Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables

Posted by Andrew Cooper on Nov 12

Data are leaked into the PVShim guest, but it is the shim Xen
(exclusively) which has access to the ACPI tables.

The guest which has been shim'd can't architecturally access the leaked
data.

~Andrew

Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables

Posted by Demi Marie Obenour on Nov 12

Is this unconditional (perhaps because the relevant data gets zeroed out
by the shim), or does it only apply when the PV guest can't extract data
from the shim's memory? For instance, 32-bit PV guests aren't security
supported anymore, but the PV shim isn't supposed to rely on the
security of the shim itself, only of the rest of the system.

Roof Mount System Secures Solar Racks, HVAC Equipment, and More

OMG Roofing Products has introduced the PowerGrip Plus roof mount system, a watertight structural attachment system used to secure solar racks, HVAC, and other equipment to roofs covered with thermoplastic (TPO and PVC) membranes.

Building Automation Systems Offer Comfort, Efficiency, and Security

HVAC has a critical role to play in the future of building automation and digitalization.

Preparing For Emerging Cybersecurity Attacks Against Chillers

When it comes to this piece of critical infrastructure, operators need to be prepared to face new and sophisticated attacks.

Furnace Red Tag Second Opinions

There are plenty of reasons to shut down a potentially dangerous furnace, just make sure the facts back up that decision.

Effectively Navigating Red Tag Second Opinions on Furnaces

If contractors don’t have a plan in place to handle red tag furnace second opinions, they can expect some mistakes.

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management

Posted by CISA on Mar 21

Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management [...

Apple Releases Security Updates for Multiple Products

Posted by CISA on Mar 28

Apple Releases Security Updates for Multiple Products [ https://www.cisa.gov/news-events/alerts/2023/03/28/apple-releases-security-updates-multiple-products ] 03/28/2023 01:00 PM EDT

Apple...

Old Infosec Talks: Metlstorm's Take on Hacky Hacking

Posted by Dave Aitel via Dailydave on Oct 31

The Anatomy of Compromise

One of my demented hobbies is watching old infosec talks and then seeing
how well they hold up to modern times. Recently I excavated Metlstorm's
2017 BSides Canberra
<https://www.youtube.com/watch?v=OjgvP9UB9GI&list=TLGGvAY1CcIr-AcyNjEwMjAyNA>
talk on "How people get hacked" - a pretty generic topic that gives a lot
of room for opinion, and one a lot of people have opined on, but the talk
itself...

Episode 66: Gary McGraw on Security

This episode features an interview with the software security expert Gary McGraw. Gary explains why this topic is so important and gives several examples of security deficiencies he found in the past. The second half of the interview is about his latest book 'Exploiting Online Games', where he explains how online games are hacked and why this is relevant to everybody, not only gamers in their 'First Life'.

Episode 128: Web App Security with Bruce Sams

The majority of hacker attacks (70 %) are directed at weaknesses that are the result of problems in the implementation and/or architecture of the application. This session shows how you can protect your web applications (J2EE or .NET) against these attacks. The session covers lots of practical examples and techniques for attack. Furthermore, it shows strategies for defense, including a "Secure Software Development Lifecycle". A "Live Hacking" demo rounds it out. This is a session recorded live at OOP 2009. SE Radio thanks Bruce, SIGS Datacom and the programme chair, Frances Paulisch, for their great support!

Episode 141: Second Life and Mono with Jim Purbrick

In the first part of this episode we discuss a couple of basics about SecondLife (scaling, partitioning, etc). The second part specifically looks at how the dev team tackled a number of interesting problems in the context of executing their own LSL scripting language on top of Mono.

SE-Radio Episode 288: DevSecOps

Francois Raynaud and Kim Carter cover moving to DevSecOps from traditional delivery approaches: shifting the security focus up front, and building a development team that has not only development specialties but also security and operations.

SE-Radio Episode 290: Diogo Mónica on Docker Security

Docker Security Team lead Diogo Mónica talks with SE Radio’s Kim Carter about Docker Security aspects. Simple Application Security, which hasn’t changed much over the past 15 years, is still considered the most effective way to improve security around Docker containers and infrastructure. The discussion explores characteristics such as Immutability, the copy-on-write filesystem, as well as orchestration principles that are baked into Docker Swarm, such as mutual TLS/PKI by default, secrets distribution, least privilege, content scanning, image signatures, and secure/trusted build pipelines. Diogo also shares his thoughts around the attack surface of the Linux kernel; networking, USB, and driver APIs; and the fact that application security remains more important to focus our attention on and get right.

SE-Radio Episode 302: Haroon Meer on Network Security

Founder of Thinkst, Haroon Meer talks with Kim Carter about Network Security. Topics include how attackers are gaining footholds into our networks, moving laterally, and exfilling our precious data, as well as why we care and what software engineers can do about it.

SE-Radio Episode 309: Zane Lackey on Application Security

Founder of Signal Sciences, Zane Lackey talks with Kim Carter about Application Security: what our top threats are today, culture, threat modelling, and visibility, and how we can improve our security stature as Software Engineers.

SE-Radio Episode 311: Armon Dadgar on Secrets Management

Armon Dadgar speaks to Matthew Farwell about Secrets Management.

SE-Radio Episode 314: Scott Piper on Cloud Security

Scott Piper and Kim Carter discuss Cloud Security: the Shared Responsibility Model; assets, risks, and countermeasures; and evaluation techniques for comparing the security stature of CSPs. Scott discusses his FLAWS CTF engine, and they cover the tools Security Monkey and StreamAlert.

