

  12. 7 Jan

    Just talked to & about EPSS. EPSS could become a game changer for harried Ops folks managing backlogs of . There’s a need for some dev to operationalize. I suggest folks take a look:

  14. 6 Jan

    Where did this idea originate: security contribution measured by total CVE filed? That’s just dumb. Ignore anyone who asks for your CVEs. They demonstrate their misunderstanding of what it is that we do, how we measure it

  15. 6 Jan

    Counting CVE? What about all the incredibly skilled internal bug hunters? None of their findings which are often fixed before release will ever be assigned a CVE (and mustn’t).

  16. 6 Jan

    Of course, bug hunters can also help to remove exploitable conditions in running software. Also useful.

  17. 6 Jan

    Research must improve secure design patterns. As so wisely points out: design without critique cannot/will never improve.

  18. 6 Jan

    The vast majority of CVE NEVER get exploited. Ours is not a race to uncover potentially useful conditions. Period. I sincerely hope that total CVE is not a goal for researchers.

  19. 6 Jan

    I might have missed the context? But assessing a person’s security usefulness based upon number of filed CVE? That’s a useless metric. Plus, such would discount the contributions of the vast majority of the industry.

  20. Retweeted
    5 Jan

    You can’t vouch for your own bug. You will always see it as the most beautiful bug that ever did bug. Doesn’t matter if you’re the one who does the thing, or even if you’re right. If it needs a vouch, recuse yourself. It’s ok. It’ll hold up on its own, or not. Learn either way.
