DEFCON 2020 Live Notes

I'm taking some time to attend DEFCON virtually this year. I'll be posting notes from talks, Q&A, and maybe even takeaways from "hallway" conversations I have here throughout the weekend. I tend to focus mostly on webappsec, cloud security, and interesting exploits, but there are some interesting

Secrets Management for Developers

One thing that comes up frequently in security is how to deal with application secrets. There are many methods for managing secrets, from hard coding into source code to using a credential manager to environment variables. In this post, I'll go through some Do's and Don'ts for managing secrets securely,

Government Surveillance of Protestors

Governments around the world continue to ramp up surveillance of protests and civil unrest. Here, I have tried to collect the governmental use of technologies to monitor and disrupt movements in repressive and democratic countries alike. Modern anti-protester tactics include many things: cell phone monitoring, communications disruptions, social media blocking,

Why is This Website Port Scanning Me?

Recently, I was tipped off about certain sites performing localhost port scans against visitors, presumably as part of user fingerprinting and tracking or bot detection. This didn't sit well with me, so I went about investigating the practice, and it seems many sites are port scanning visitors for dubious

My Favorite InfoSec Learning Resources

I am always learning new things about security, and sometimes mentor junior team members on where they can learn new skills. I find that a successful practitioner is one who not only spends time understanding the security concerns, tools, and skill sets, but also the underlying technologies to be protected

Advanced AWS Security Architecture

Most articles on AWS security rightfully spend a lot of time talking about the basics, such as setting up minimized IAM roles, encrypting data, and basic monitoring. It is more difficult to find guidance and specific implementation recommendations on advanced, automated security configurations. In this series of articles, I will

Deploying Docker Securely

Docker is a fantastic piece of technology for teams. Some time ago, I published a series of articles on building a Docker security program, which covers doing a threat assessment, image static and runtime analysis, and overall container patching and maintenance. I was asked recently about deployment security, which was