Sign in Subscribe

Archive

A collection of 38 issues

Latest

Dynamic Security Scanning in a CI: ZAP Scanning with Jenkins.

Today, I will walk through configuring a daily DAST scan against an application, using Jenkins and ZAP. The process can be used similarly with any DAST scanner, depending on how the specific scanner is setup. This is the second part of a series. In part one [https://nullsweep.com/creating-a-secure-pipeline-jenkins-with-sonarqube-and-dependencycheck/

Creating a Secure Pipeline: Jenkins with SonarQube and DependencyCheck

In my last post, I talked about integrating security tools with an agile process [https://nullsweep.com/integrating-security-with-agile-development/], and mentioned some ways to automate security checks during development. In this article, I'll walk through a basic Jenkins setup for CI/CD, and integrate SonarQube and DependencyCheck for security

Integrating Security With Agile Development

> "We're practicing agile, so that means we don't do any architecture or security planning" - A Project Manager I spoke with Agile is sometimes used as an excuse to bypass controls in large organizations. Fortunately, agile methodologies and security methodologies work really well

Launching the Mozilla Plugin Privacy Test Database

Today, I launched the Plugin Privacy Test Database for Mozilla plugins [https://nullsweep.com/mozilla-plugin-privacy-database/]. The tests attempt to determine whether plugins passively gather data about users browsing habits. In this introductory blog post, I will outline the test methods used and some of the results limitations. For a step

Digging Through Someones Past Using OSINT

Recently, a distant cousin reached out to me for help in researching a persons history. My cousin's father had met and gotten engaged to a woman who my cousin thought was trying to steal from him. After starting this relationship, he started to change his behavior - pushing

Personal Security & Privacy Tools I Recommend

Updated in December 2019 to account for recent changes in the product landscape. In summary, I switched from PIA to Mullvad for VPN, and no longer recommend StartPage for search. Friends and family sometimes ask me for advice about security tools or practices they should use to improve their own

How I Built an Application Inventory for a Secure Development Program

When I first formed the Secure DevOps team, one of the first things I set out to do was to understand our software landscape. Our company has traditionally done a pretty good job of maintaining a list of all running IT applications (we use ServiceNow [https://www.servicenow.com/] and

Building a World Class Application Security Program

In this article, I will walk through setting up a modern appsec program from scratch. The goal is to help security professionals building a new application security program, but there should be plenty of ideas that can be adapted into existing programs as well. I'll start by looking

How to Detect If a Browser Plugin is Spying On You - A Complete Guide

I'm a huge privacy advocate, and I use a number of plugins to help protect my privacy from trackers around the web. Some of these plugins come from well known organizations, such as the EFF (their excellent privacy badger plugin). Others are open source and supported by excellent

A Comprehensive Web Server Security Guide

A lot of security advice I read tends to fall into two camps: tailored to enterprises with full time security and infrastructure teams, or rapid fire tool installation without context for solo web developers. In this article, we will tread a middle path, and look at some ways to manage