Posts

Showing posts from 2021

Edgescan and Huawei - Cybersecurity - Irish Times Article and Panel Discussion

Image
I recently was interviewed by the Irish times on why is everything getting hacked and how can we change the game.... https://www.irishtimes.com/special-reports/cybersecurity-focus/criminals-have-an-inbuilt-advantage-in-the-great-cyber-arms-race-1.4651078  A recording of the Panel with Andy Purdy, CSO of Huawei North America. https://www.youtube.com/watch?v=cQJ1uSQ4IEk&t=33s Both are decent and worth a listen.

Attack Surface Management - What's old is new again!!

Image
  Attack Surface Management (ASM), a new sexy approach to cyber security visibility.  "How about we try to see what systems are exposed to the public Internet  so we can make sure they are being secured." ASM is not Vulnerability management (detection of cyber security weaknesses) but rather takes a step back to answer the question, "What do I need to secure?" but is can also help identify the SBoM (Software Bill of Materials) across deployed systems. Attack Surface Management (ASM) which provides you the ability to see all services exposed to the public internet across your global estate. As new systems are deployed, decommissioned or a system changes, ASM can inform you of the event.  This is done in real-time and on a continuous basis in most cases. I wrote a bog in 2018   when we first introduced Edgescan's ASM solution which has evolved since by including both API discovery and multi-region monitoring. API discovery  locates exposed API endpo...

Edgescan, why we do what we do.....

Image
  The cyber security industry is full of solutions to make you more secure. Some are unproven and other approaches work if deployed properly. Our industry is very fragmented. for example a recent "Cyber Defense" award I noticed has 195 categories!  I suppose we need to ask ourselves as companies from time to time why we do what we do?  So, the following post is, I guess, the reason we developed Edgescan and why we believe its a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one but both sides of the equation may have bugs. Bugs in one side (The target) may result in vulnerabilities, whilst bugs on the other side (Scanner) may result in false negatives and false positives.  Accuracy : To that end we built edgescan as a combination of automation to discover vulnerabilities at scale bu...

HSE Hack - What should we do now......personal opinion

Image
What I would do to make the HSE a more resilient organization from a cyber standpoint...... This is somewhat an open letter to my government on how to secure *our* data. I do not cover compliance or certification but more practical "Must-have" items. Awareness & Resilience (and budget) Folks who write the cheques need to understand the value and importance of cyber security. Its not a "Tax" or an "Insurance" its a process to which we try to help ensure we are somewhat resilient to breach. Breach is 9 times out of 10 more expensive than multiple years of cyber spend. Embrace cyber security! "Hackers don't give a shit" and if you are weak you will be hit. Cyber-Resilience and awareness may not prevent breach but it may limit the extent of the breach and enable us to act in a timely manner before the genie is out of the bottle.  Investment in cyber security is paramount due to the potential losses due to fraud and breach recovery. Compliance...
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA...

BBQ Cyber Security Thoughts......

Image
BBQ Cyber Security Thoughts...... During lockdown, I've taken to standing over the BBQ staring at the temperature gauge, lifting the lid occasionally and slow cooking various meats. Given the lockdown situation this provided a focal point for the day; something to attend to for the afternoon.  When standing there in a mindful stasis things go through your head, these are some of mine... "Software testing Software, who thought that would work?" "Using systems with potential vulnerabilities to discover potential vulnerabilities in systems" "Shift Left would make more sense if development was linear" "The reliance on automation to defend against a human adversary, sounds fair.....💀" "We cant improve what we cant measure; We cant secure what we cant see." "We accept false positives in scanners (Software getting it wrong) but we don't accept vulnerabilities (Software getting it wrong)." - Software testing software. "T...

Edgescan Weasel - Our new Web Security Scanning Tech

Image
  Web Application Scanning...Evolution For the past 24 months Edgescan has been developing a new Web Scanning engine, namely " Weasel ". Its a core component to the edgescan SaaS web security aspect of the service. We built it for many reasons: Faster Assessment speed. Increased coverage. Better Accuracy. More user control and configuration. Improved API support and navigation. More metrics. Javascript/Single-Page-Application (SPA) improvement. Improved content discovery. Dynamic Learning A cool thing about weasel is it has a dedicated team that not only consists of developers but also analysts and researchers. This was exciting as some of our penetration testers trained and pushed the engine and our developers implement ongoing changes. Developing a web scanning engine is certainly a treadmill and a never-ending process. Change is good, and to change often is to live well. Dynamic Learning - Once aspect that is exciting for us is the idea of continuously integrated test ca...