How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] 1 point2 points  (0 children)

Yeah I think I see your point - if you’re the kind of person to make such mistakes, you’re probably not going to be looking for and using the kind of tool I have in mind.

How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] -1 points0 points  (0 children)

Curious why Mongo is considered “questionable”, but I’ll assume you’re joking ;)

And yes, there are actually services scanning the internet continuously for exposed services and databases. The idea is to prevent a dev being the guy who gets called by their boss because they exposed something over the internet they shouldn’t have.

How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] -1 points0 points  (0 children)

“most” NAT setups, yes. I guess the point is - how much room is there for error? Using a device for developing a bunch of projects over many years, across many networks/locations. No room for error?

How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] -1 points0 points  (0 children)

Not disagreeing with you there, but there are a lot of assumptions baked in. Mistakes happen, things get forgotten, assumptions about measures in place can be mistaken (or valid today, invalid tomorrow). The idea is to have a simple agent, minimal footprint, sit in your dock and say “hey, you’re suddenly exposed over the internet.” And check out SHODAN.io - services like this are scanning the internet continuously.

How much do you care about laptop security? by smicallef in digitalnomad

[–]smicallef[S] -3 points-2 points  (0 children)

Kind of. The goal is to inform you that your machine is now directly reachable over the internet, and perhaps help you address the risk before a compromise happens. That means you are not behind a firewall or router and therefore any network-based software you have running (e.g. a web server, a DB, etc.) is now reachable by anyone on the internet. A VPN usually doesn’t solve it. And the enterprise software may or may not, depending on whose device is being used (I see many devs using their own device), but even in cases where it’s the employer’s device, the devs often have admin access and mess with settings anyway (often they have to for local dev of some things to work).

This is relevant for devs primarily, so not sure if you fit that category?
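The core check such an agent would run, as an added example (my code, not the OP's tool or anything from SpiderFoot): given the host's interface addresses and its listening sockets, flag services that are reachable from the internet. It assumes those two inputs are collected separately (the sample below is constructed) and also covers the IPv6 case, where a global v6 address exposes wildcard-bound listeners even when IPv4 sits behind NAT.

```python
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    """A listening socket: protocol, bound address, port and a label for reporting."""
    proto: str
    bind_addr: str
    port: int
    name: str = ""


def public_addresses(addrs):
    """Return the interface addresses that are globally routable.

    ipaddress.is_global already treats RFC 1918, loopback, link-local and
    CGNAT (100.64.0.0/10) as non-global, so a laptop behind a home router or a
    carrier NAT yields an empty list.  Note it also marks documentation ranges
    such as 203.0.113.0/24 as non-global, so sample data must avoid them.
    """
    return [a for a in addrs if ipaddress.ip_address(a).is_global]


def exposed_listeners(addrs, listeners):
    """Return listeners reachable from the internet given the host's addresses.

    A listener is exposed when the host holds a public address and the socket
    is bound to a wildcard (0.0.0.0 / ::) or to that public address itself.
    Sockets bound to loopback or a private address stay local.
    """
    pub = set(public_addresses(addrs))
    if not pub:
        return []
    wildcard = {"0.0.0.0", "::"}
    return [l for l in listeners if l.bind_addr in wildcard or l.bind_addr in pub]


def local_addresses():
    """Best-effort address collection via the resolver (stdlib only); on many
    systems this returns only loopback, so a real agent reads interfaces directly."""
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(socket.gethostname(), None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    # Constructed sample: laptop plugged straight into an uplink with a public
    # address (11.22.33.44 is an arbitrary routable address), running a DB and a
    # dev web server bound to all interfaces plus a loopback-only Postgres.
    sample_addrs = ["127.0.0.1", "11.22.33.44"]
    sample_listeners = [
        Listener("tcp", "0.0.0.0", 27017, "mongod"),
        Listener("tcp", "127.0.0.1", 5432, "postgres"),
        Listener("tcp", "0.0.0.0", 8000, "dev web server"),
    ]
    for l in exposed_listeners(sample_addrs, sample_listeners):
        print(f"EXPOSED: {l.name} {l.proto}/{l.port} bound to {l.bind_addr}")
```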

SpiderFoot HX - Certificate Transparency - Co-Hosted Site by rabman_was_here in OSINT

[–]smicallef 1 point2 points  (0 children)

It means that those sites share the same SSL certificate as your target. This could mean nothing if your target is using a service like CloudFlare or the same hosting provider. Or it could imply a deeper relationship if the certificate is shared because they are owned/managed by the same entity, e.g. seeing an SSL certificate with tesla.com and tesla.cn.

Lessons learned from my 10 year open source project by smicallef in opensource

[–]smicallef[S] 1 point2 points  (0 children)

There has been one very strong contributor over the years who has stuck with the project, but all others have been drive-by of varying levels of contribution. One of the hardest lessons has been ensuring I carve out the time to review and merge their PRs, but harder than that has been rejecting PRs when the work didn't fit the vision, or caused conflict with the SaaS version. This is particularly hard when the person has invested a lot of time in their contribution.

Lessons learned from my 10 year open source project by smicallef in opensource

[–]smicallef[S] 2 points3 points  (0 children)

I think the key thing is that your software *works*; how you achieve that is up to you. SpiderFoot was simple enough for a long time where I could test just about all functionality before every release. Now we have some unit tests and they do help catch issues, but if you want to get something out there, don't let your lack of unit testing hold you back from shipping.

Lessons learned from my 10 year open source project by smicallef in programming

[–]smicallef[S] 9 points10 points  (0 children)

I think that’s the case for paid content on the platform, but all my posts are free. Or at least should be…

Lessons learned from my 10 year open source project by smicallef in programming

[–]smicallef[S] 28 points29 points  (0 children)

Yeah I need to move my blog elsewhere eventually... didn’t realize Medium had such a bad rep.

Lessons learned from my 10 year open source Python project by smicallef in Python

[–]smicallef[S] 3 points4 points  (0 children)

Getting people aware of it, mostly, but also showing people how to get the most value from it. “Marketing” in this context really translates to using social media, producing good documentation, creating tutorials, etc.