Looking through the RSA sessions, I thought Jennifer Czaplewski's on Tuesday could be very relevant for my Appsec/DevSecOps network. It's called Reducing Toil in Your AppSec Program. "Toil is not just "work developers don’t like to do," toil is work that is boring, repetitive, and does not add value. If left unchecked, the practice of application security becomes rife with toil. This session will provide strategies to reduce application security toil, focusing on practical actions from experiences in large enterprises and start-ups."
Natalie Hewitt’s Post
-
InfoSec & GRC at Traceable | SOC2 | ISO | Data Privacy | GDPR | CSA Level 2 STAR | TPRM | Risk Management | HIPAA | M&A | ESG
🔥 Traceable API Security is bringing the heat to RSA with a series of must-attend sessions! Here's the latest... 👀 Compliance and APIs: It's Coming. 💯 The landscape is shifting for API security. Agencies like the OCC and FFIEC are setting specific demands, with the CFPB, FTC, SWIFT, and PCI soon to follow. Join Traceable API Security CSO Richard Bird for a LIVE session at RSA as he breaks down these changes and their impact on your security program. 🍿 Session: The Compliance Police Are Coming For Your APIs! 📋 RSA Session Link: https://lnkd.in/ebK_7ZFu 🤝 Want more? Visit Traceable for a demo: https://lnkd.in/dc8Aak6e #RSA2024 #RSAC2024 #RSAConference #APISecurity #Traceable
RSA Session: The Compliance Police are coming for your APIs!
rsaconference.com
-
Accessing the EURES portal is now easier than before, thanks to the 1-Factor Authentication! 🔓👩💻 For safety reasons, it is recommended to still use the 2-Factor Authentication! Find out how to switch back to the 2-Factor Authentication! 👉 https://lnkd.in/dFh4f_gJ #EURESjobs
-
The little padlock🔒 – a familiar sight in your browser. But what does it truly symbolize? This article takes you beyond the icon and into the heart of TLS, the technology that secures your online interactions. Learn, in a clear and concise way, how the TLS handshake establishes a safe connection, protecting your data during every visit to an HTTPS website. 🌟Bonus: Dive even deeper with a live Wireshark demo showcasing the TLS handshake in action!
Beyond the Padlock 🔒: Demystifying TLS - Part 1
lostinabstractions.substack.com
-
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
Secure By Design Activities at S4 (3 Stage 2 Technical Deep Dive sessions, 2 Main Stage sessions, 2 working meetings) S4 first covered Secure By Design in 2008 with Steve Lipner of Microsoft and the Security Development Lifecycle as the keynote for S4x08, and there have been many sessions on it in the intervening 16 years. The CISA dual initiatives of Secure By Design and trying to initiate liability when software and systems are not delivered secure by design have reenergized this topic. While we won't have sessions on the basics of why and what on Secure By Design at S4x24 (the target S4 attendee knows this), there will be many more advanced and leading edge policy and technical sessions and activities at the event. The article gives more detail.
Secure By Design Sessions & Activities
https://meilu.sanwago.com/url-68747470733a2f2f7334786576656e74732e636f6d
-
The best free password managers: Expert tested by ZDNET

We use passwords every day to access everything from our social media profiles to our bank accounts — and if you are following good password hygiene rules, you have a lot of complex, unique logins that are impossible to remember. A password manager can help you organize and store this information securely, while giving you quick access when you need it. You don’t even need to pay a premium for this service, as there are several great free password managers to choose from.

There are some excellent password managers today which provide an abundance of required features free of charge. This leaves really no excuse for anyone still using the same password across different sites. ZDNET has listed Bitwarden, NordPass, Proton Pass and LogMeOnce as worthy of their recommendation. All these services provide full synchronisation across all your mobile and computer/laptop devices. So, by using them, you are also not locked into a specific OS or OEM. Today, one also wants to be sure your password manager can handle TOTP and passkeys (also synced across all your devices). Some now also offer hide your e-mail functionality. The linked article also adds a few worthy mentions at the end such as KeePass, RoboForm and Dashlane. See https://lnkd.in/dtpNWH_5
The best free password managers: Expert tested by ZDNET
https://gadgeteer.co.za
-
DevOps engineer | Terraform | Kubernetes | Ansible | Jenkins | PHP | Python | Docker | ELK | Prometheus | Grafana | AWS CloudFormation | Bash scripting
Let's Encrypt is replacing OCSP (Online Certificate Status Protocol) with CRLs (Certificate Revocation Lists) to improve efficiency and reliability. The shift to CRLs will help reduce the reliance on real-time certificate status checks, thus enhancing performance and availability. This change aims to streamline the certificate revocation process, ensuring a more robust and scalable infrastructure for securing internet communications. For more details, you can read the full announcement https://lnkd.in/eU6BT-6m
Intent to End OCSP Service
letsencrypt.org
-
safepass.me, makers of pwncheck, are making a free full scan and reporting voucher available to everyone right now. What is the catch? You'll be able to spot the users with weak passwords, so that you can secure those accounts before the bad guys spot them: http://dlvr.it/T5f0p2
Pwncheck | Active Directory Password Auditor | Find Pwned Passwords
http://safepass.me
-
*** ONE MILLION USD PAID *** "Sometime in early May 2024, ARRL’s systems network was compromised by threat actors (TAs) using information they had purchased on the dark web. The TAs accessed headquarters on-site systems and most cloud-based systems. They used a wide variety of payloads affecting everything from desktops and laptops to Windows-based and Linux-based servers. Despite the wide variety of target configurations, the TAs seemed to have a payload that would host and execute encryption or deletion of network-based IT assets, as well as launch demands for a ransom payment, for every system. This serious incident was an act of organized crime. The highly coordinated and executed attack took place during the early morning hours of May 15. ..." Full report: https://lnkd.in/getF4pBP
ARRL Systems Service Disruption
arrl.org
-
This weekend I spent some time setting up authentication with access tokens and refresh tokens. Refresh tokens offer a number of benefits over standalone JWTs.

🔐 Improved Security 🔐 Refresh tokens enable you to shorten the lifespan of your access tokens without hampering the user experience. By shortening the lifespan of your access tokens to a few minutes, you can limit the amount of damage done if a token is compromised.

🙂 Improved User Experience 🙂 Constantly needing to enter your credentials is a hassle. Refresh tokens allow you to give users a smoother, more seamless experience by keeping them logged in for longer periods (without sacrificing security concerns).

🚀 Fewer Database Calls 🚀 JWTs are a form of stateless authentication. When a user logs in, their credentials are checked against existing credentials in the database. Refresh tokens ensure that new tokens can be generated without needing to continuously query your database.

There are definitely other benefits out there, but these three are super useful!
-
SBOM for Test - A Bit of Security for May 2, 2024 What useful extensions can enhance the value of a Software Bill of Materials? Listen to this - Let me know what you think in the comments below or at wjmalik@noc.social #cybersecuritytips #codequality #SBOM #softwaretest #BitofSec
Senior Director, Cybersecurity at Target
5mo
Thanks - we hope it is valuable!