How to define security requirements in an organization

What are security requirements

In every organization, it is important to define and document the cybersecurity requirements.

Requirements are mandatory security controls and practices defined by the security team, but they frequently have to be implemented by other parts of the company. In this article I call these other parts of the company “engineering teams”.

Recommendations are similar to requirements. Recommendations are very important, but optional, and very dependent on the specific case. While requirements have been decided by the company to be essential, recommendations are not.

The balance between what is mandatory (requirements) and what is optional (recommendations) is critical for keeping the organization agile and business-oriented.

Smart Contracts and Cybersecurity

I was one of those people that used to think and say that blockchain, and the different technologies around it, are solutions for problems that don’t exist. That many people talk about it without knowing any technical details or implications, or focusing on the wrong topics (e.g. politics, finance, etc.) didn’t help either.

However, lately, I have been changing my mind. I’m just starting to explore the technology, but I already think that it is very interesting, new, and that it has much more meat than I thought. I guess I was suffering from the Dunning-Kruger effect: when I didn’t know much about it, I was more sure about my thoughts. Now I have many questions.

Good communication between colleagues that belong to the same team is key

Some years ago, a colleague and I were coached by two great professionals of our company. I used to spend some days of the week with one of them, and my colleague with the other.

One of the lessons they wanted to transmit to us was the importance of great communication between colleagues. They used to talk every day, and share relevant information about different topics, meetings, or events they had participated in or discovered during the day. While they were coaching us, they used to talk about us too.

Containers: Rootful, Rootless, Privileged and Super Privileged

This article is about containers, the different types (depending on what privileges we let them have), and how they build their isolation: mainly kernel namespaces and capabilities, overlay filesystems, seccomp, and SELinux. My motivation for starting this article was to understand a bit better how the combination of container isolation mechanisms and privileges affects (increasing or decreasing) the risk posed by kernel flaws.

My introduction to Z3 and solving satisfiability problems

Z3 is a powerful framework for problem solving, developed by Microsoft Research. Given a list of restrictions and conditions, Z3 finds one solution that satisfies them all, if such a solution exists. Some complex problems can be solved easily with Z3. It can be used for multiple purposes, but some known uses in security are exploiting or checking firewall rules. It is also a handy tool for solving many CTF challenges related to encryption and keygens.

10 mental models for infosec teams

Applying these 10 mental models when making daily decisions can help any infosec team (in reality, any team) to accomplish its mission. These mental models are general knowledge and common sense. The difficult part is not knowing them, but taking them into account and applying them every day.

Introduction to Landlock

Note: I published this post in a previous blog I closed. Now I’m re-publishing it here.

Landlock is yet another sandboxing mechanism for Linux, but with important differences. Its goal is to make it possible to restrict access rights to different Linux elements (e.g. filesystem access) in a secure and programmatic way, without the need for admin privileges.

Introduction to dependencyCheck: an open source Software Composition Analysis (SCA) tool

dependencyCheck is an open source dependency security scanner. This kind of tool is also called SCA (Software Composition Analysis).

dependencyCheck identifies which dependencies (aka third-party libraries) a piece of software is using and indicates whether any of them has known vulnerabilities.
