Daniel Szpisjak
Thinking like an attacker
The best defense is a good offense! See things from your enemy’s point of view! It takes a thief to catch a thief! All great advice; however, it is hard to act on it without knowing the context in which it applies. The goal of this post is to provide that context. Who are the attackers? What are their goals? Where are they? That’s what we will cover! Who is the attacker?
Daniel Szpisjak
Defense in Depth a.k.a the Castle Approach
Imagine you are back in middle school and your new science homework is The Egg Drop Project. For those of you not familiar with it, here is a brief description: your task is to design a protective structure for an egg. Once you have finished, the egg will be placed in the shuttle you created and dropped from a certain height. The egg must survive the fall without harm! Here is a hint: defense in depth.
Daniel Szpisjak
States of data
Probably the most valuable thing you need to protect is data. You may own this data, or you may just be its custodian. It might be sensitive, such as PII and credentials, or just metadata you collected and organized. No matter its type or content, when you think about its security here is what you need to keep in mind. Data is kind of like water. Water is essential for life, just as data is critical to the business.
Daniel Szpisjak
How much security is enough?
As a security engineer, I regularly work with developers. Together we draft various ideas and try to find the best possible solution to the problem at hand. During this process, the following question always comes up in some form: how secure should this be? Simple as it may seem, a lot of thought usually goes into answering it. Let’s see why! There are quite a few things in play here: legal and business requirements, the risk of exploitation, cost of mitigation, loss expectancy, business impact, etc.
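As an added example (not code from the post or from the author), here is the quantitative side of that trade-off: expected annual loss from a threat (ALE = SLE × ARO, the standard annualized loss expectancy formula) compared with the yearly cost of each candidate mitigation via return on security investment (ROSI), with legal requirements overriding the arithmetic. The threat, the mitigations and every figure below are constructed for illustration and are not from the post.

```python
"""How much security is enough? A small quantitative model.

Constructed example (not from the original post): compares the expected
annual loss from a threat against the cost of each candidate mitigation.
All names and figures are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss_expectancy: float     # SLE: cost of one incident
    annual_rate_of_occurrence: float  # ARO: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: what the threat costs per year if unmitigated."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float
    risk_reduction: float        # fraction of the ALE the control removes, 0..1
    legally_required: bool = False


def rosi(threat: Threat, mitigation: Mitigation) -> float:
    """Return on security investment: (loss avoided - cost) / cost, rounded to 4 places."""
    if not 0.0 <= mitigation.risk_reduction <= 1.0:
        raise ValueError(f"{mitigation.name}: risk_reduction must be within 0..1")
    if mitigation.annual_cost <= 0:
        raise ValueError(f"{mitigation.name}: annual_cost must be positive")
    avoided_loss = threat.ale * mitigation.risk_reduction
    return round((avoided_loss - mitigation.annual_cost) / mitigation.annual_cost, 4)


def evaluate(threat: Threat, mitigations: list[Mitigation]) -> list[tuple[str, str, float]]:
    """Decide per mitigation: 'required' (legal/compliance obligation, cost is not
    the deciding factor), 'adopt' (it saves more than it costs) or 'reject'."""
    decisions = []
    for m in mitigations:
        r = rosi(threat, m)
        if m.legally_required:
            decision = "required"
        elif r > 0:
            decision = "adopt"
        else:
            decision = "reject"
        decisions.append((m.name, decision, r))
    return decisions


# Constructed scenario: a login endpoint exposed to credential stuffing.
THREAT = Threat("credential stuffing against the login endpoint",
                single_loss_expectancy=50_000.0, annual_rate_of_occurrence=2.0)

MITIGATIONS = [
    # cheap control removing most of the risk: clearly worth it
    Mitigation("rate limiting and bot detection", annual_cost=10_000.0, risk_reduction=0.6),
    # very effective, but costs more per year than the loss it avoids
    Mitigation("hardware security keys for all users", annual_cost=150_000.0, risk_reduction=0.95),
    # reduces no loss by itself, but the law demands it, so ROSI does not decide
    Mitigation("breach notification process", annual_cost=5_000.0, risk_reduction=0.0,
               legally_required=True),
]

if __name__ == "__main__":
    print(f"{THREAT.name}: ALE = {THREAT.ale:,.0f} per year")
    for name, decision, r in evaluate(THREAT, MITIGATIONS):
        print(f"  {decision:>8}  ROSI={r:+.2f}  {name}")
```

The point the numbers make is the one the paragraph lists: the same control can be a bargain against one threat and a waste against another, and a legal requirement short-circuits the cost question entirely. The risk-reduction fractions are the hard part in practice; they are estimates, so treat the ROSI ranking as a conversation starter with the business, not as a verdict.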
Daniel Szpisjak
A guide for software engineers in the field of IT security
Hey, I am Daniel and my mission is to guide software engineers, like you, in the field of IT security. Think of me as a good friend who has been here for a while and knows the clever little tricks you need to stay out of trouble. Security used to be a hobby of mine; now it is my passion, my craft. This blog is the collection of my thoughts and notes about IT security.