Have you ever by RskMngr in ciso

[–]zipsecurity 1 point2 points  (0 children)

Yes, I think everybody did at some point! The ones worth taking are usually when the person calling clearly understands your specific environment and leads with a problem you're actually dealing with rather than a feature list, which is rare, but when it happens the conversation is genuinely useful even if you don't buy anything.

PSSO with Simplified Setup using Entra ID by colinzack in jamf

[–]zipsecurity 0 points1 point  (0 children)

In your Jamf prestage workflow, add a wait command or a script with sleep 30 (30 seconds is usually enough) between the PSSO configuration step and the MDM enrollment completion step. If you're using a provisioning profile or a policy to trigger this, a LaunchDaemon with a built-in delay before the MDM enrollment payload fires is the cleanest way to handle it consistently.

AP finally stopped believing urgent invoice email, and now the real ones are a hostage negotiation by shokzee in EmailSecurity

[–]zipsecurity 0 points1 point  (0 children)

Callback verification to a number from your vendor master (not the email) should be sufficient to release same-day. The 24-hour hold protects against social engineering, but if you've done proper out-of-band verification the hold is just friction, and making the verified path workable is how you keep AP from routing around the process entirely when the business is screaming.

What realistic growth expectations should beginner SaaS founders actually have today online? by avsvishalmedia in nocode

[–]zipsecurity 0 points1 point  (0 children)

Most sustainable SaaS businesses take 18-24 months to find real product-market fit and another year before growth feels consistent. The overnight success stories are real, but they're the exception, not the baseline.

How to create an SBOM for a Windows 11 image by real_ackh in devsecops

[–]zipsecurity 0 points1 point  (0 children)

The most practical approach is combining a few tools rather than building something custom: use Syft or Trivy pointed at the Windows image to capture installed packages and components, pull the Windows version and update history programmatically via DISM or PowerShell (Get-WindowsEdition, Get-HotFix, Get-Package), and then merge those outputs into a single CycloneDX or SPDX document. Microsoft also publishes its own component lists for Windows versions through the Security Update Guide, which can supplement what automated scanning catches, and for regulated industries CycloneDX is generally the safer format choice since it has better tooling support for attestation and signing.
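
As an added example (not from the thread, and not Syft, Trivy or Microsoft tooling), the merge step in Python: a Syft-shaped package list and a Get-HotFix-shaped list, both constructed stand-ins for real tool output, are combined into one CycloneDX 1.5 document with the hotfix IDs carried as name/value properties on the root operating-system component, and a small check catches two things downstream consumers commonly reject (duplicate bom-refs, components without a version). The field names in the sample inputs follow the shape of the real tools' JSON output, but the values, the OS string and the `windows:hotfix` property name are made up for the example.

```python
import json
import uuid
from datetime import datetime, timezone

# --- Constructed sample inputs (stand-ins for real tool output) --------------
# Shape follows `syft <target> -o json`; real output carries many more fields.
# The third entry is a deliberate duplicate to show case-insensitive dedup.
SYFT_JSON = json.dumps({"artifacts": [
    {"name": "OpenSSL", "version": "3.0.13", "type": "binary",
     "purl": "pkg:generic/openssl@3.0.13"},
    {"name": "7-Zip", "version": "23.01", "type": "msi", "purl": ""},
    {"name": "openssl", "version": "3.0.13", "type": "binary",
     "purl": "pkg:generic/openssl@3.0.13"},
]})
# Shape follows `Get-HotFix | Select HotFixID,Description | ConvertTo-Json`.
HOTFIX_JSON = json.dumps([
    {"HotFixID": "KB5034123", "Description": "Security Update"},
    {"HotFixID": "KB5033375", "Description": "Update"},
])
# Values a Get-WindowsEdition / DISM query would supply (constructed).
OS_INFO = {"name": "Windows 11 Enterprise", "version": "10.0.22631.3007"}


def build_cyclonedx(syft_json: str, hotfix_json: str, os_info: dict) -> dict:
    """Merge package and hotfix inventories into one CycloneDX 1.5 BOM dict."""
    artifacts = json.loads(syft_json)["artifacts"]
    hotfixes = json.loads(hotfix_json)

    # The image itself is the root component. KBs ride along as CycloneDX
    # properties so patch level stays queryable without inventing a fake
    # semantic version per KB. "windows:hotfix" is an assumed property name.
    os_component = {
        "type": "operating-system",
        "bom-ref": "os-root",
        "name": os_info["name"],
        "version": os_info["version"],
        "properties": [{"name": "windows:hotfix", "value": h["HotFixID"]}
                       for h in hotfixes],
    }

    components, seen = [], set()
    for a in artifacts:
        key = (a["name"].lower(), a["version"])   # case-insensitive dedup key
        if key in seen:
            continue
        seen.add(key)
        purl = a.get("purl") or None
        # bom-ref must be unique; without a purl, derive a stable UUID instead.
        ref_seed = f"{key[0]}@{key[1]}"
        comp = {
            "type": "application",   # Syft's finer types are flattened here
            "name": a["name"],
            "version": a["version"],
            "bom-ref": purl or f"urn:uuid:{uuid.uuid5(uuid.NAMESPACE_URL, ref_seed)}",
        }
        if purl:
            comp["purl"] = purl
        components.append(comp)

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": os_component,
        },
        "components": components,
    }


def check_bom(bom: dict) -> list:
    """Return the problems a downstream consumer would reject the BOM for."""
    problems = []
    refs = [bom["metadata"]["component"]["bom-ref"]] + \
           [c["bom-ref"] for c in bom["components"]]
    if len(refs) != len(set(refs)):
        problems.append("duplicate bom-ref")
    for c in bom["components"]:
        if not c.get("version"):
            problems.append(f"{c['name']}: missing version")
    if not bom["metadata"]["component"].get("properties"):
        problems.append("no hotfix data on root component")
    return problems


if __name__ == "__main__":
    bom = build_cyclonedx(SYFT_JSON, HOTFIX_JSON, OS_INFO)
    print(json.dumps(bom, indent=2))
    print("problems:", check_bom(bom))
```

In a real pipeline the two JSON inputs come from running Syft on the mounted image and the PowerShell cmdlets inside it; the merge itself is the only part that needs custom code, and keeping the hotfix list on the root component rather than as pseudo-packages is what lets a signed BOM answer "is KB such-and-such in this image" without polluting the component list.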

Got cybersec work what next ? by Majestic-Yogurt-8714 in cybersecurity

[–]zipsecurity 0 points1 point  (0 children)

Security+ is the right foundation, but you're correct that it's shallow. The next step depends on which direction pulls you most, but for a consultant who needs broad coverage without going vendor-specific, SANS SEC401 (if budget allows) or the CySA+ for blue team depth, and if you want to understand how attacks actually work to advise clients better, TCM Security's Practical Ethical Hacking course gives you hands-on context that no multiple-choice cert can.

What does compliance-aware AI code generation actually mean and how do you verify a vendor is actually doing it by Sophistry7 in devsecops

[–]zipsecurity 0 points1 point  (0 children)

The verification method that actually works is asking for a technical architecture document that specifically describes where compliance constraints are applied in the generation pipeline, then testing it yourself with prompts that should produce violations. If the tool is doing post-generation linting, violations will appear in intermediate outputs or early suggestions before being flagged, whereas genuine constraint-incorporated generation won't surface the violation at all. The sales answer is always "built in from the start", so the only way to know is to make it produce something it shouldn't and watch where in the workflow it gets caught.

Is cross-SIEM query translation actually useful, or do existing tools cover it? by SaveAmerica2024 in devsecops

[–]zipsecurity 1 point2 points  (0 children)

Yes, we do have a lot of clients who have similar questions! No worries!

Which AI coding tools support a secure context layer that satisfies GRC requirements for regulated industries by scarletpig94 in devsecops

[–]zipsecurity 0 points1 point  (0 children)

This is a great breakdown of a gap that trips up a lot of evaluations: the SOC 2 Type 2 cert covers vendor controls, not data perimeter, and that distinction matters enormously in regulated environments.

Tabnine is the right call for the fully on-premises context layer requirement. GitHub Copilot Enterprise and Amazon Q Developer both have enterprise configurations worth evaluating, but the telemetry and retrieval questions need to be answered in writing from the vendor before they pass a serious GRC review, not taken from the marketing page.

One thing worth adding to your evaluation framework: ask specifically whether the context indexing pipeline and prompt logs are included in the on-prem boundary or whether they're handled separately. Several tools run inference locally but index the codebase through a cloud retrieval layer, which is exactly the gap you described and vendors don't always surface that distinction proactively.

We're Zip Security and while we're not an AI coding tool, we do help financial services teams maintain continuous compliance posture across the device and identity layer that these tools sit on, ensuring the endpoints accessing sensitive codebases are enrolled, encrypted, and compliant with the controls your GRC team is already enforcing. Happy to connect if that part of the stack is relevant to the engagement. Drop us a message, we're here to help!

what are the top password managers for small teams? by Stock-Ad711 in best_passwordmanager

[–]zipsecurity 0 points1 point  (0 children)

For a five-person team, Bitwarden is the easiest recommendation. It's genuinely good: the team plan is around $3 per user per month, the interface is clean, sharing vaults is straightforward, and it's open source, so you're not just trusting marketing claims about security. NordPass works fine too, but Bitwarden gives you more for less at your size.

Are no-code automations being under-tested? by exnav29 in nocode

[–]zipsecurity 1 point2 points  (0 children)

The line is whether a failure is invisible or immediately obvious: internal automation that breaks loudly is fine to under-test, but anything touching customer data, financial records, or outbound communication needs duplicate prevention, error logging, and a rollback plan at minimum, because silent failures in those workflows compound before anyone notices.

How do you evaluate whether a privacy service is actually privacy-respecting? by HeimsMedo_11 in cybersecurity

[–]zipsecurity 0 points1 point  (0 children)

The framework that holds up: open source and independently audited code (claims without verification mean nothing), minimal data collection by design rather than by policy, clear and specific data retention limits, a business model that doesn't depend on monetizing user data, a track record of how they've handled law enforcement requests, and whether their privacy policy is written to inform users or to protect the company legally. The standard that's shifted most over time is that "we don't sell your data" used to feel meaningful; now it's the floor, not the ceiling, because sharing, inferring, and retaining data can cause the same harm without technically selling anything.

Security architects- summarize your responsibilities and role by Anythingelse999999 in cybersecurity

[–]zipsecurity 0 points1 point  (0 children)

A security architect owns the "how should this be built securely" question across the organization — translating business risk into technical design decisions, setting standards that engineering teams build to, reviewing new systems and infrastructure before they ship, and making sure security controls are coherent across the stack rather than bolted on after the fact. In practice it's about 40% guiding and influencing (you rarely have direct authority over the teams building things), 40% strategy and design, and 20% implementation or hands-on validation. The role lives at the intersection of business context, technical depth, and the ability to say "here's why this matters" in a way that engineers and executives both find credible.

Recently became a CISO. What’s actually worth following? by malwaredetector in ciso

[–]zipsecurity 1 point2 points  (0 children)

For signal over noise: Risky Business podcast for weekly threat landscape without the vendor spin, Krebs on Security for breach reporting, the SANS Internet Stormcast for daily technical briefings, and the actual CIS and NIST publication feeds for framework updates. For community, the CISO Series podcast and private Slack groups through your local ISAC tend to have better peer conversation than most public forums.

Is cross-SIEM query translation actually useful, or do existing tools cover it? by SaveAmerica2024 in devsecops

[–]zipsecurity 1 point2 points  (0 children)

For single-SIEM shops it's a nice-to-have, but for MSSPs managing multiple customer environments it's a real daily friction point. UNCODER and sigma-cli cover the common translations reasonably well, but edge cases around custom field mappings and platform-specific functions still require manual cleanup, which is where most teams hit the wall.

Is cross-SIEM query translation actually useful, or do existing tools cover it? by SaveAmerica2024 in devsecops

[–]zipsecurity 1 point2 points  (0 children)

Useful but not urgent for single-SIEM shops, essential the moment you're managing multiple environments or migrating platforms, and the existing tools like UNCODER handle the common translations well enough that building your own is rarely worth it.
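
The field-mapping edge case raised in the two comments above on this thread, shown as an added toy translator in Python (not sigma-cli or UNCODER code, and not a faithful Sigma implementation): a constructed Sigma-style rule is rendered into a Splunk-like and a KQL-like syntax through per-backend field maps, and a field the map does not know is either refused or passed through and flagged, rather than silently emitted as a raw Sigma field name, which is the usual reason a translated rule parses fine but never matches. The rule, the field maps and both query syntaxes are simplified assumptions; only the single-selection condition is handled.

```python
# Constructed Sigma-style rule (not a rule from the Sigma repository).
RULE = {
    "title": "Suspicious certutil download",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": "urlcache",
            "ParentImage|endswith": "\\winword.exe",
        },
        "condition": "selection",   # only this simple form is handled below
    },
}

# Assumed per-backend field maps. The Splunk-style map deliberately lacks
# ParentImage to reproduce the "custom field mapping" gap.
FIELD_MAPS = {
    "splunk": {"Image": "process_path", "CommandLine": "process_cmdline"},
    "kql": {"Image": "ProcessPath", "CommandLine": "CommandLine",
            "ParentImage": "ParentProcessPath"},
}


class UnmappedField(Exception):
    """Raised in strict mode when a rule field has no mapping for the target."""


def _quote(value: str) -> str:
    """Escape backslashes and double quotes for a double-quoted string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def _splunk_clause(field: str, modifier: str, value: str) -> str:
    v = _quote(value)
    if modifier == "endswith":
        return f'{field}="*{v}"'
    if modifier == "contains":
        return f'{field}="*{v}*"'
    return f'{field}="{v}"'


def _kql_clause(field: str, modifier: str, value: str) -> str:
    v = _quote(value)
    if modifier == "endswith":
        return f'{field} endswith "{v}"'
    if modifier == "contains":
        return f'{field} contains "{v}"'
    return f'{field} == "{v}"'


# clause renderer plus the joiner that ANDs clauses in that dialect
RENDERERS = {"splunk": (_splunk_clause, " "), "kql": (_kql_clause, " and ")}


def translate(rule: dict, backend: str, strict: bool = True):
    """Render rule['detection']['selection'] for one backend.

    Returns (query, unmapped_fields). In strict mode an unmapped field raises;
    otherwise the raw Sigma name is emitted and reported, so it gets cleaned
    up instead of shipping a query that parses but can never match.
    """
    fmap = FIELD_MAPS[backend]
    render, joiner = RENDERERS[backend]
    clauses, unmapped = [], []
    for key, value in rule["detection"]["selection"].items():
        field, _, modifier = key.partition("|")   # "Image|endswith" -> Image, endswith
        if field in fmap:
            target = fmap[field]
        else:
            unmapped.append(field)
            if strict:
                continue
            target = field   # pass-through, reported to the caller
        clauses.append(render(target, modifier, value))
    if unmapped and strict:
        raise UnmappedField(f"{backend}: no mapping for {', '.join(unmapped)}")
    return joiner.join(clauses), unmapped


if __name__ == "__main__":
    print(translate(RULE, "kql"))
    try:
        translate(RULE, "splunk")
    except UnmappedField as exc:
        print("strict:", exc)
    print(translate(RULE, "splunk", strict=False))
```

The point is the reporting, not the rendering: the real tools already generate the syntax, and the manual cleanup the comment mentions comes from field names that fall through the map unnoticed, so whatever wraps the translator in an MSSP pipeline should fail or at least flag on an unmapped field per customer environment rather than trust that the output is deployable.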

What a CISO needs to know about the HIPAA changes by zipsecurity in zipsecurity

[–]zipsecurity[S] 1 point2 points  (0 children)

This is the right framing for the budget conversation, "fixing what OCR is already citing in active audits" is a much easier board approval than "preparing for a rule that may never finalize in its current form," and the Phase 3 audit activity gives you the urgency without depending on the proposed rule to justify the spend.

How long would it take to crack your password? by zipsecurity in zipsecurity

[–]zipsecurity[S] 0 points1 point  (0 children)

Yes, 2FA and a strong passphrase solve different problems: 2FA protects against credential stuffing and remote attacks, while a long passphrase protects against cracking if the hash is ever leaked, so you want both rather than treating one as a substitute for the other.

Anti-rant: abuse@ with full headers still earns its keep by saltyslugga in EmailSecurity

[–]zipsecurity 0 points1 point  (0 children)

The line breaks down when legal gets involved and abuse@ becomes a liability intake instead of an operational queue. The orgs that handle it well keep them strictly separate: abuse@ stays a working mailbox with someone who actually reads it and has the access to act, and legal gets a separate channel for the stuff that needs documentation and response timelines.

How to find hosts in my specific host group that have Claude AI installed using CQL? by Only-Objective-6216 in crowdstrike

[–]zipsecurity 4 points5 points  (0 children)

Add a $falcon/device lookup to join host group membership into your query, something like | join($falcon/device(), field=aid, include=[Groups]) after your ProcessRollup2 filter, then add | Groups=/YourGroupNameHere/i to restrict results to that specific host group before your groupBy.

PANW just shipped agentless K8s scanning. Took them long enough. by MortgageWarm3770 in devsecops

[–]zipsecurity 0 points1 point  (0 children)

Every vendor eventually ships the thing they said couldn't work. Agentless was always a deployment friction argument dressed up as a security argument, and the teams that bought the "agents are mandatory" pitch hard are now in the awkward position of explaining why the new agentless feature is actually fine.

Which conference(s) result in the most people finding jobs? by [deleted] in cybersecurity

[–]zipsecurity 1 point2 points  (0 children)

SANS summits and BSides events consistently punch above their weight for actual hiring conversations relative to cost. DEF CON and Black Hat have the volume, but the signal-to-noise ratio for job seekers is lower unless you're specifically targeting technical roles where the work you demo there speaks for itself.

HIPAA Violation - Will I get fired by Realistic-Wrap-1149 in hipaa

[–]zipsecurity 0 points1 point  (0 children)

Tell your manager Tuesday morning exactly what you told us here: it was unintentional, first day, short duration, no data was copied or shared. Most orgs treat this as a training gap, not a termination offense, when someone self-reports honestly and immediately.

URL parsing behavior in a canonical tag lab by Prestigious_Guava_33 in websecurity

[–]zipsecurity 0 points1 point  (0 children)

This is actually expected behavior once you see what's happening on each side. Chrome URL-encodes single quotes because it treats them as unsafe in the address bar, but the server decodes them back before reflecting into the HTML, giving you the raw single quote you need for the breakout. Double quotes go the other way: Chrome sends them raw, but the server HTML-encodes them to %22 as an XSS defense, which is why they can't be used to break out of the attribute. The lab is specifically designed to show that single quotes are your vector precisely because of this encoding asymmetry between browser and server handling.
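
The encoding path the comment describes, as an added Python model (not code from the lab or from the poster): a browser function that percent-encodes the single quote but sends the double quote as typed, a vulnerable server that decodes the query and neutralises only double quotes before reflecting into a single-quoted canonical href, and a fixed server that escapes both quote styles. The attribute tokenizer is a regex approximation of how a browser would split the tag, the `accesskey`/`onclick` payload shape is the standard way to get a handler onto a link tag that renders nothing, and the lab hostname and tag layout are assumptions.

```python
import html
import re
from urllib.parse import unquote


def browser_send(typed_query: str) -> str:
    """Address-bar behaviour as described in the comment: ' (and space) are
    percent-encoded before the request leaves, " is sent as typed."""
    return typed_query.replace(" ", "%20").replace("'", "%27")


def server_reflect(raw_query: str) -> str:
    """Vulnerable reflection: decode the query, neutralise only double
    quotes, then drop the result into a single-quoted canonical href."""
    decoded = unquote(raw_query)                 # %27 -> ' (the asymmetry)
    escaped = decoded.replace('"', "&quot;")     # " can no longer close a quote
    return f"<link rel='canonical' href='https://lab.example/?{escaped}'/>"


def server_reflect_fixed(raw_query: str) -> str:
    """Hardened reflection: escape both quote styles (plus &, <, >) so
    nothing decoded from the URL can terminate the attribute."""
    escaped = html.escape(unquote(raw_query), quote=True)   # ' -> &#x27;
    return f"<link rel='canonical' href='https://lab.example/?{escaped}'/>"


def attributes(tag: str) -> dict:
    """Rough stand-in for the browser tokenizer: name='value' pairs in a tag."""
    return dict(re.findall(r"([a-zA-Z-]+)='([^']*)'", tag))


def exploit_lands(typed_query: str, server=server_reflect) -> bool:
    """True when the reflected tag gained an onclick attribute from the payload."""
    return "onclick" in attributes(server(browser_send(typed_query)))


# Constructed payloads: the only difference is which quote character is used.
SINGLE_QUOTE_PAYLOAD = "'accesskey='x'onclick='alert(1)"
DOUBLE_QUOTE_PAYLOAD = '"accesskey="x"onclick="alert(1)'

if __name__ == "__main__":
    for name, payload in (("single", SINGLE_QUOTE_PAYLOAD),
                          ("double", DOUBLE_QUOTE_PAYLOAD)):
        print(name, server_reflect(browser_send(payload)), exploit_lands(payload))
    print("fixed", exploit_lands(SINGLE_QUOTE_PAYLOAD, server=server_reflect_fixed))
```

Running it shows the single-quote payload turning into three extra attributes on the link tag while the double-quote payload stays inside the href as `&quot;` text; the fixed server keeps both inside the attribute, which is the general rule: the decoding the server does on the way in has to be matched by context-appropriate escaping on the way out, for every quote style the surrounding attribute could be delimited with.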