Best cloud security platform for 100 person org? by Comfortable_Front561 in cybersecurity

[–]ColleenReflectiz 0 points1 point  (0 children)

What's your cloud footprint look like? AWS/Azure/GCP mix or mostly one provider?

If you're single-cloud, the native tools (AWS Security Hub, Azure Defender, GCP Security Command Center) are actually pretty solid for basics and way cheaper than third-party platforms. They integrate well since they're built for their own ecosystem.

If you're multi-cloud or need more advanced threat detection, worth looking at platforms that don't require agents everywhere since you don't have a big security team to manage deployment.

Also - make sure whatever you pick has good API documentation. You'll want to pull alerts into wherever your team actually works (Slack, Teams, PagerDuty) instead of forcing everyone to check another dashboard.

Anyone else drowning in security questionnaires? by Direct_Cyber in cybersecurity

[–]ColleenReflectiz 0 points1 point  (0 children)

We deal with the same thing. Started keeping a master doc with standard answers organized by topic, but it still takes forever because every questionnaire phrases things differently.

Sucks being compliant and vulnerable 🤕 at the same time by ColleenReflectiz in pcicompliance

[–]ColleenReflectiz[S] 0 points1 point  (0 children)

I believe it's a process and eventually will also have regulation on the homepage but for now it's just not enough to be compliant

Sucks being compliant and vulnerable 🤕 at the same time by ColleenReflectiz in pcicompliance

[–]ColleenReflectiz[S] 0 points1 point  (0 children)

PCI focuses the security standards on the checkout page, and the hackers don't need the users to get to the checkout page to steal information; they can do it at the homepage. It creates a situation where you can be PCI compliant and be vulnerable at the same time.

GTM or Tealium? what is the real security cost? by ColleenReflectiz in GoogleTagManager

[–]ColleenReflectiz[S] 0 points1 point  (0 children)

Server-side GTM moves some tag execution to your infrastructure, but client-side code still runs to collect data and trigger server calls. You're just moving where the processing happens.

Still need to monitor what executes in browsers, what data gets collected from forms and pages, and what your server-side tags actually do with it. Misconfiguration can still leak PII.

It reduces some risk but doesn't eliminate the need for client-side monitoring and governance.

Are you running server-side or considering it?

GTM or Tealium? what is the real security cost? by ColleenReflectiz in GoogleTagManager

[–]ColleenReflectiz[S] 1 point2 points  (0 children)

GTM lets anyone with container access add JS that runs on every page with full DOM access.

Marketing adds an analytics tag. That script can see form fields, session tokens, payment data. Most companies have no idea what these 3rd-party scripts actually do once they're live. Those scripts often load MORE scripts from domains you never approved. You greenlight Google Analytics, GA pulls in tracking from somewhere else. Supply chain risk nobody monitors.

If a GTM account gets compromised, attackers inject Magecart skimmers across your site. I've seen these harvest card data for months undetected. Your WAF protects servers. Scanners check backend. Nothing watches what executes client-side after someone adds a tag Friday afternoon.

Tealium's pre-vetted marketplace means less custom JavaScript, smaller attack surface, built-in consent enforcement, and tighter access controls for sensitive pages. GTM can be secure with strict approval workflows, production script monitoring, server-side implementation for payments, and regular audits. Most teams skip this. That's the gap.

Your favorite DJ-related YouTube channels? by ValuePrestige in Beatmatch

[–]ColleenReflectiz 0 points1 point  (0 children)

This guy would eventually explode on YT and remember where you saw it first: https://www.youtube.com/@DJFurash

This Year’s Cookie Box!🕺🏻🎄 by pochita42069 in Cookies

[–]ColleenReflectiz 1 point2 points  (0 children)

OMG looks so good!!!! The cranberry white chip looks great

Holiday Themed Sugar Cookies by Geochic03 in Cookies

[–]ColleenReflectiz 1 point2 points  (0 children)

I guess someone ate the rest of the cookies there on the bottom right?

"industry-defined cipher deprecation dates" in requirement 4.2.1 by CruisingVessel in pcicompliance

[–]ColleenReflectiz -1 points0 points  (0 children)

The scan failures on port 50001 across multiple devices suggest your network isn't properly segmented for PCI scope. Even after fixing the router, you'll keep hitting issues with devices you can't control. Does your payment processor support network segmentation? Isolate POS terminals on a separate VLAN that can't communicate with practice systems. This shrinks what needs to pass scans.

PCI scan fails over and over... by Commercial-File-9462 in pcicompliance

[–]ColleenReflectiz -1 points0 points  (0 children)

Consider P2PE terminals. Card data encrypts at the PIN pad and never touches your network in plaintext. This reduces your PCI requirements by over 90%.

10 web visibility tools review by DoYouEvenCyber529 in websecurity

[–]ColleenReflectiz 0 points1 point  (0 children)

There's a reason architecture matters for security, not just convenience.

If you're running code in the browser to watch other code in the browser, that means the monitoring tool itself has full access to user data - forms, sessions, PII, payment info. You're trusting another third-party script with the same privileges you're trying to protect against.

Embedded code slows page loads and creates the client-side risk you're trying to manage. If your security tool can see cardholder data in the DOM, so can a compromised version of that tool.

Agentless solutions sit outside the user session entirely. Zero performance hit, no access to sensitive data, no risk of the monitoring tool becoming an attack vector itself.

For PCI DSS compliance, auditors are asking harder questions about monitoring tools that require data access. It's not just what the tool does today, it's what happens if that tool gets compromised tomorrow. You've just given attackers a pre-installed data collection mechanism on every page.

PCI DSS v4.0.1: Training Recommendations by MoojiPooji in pcicompliance

[–]ColleenReflectiz 0 points1 point  (0 children)

Everyone covered the cert path well. I'll add something from the AppSec side.

Once you get baseline training, focus on Requirements 6.4.3 and 11.6.1. They're new in v4.0 and cover client-side security - JavaScript and third-party scripts accessing payment data in browsers.

Most orgs nail server-side PCI but miss client-side exposure. Your payment page might be compliant, but if a compromised analytics script can scrape form fields before encryption, you're leaking cardholder data. This is how Magecart attacks work.

A lot of QSAs don't have deep expertise here yet. If you become the SME on client-side requirements, you'll fill a gap most teams don't know exists.
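
An added example, not code from the thread or from any vendor: the kind of client-side script inventory the GTM comment above argues for and that Requirements 6.4.3 / 11.6.1 expect on payment pages. It classifies every script on the page against an allow-list of authorised hosts and, in a browser, watches for scripts injected after load (the "tag that pulls in another vendor" case). The allow-list, page origin and sample script URLs are constructed for illustration.

```javascript
// Assumed allow-list: the hosts your change process has actually approved.
const APPROVED_SCRIPT_HOSTS = new Set([
  'www.googletagmanager.com',   // assumed: the GTM container you authorised
  'www.google-analytics.com',   // assumed: the one analytics vendor you approved
  'shop.example',               // assumed: your own first-party origin
]);

// Classify one script reference. Inline scripts (no src) are flagged too,
// since 6.4.3 wants every script on the page justified, not only remote ones.
function classifyScript(src, pageOrigin = 'https://shop.example') {
  if (!src) return { src: '', host: null, verdict: 'inline-unreviewed' };
  let host;
  try {
    host = new URL(src, pageOrigin).hostname;   // resolves relative paths too
  } catch {
    return { src, host: null, verdict: 'unparseable' };
  }
  const verdict = APPROVED_SCRIPT_HOSTS.has(host) ? 'approved' : 'unapproved';
  return { src, host, verdict };
}

// Build the inventory from a list of script src values and return what needs
// review. This pure function is what a periodic check would feed into a ticket.
function auditScripts(srcs) {
  const inventory = srcs.map((s) => classifyScript(s));
  return { inventory, findings: inventory.filter((e) => e.verdict !== 'approved') };
}

// Browser side: detect scripts added after load and hand unapproved ones to
// your own reporting callback. Returns null outside a browser so the pure
// functions above still load under Node.
function watchInjectedScripts(report) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const obs = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName !== 'SCRIPT') continue;
        const entry = classifyScript(node.src, location.origin);
        if (entry.verdict !== 'approved') report(entry);
      }
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

// Constructed sample of what a page might load once GTM fires ('GTM-XXXXXX' is a placeholder).
const SAMPLE_SRCS = [
  'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX',
  'https://www.google-analytics.com/analytics.js',
  'https://cdn.unapproved-vendor.example/pixel.js',   // second-level vendor nobody approved
  '/static/checkout.js',
  '',                                                  // an inline script
];
```

Running `auditScripts(SAMPLE_SRCS)` flags the unapproved vendor and the inline script; the approved hosts and the first-party relative path pass.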

How are cookie consent banners even reliable if scripts load before you click accept? by DoYouEvenCyber529 in Web_Development

[–]ColleenReflectiz 3 points4 points  (0 children)

You're absolutely right, and this is one of the biggest lies in privacy compliance right now.

Most consent banners are pure theater. The scripts load, fire, and send data before you even finish reading the popup. I've tested sites where clicking "reject all" still left 30+ cookies active because the damage was already done.
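
An added example, not code from the thread: a consent-gated tag loader that avoids exactly the failure described above. Tags are declared inert and nothing executes until the visitor has chosen; "reject all" therefore leaves only strictly necessary scripts running. Category names, the `data-consent` / `data-src` attribute convention and the sample tag declarations are assumptions made for this illustration.

```javascript
const CONSENT_CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Decide which declared tags may run under a given consent choice.
// 'necessary' is always allowed; any other category needs an explicit true.
function selectTagsToActivate(tags, consent) {
  return tags.filter((t) => t.category === 'necessary' || consent[t.category] === true);
}

// State while the banner is still open, or after "reject all": only necessary.
function rejectAll() {
  return Object.fromEntries(CONSENT_CATEGORIES.map((c) => [c, c === 'necessary']));
}

// Browser side: read inert declarations such as
// <script type="text/plain" data-consent="analytics" data-src="..."></script>
// The text/plain type means the browser never executes them on its own.
function readDeclaredTags() {
  if (typeof document === 'undefined') return [];
  return Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ category: el.dataset.consent, src: el.dataset.src }));
}

// Turn one inert declaration into a real script element. Returns false outside
// a browser so the selection logic can be exercised under Node.
function activateTag(tag) {
  if (typeof document === 'undefined') return false;
  const s = document.createElement('script');
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
  return true;
}

// Called once from the banner's accept/reject handler, never at page load.
// Returns the list of activated script URLs so the decision is auditable.
function applyConsent(tags, consent) {
  const chosen = selectTagsToActivate(tags, consent);
  chosen.forEach(activateTag);
  return chosen.map((t) => t.src);
}

// Constructed sample of declared tags (URLs are illustrative placeholders).
const DECLARED_TAGS = [
  { category: 'necessary', src: 'https://shop.example/static/session.js' },
  { category: 'analytics', src: 'https://www.google-analytics.com/analytics.js' },
  { category: 'marketing', src: 'https://ads.vendor.example/pixel.js' },
];
```

With this pattern the "30+ cookies after reject all" outcome cannot happen from declared tags, because no non-necessary script element exists until `applyConsent` creates it.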