A big thank you to everyone who applied, DM'd or emailed me for the Senior Manager - Governance and Business Support role 🙏 I have received c95 applications, emails and messages so I am still working through my inbox. I will get back to EVERYONE regardless. 📥 The role is now closed 🔒 Please bear with me and thanks for your patience 🤝 #recruitment #governance
Kohort Recruitment’s Post
I wholeheartedly agree! The recent discovery of the xz attack highlights the critical importance of robust supply chain security measures. This incident not only underscores the technical vulnerabilities but also emphasizes the significance of social engineering tactics in cybersecurity threats. It serves as a stark reminder that closed source solutions are not immune to exploitation, and vigilance is paramount in safeguarding our systems and data. In today's digital landscape, companies like SUSE play a vital role in fortifying infrastructure and applications against such threats. Supply chain security must remain a top priority for organizations to ensure the integrity and resilience of their operations. For a deeper dive into the xz attack and its implications, check out this insightful blog https://lnkd.in/e3a-bmvC by my colleague Marcus Meissner - Distinguished Engineer in Solution Security.
The xz attack was not because it was open source. The attack *failed* because it was open source! The way this attack works for non-open source is the attacker spends 2 years getting an agent hired by contract software development vendor, they sneak it in, nobody finds out.
After my recent post I've been asked by a few people in private why I assert that closed source environments are not immune to security breaches, especially considering the recent attack on xz, a FOSS (Free and Open Source Software) compression tool. It's crucial to understand that the methods used in the xz incident, particularly social engineering, are not exclusive to open source projects. Closed source environments are equally vulnerable. If a target (application, OS, renowned company) holds sufficient value to an attacker, they may employ deceptive tactics, such as applying for a position within the company, leveraging fabricated references, and making significant contributions to gain trust. This might be even more attractive for paid black hat hacker groups compared to open source projects, given the potential for higher financial gain?! Similar tactics, such as consistent submission patterns beyond assigned tasks, can grant attackers increased access within the organization, eventually leading to the introduction of malicious code. This mirrors the trajectory of the xz attack, where the perpetrator gradually gained submit and release rights over several months or years. Moreover, closed source environments pose unique challenges in security oversight. Code reviews may lack transparency, and there may not be a dedicated community continually scrutinizing the code for vulnerabilities, as is common in open source projects. The openness of the code not only accelerates the discovery of any issues and debugging but also facilitates a faster resolution. A community approach will be much quicker in fixing the issue and providing a new release compared to a single company. The key message here is that irrespective of software openness, organizations must prioritize robust supply chain security measures. 
This entails implementing stringent vetting processes for contributors, maintaining transparency in code review practices, and fostering a culture of security awareness. Only through such proactive measures can we effectively mitigate the risk of similar attacks, ensuring the integrity and resilience of our systems and data. Neither SUSE Linux Enterprise Server nor openSUSE Leap suffered, for example, which underlines the benefits we at SUSE provide for your business. Additionally, the Common Criteria certification process undertaken by SUSE ensures a secure supply chain environment, fostering trust and reliability. This certification, continuing up to EAL4+, underscores our commitment to robust security practices in our development process and the protection of our customers' data and systems. While SUSE has put into place the highest security standards in an attempt to secure our software, it is imperative that each of us adhere to security best practices. It is unknown where the next attack can come from. Be prepared.
Advocating data mastery 📊 and automation innovation ⚙️ for delivering trusted 💙, compliant 🛡️, and enduring 🔋 software products.
In this case, being OSS did not help that much (see the other comments). In general OSS is better for security, but only if the users of the OSS code or any shared code:
- only pull the raw code and no artifacts
- never blindly pull “latest”
- pin all versions
- review all new versions
- build all artifacts themselves
To help with these tasks, there are tools, and the OSS community as a review hive can also help. The key point here is that code can be reviewed more easily than artifacts. Questions to the community: How many software builders live by these principles? How safe are `go get`, `pip install`, `npm install`, etc.?
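The principles in the comment above ("pin all versions", "never blindly pull latest", verify what you build) can be checked mechanically before `pip install` runs. The script below is an added example, not code from the post or any project it mentions; the requirements text and the sha256 value are constructed placeholders. It flags every line that would let a new upstream release change what gets installed, and every line whose downloaded artifact is not hash-verified.

```python
import re

# Recognises "name[extras] OP version" at the start of a requirements line.
_SPEC = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|!=|>=|<=|>|<)?\s*(?P<ver>[^\s;]+)?"
)

# Constructed sample; the sha256 digest is a placeholder, not a real hash.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=6.0          # floating range
flask                # no version at all
git+https://example.invalid/repo.git
"""


def audit_requirements(text):
    """Return (line_no, requirement, problem) for each line that breaks the
    rule "pin an exact version and verify the artifact hash"."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # blank, comment, or pip option such as -r / -e
        if line.startswith(("git+", "hg+", "http://", "https://")):
            findings.append((line_no, line, "direct URL: pin to a commit and build it yourself"))
            continue
        m = _SPEC.match(line)
        if m is None:
            findings.append((line_no, line, "unparsed requirement: review by hand"))
            continue
        name, op, ver = m.group("name"), m.group("op"), m.group("ver")
        if op is None:
            findings.append((line_no, name, "unpinned: installs whatever is latest today"))
        elif op != "==":
            findings.append((line_no, name, f"range {op}{ver}: a new upstream release changes the build"))
        if "--hash=" not in line:
            findings.append((line_no, name, "no --hash: downloaded artifact is not verified"))
    return findings


if __name__ == "__main__":
    for line_no, req, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {req}: {problem}")
```

Hash lines continued with a trailing backslash, as `pip-compile --generate-hashes` emits them, need to be joined before this check; the one-line form above is enough to show the idea.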
*MCA Helpdesk for Foreign Director OTP* We were experiencing an issue with not receiving the mobile OTP for one of our clients, a foreign director, while filing the Director KYC. We raised a complaint on the MCA portal and received the following response: "Dear Stakeholder, we have observed from our records that the Mobile OTPs are being delivered to your Mobile service provider and you may retry to file the form. If you still face OTP related issues, we have set up MCA - OTP Helpdesk Support and you may avail the service. Please make sure both the Professional and Director are available in the meeting. Please note the following: Meeting over Microsoft Teams. Timing 10.00 AM to 06.00 PM – Weekdays. https://lnkd.in/gpBTYT9k You must have the Director’s DIN, email OTP and Mobile Number to get Mobile OTP support." If you are experiencing similar issues, you can reach out to them. I was able to resolve my issue using their support. #mca #compliances #directorkyc #30thseptember
Criminals recruited to test NHS application software!!! Testing flaws in application software products requires a level of honesty and integrity; however, you can imagine the results when this process is put in the hands of criminals. They can quickly identify flaws, fail to report them and sell them on the dark web!!!
As a Director and Planning Consultant at c2c Planning Consultants Ltd, I help people get planning permission.
Apparently, this is one of the worst days, ever! Maybe one of your worst days involves a planning issue. You’ll never walk alone if you have C2C Planning Consultants by your side. Give us a call to see how we might be able to help. In the meantime, the 6 Nations starts very soon. Come stand shoulder to shoulder with C2C! (I don’t think I can add any more cheese to this post, but hit me with your best cheesy lines!)
Special Security Officer-SSO @ United States Air Force | Security Compliance |SSO SCIF Manager |TS/SCI | Veteran| Scientist
This is a crucial reminder for everyone in the security clearance process. Honesty and accountability are key. While no one has a flawless background, owning up to past mistakes can lead to positive changes. Individuals working in sensitive areas have shown that transformation is possible. By acknowledging their past, they now hold high-level clearances. Remember, honesty is the best policy. Even if the outcome is uncertain, disclosing the truth can prevent future repercussions. #SecurityClearance #Honesty #Accountability
Security Clearance Recruiting Leader | Ex-Blockbuster Video Cashier | GOVCON Enthusiast | Founder at Mount Indie | Conference Speaker | Musician in Disguise
DON'T LIE ON YOUR SF86!!! Bottom line - you sign it, you own it! In this sub there were a lot of comments that this is a widespread issue with recruitment. I honestly can't speak on that, but understand when youngsters are enlisting they want to be able to trust their recruiter. Lying on your SF86 will absolutely cause issues downstream. Not saying it will be an automatic clearance denial, but it will be considered. The topic of drug use and clearance is a very popular one. More and more candidates are admitting to drug use in the past, and still receiving successful clearance adjudications. It is all about disclosure, and the "whole person" score. Your trustworthiness to receive a clearance is based on a variety of factors including but not limited to:
🇺🇸 Citizenship Status
💵 Credit background and delinquent debt
🫣 Criminal record
🇨🇳 Foreign Connections
💊 Drug & Alcohol abuse
They are not tossing people aside for casual pot smoking at a Taylor Swift concert a few years back. Unless....
You bought the concert tickets with a stolen credit card
After getting a DUI and caught in possession of a Russian passport
Then you might have an issue. These little white lies follow you in the cleared world... I mean they are quite literally tracked and continuously evaluated. Best to just stick to the truth.
Application Security Researcher | Globally Top 25 @bugcrowd | MVP | Top 15 P1 warrior Insta - @krishnsec
Recent P1 vuln: bypassed auth for the 5th time in the same program.
1- visited the register page for employees (3 orgs listed)
2- entered email as admin@company1.tld > only then can you access the next register step
3- on the next email verification page, the email field was readonly
4- inspect > deleted the readonly restriction
5- updated the email to my own email
6- received the email verification > signed up
7- got access to company1 org features
8- on further investigation found internal creds assigned to company1 employees to access a different panel
9- triaged as P1
#P1 #bugbounty #bugbountytips #bugcrowd
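The defect in the flow above is a browser-side restriction (the `readonly` attribute) doing the job of a server-side check. The code below is an added example, not code from the post or from the program it describes; the employer domains are constructed placeholders. It shows the step-2 handler as the post describes it next to a version that only ever mails the address the server itself accepted in step 1 and aborts on any mismatch.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders for the employer domains the register page lists.
ALLOWED_ORG_DOMAINS = {"company1.example", "company2.example", "company3.example"}


@dataclass
class SignupSession:
    """Server-side state for one sign-up. It lives in the session store and is
    never sent back through a form field, read-only or otherwise."""
    email: Optional[str] = None
    org: Optional[str] = None


def start_signup(session: SignupSession, email: str) -> bool:
    """Step 1: only an address at a listed employer reaches the next step,
    and the accepted address is recorded server-side."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1]
    if domain not in ALLOWED_ORG_DOMAINS:
        return False
    session.email = email
    session.org = domain
    return True


def verification_target_vulnerable(session: SignupSession, form_email: str) -> Optional[str]:
    """Step 2 as the post describes it: the address is re-read from the form,
    so the readonly attribute in the browser is the only thing protecting it."""
    if session.email is None:
        return None
    return form_email.strip().lower()  # the verification link is mailed here


def verification_target_hardened(session: SignupSession, form_email: str) -> Optional[str]:
    """Step 2 hardened: the form value is a display hint only. The mail goes to
    the address validated in step 1, and a mismatch aborts the flow."""
    if session.email is None:
        return None
    if form_email.strip().lower() != session.email:
        return None  # tampered request: log it server-side and abort
    return session.email
```

Binding the address to the session closes the bypass in the post; whether control of any mailbox at a listed domain should unlock org-wide features (step 7) is a separate authorization decision.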
Today Cellebrite Case-to-Closure has become a reality. With C2C, we can close cases faster and more defensibly - with complete information. Looking forward to seeing all of you and discovering what's possible at all the user forums, conferences, and different events and webinars coming up this year. #JusticeAccelerated
Welcome to the Future of Digital Investigations. Our Mission: Justice Accelerated. Your Platform: Cellebrite Case-to-Closure (C2C) – A full suite of solutions for each investigative stage, delivering a complete case picture like never before. Learn more about C2C and discover what we have in store for 2024: http://ms.spr.ly/6041iq9bH
Non-competes are on their way out. Are you protecting your confidential information and trade secrets? What policies and processes are in place? Is your business conduct policy clear? Intellectual property training is essential. Do you classify and label emails and documents? Securing key electronic and computer systems? Are your facilities and offices secure? Employment agreements and procedures current? Can you effectively prove that your secrets have value? IP Excellence will provide you with what you need to sleep at night. #ipexcelllence #tradesecrets #noncompetes #employment #iptraining