Episode 376: Justin Richer On API Security with OAuth 2

Justin Richer, lead author of the OAuth2 In Action book, discusses the key technical features of the OAuth2 authorization protocol and the current best practices for selecting the right parts of it for your use case.

Episode 378: Joshua Davies on Attacking and Securing PKI

Joshua Davies discusses TLS, vulnerabilities in the PKI, and the evolution of the PKI to make it more secure, with host Robert Blumen.

Episode 383: Neil Madden On Securing Your API

Neil Madden, author of the API Security in Action book, discusses the key requirements needed to secure an API, the risks to consider, models to follow, and which task is the most important.

Episode 389: Ryan Singer on Basecamp's Software Development Process

Ryan Singer on Basecamp’s “Shape Up” software development process. Basecamp has ditched the backlog and 2-week sprint in favor of solution “shaping” and strategic 6-week projects, using tools like scope mapping, checklists, and hill charts to understand and reduce risk.

SE-Radio Episode 390: Sam Procter on Security in Software Design

Sam Procter of the SEI discusses architecture design languages, specifically Architecture Analysis and Design Language, and how we can leverage the formal modeling process to improve the security of our application design and improve applications overall.

Episode 395: Katharine Jarmul on Security and Privacy in Machine Learning

Katharine Jarmul of DropoutLabs discusses security and privacy concerns as they relate to Machine Learning. Host Justin Beyer spoke with Jarmul about attack types and privacy-protected ML techniques.

Episode 404: Bert Hubert on DNS Security

Bert Hubert, author of the open source PowerDNS nameserver, discusses DNS security and all aspects of the Domain Name System, with its flaws and history.

Episode 427: Sven Schleier and Jeroen Willemsen on Mobile Application Security

Sven Schleier and Jeroen Willemsen from the OWASP Mobile Application Security Verification Standard and Testing Guide project discuss mobile application security and how the verification standard and testing guide can be used to improve your app’s...

Episode 453: Aaron Rinehart on Security Chaos Engineering

Aaron Rinehart, CTO of Verica and author, discusses security chaos engineering (SCE) and how it can be used to enhance the security of modern application architectures.

Episode 467: Kim Carter on Dynamic Application Security Testing

Kim Carter of BinaryMist discusses Dynamic Application Security Testing (DAST) and how the OWASP purpleteam project can improve early defect detection. Host Justin spoke with Carter about how DAST can provide meaningful feedback loops to developers...

Episode 475: Rey Bango on Secure Coding Veracode

Rey Bango, Senior Director of Developer and Security Relations at Veracode, discusses secure coding with host Priyanka Raghavan.

Episode 541: Jordan Harband and Donald Fischer on Securing the Supply Chain

Open source developers Jordan Harband and Donald Fischer join host Robert Blumen for a conversation about securing the software supply chain, especially open source. They start by reviewing supply chain security concepts, particularly as related to open..

SE Radio 568: Simon Bennetts on OWASP Dynamic Application Security Testing Tool ZAP

Simon Bennetts, a distinguished engineer at Jit, discusses one of the flagship projects of OWASP: the Zed Attack Proxy (ZAP) open source security testing tool. As ZAP’s primary maintainer, Simon traces the tool's origins and shares some anecdotes with SE Radio host Priyanka Raghavan on why there was a need for it. They take a deep dive into ZAP’s features and its ability to integrate with CI/CD, as well as shift security left. Bennetts also considers what it takes to build a successful open source project before spending time on ZAP’s ability to script to provide richer results. Finally, the conversation ends with some questions on ZAP’s future in this AI-powered world of bots.

SE Radio 575: Nir Valtman on Pipelineless Security

Nir Valtman, co-Founder and CEO at Arnica, discusses pipelineless security with SE Radio host Priyanka Raghavan. They start by defining pipelines and then consider how to add security. Nir lays out the key challenges in getting good code coverage with the pipeline-based approach, and then describes how to implement a pipelineless approach and the advantages it offers. Priyanka quizzes him on the concept of "zero new hardcoded secrets," as well as some ways to protect GitHub repositories, and Nir shares examples of how a pipelineless approach could help in these scenarios. They then discuss false positives and handling developer fatigue in dealing with alerts. The show ends with some discussion around the product that Arnica offers and how it implements the pipelineless methodology.

SE Radio 578: Ori Mankali on Secrets Management using Distributed Fragments Cryptography

In this episode, Ori Mankali, senior VP of engineering at cloud security startup Akeyless, speaks with SE Radio’s Nikhil Krishna about secrets management and the innovative use of distributed fragment cryptography (DFC). In the context of enterprise IT, 'secrets' are crucial for authentication in providing access to internal applications and services. Ori describes the unique challenges of managing these sensitive data, particularly given the complexities of doing so on a large scale in substantial organizations. They discuss the necessity for a secure system for managing secrets, highlighting key features such as access policies, audit capabilities, and visualization tools. Ori introduces the concept of distributed fragment cryptography, which boosts security by ensuring that the entire secret is never known to any single entity. The episode explores encryption and decryption and the importance of key rotation, as they consider the challenges and potential solutions in secrets management.

SE Radio 584: Charles Weir on Ruthless Security for Busy Developers

Charles Weir—developer, security researcher, and Research Fellow at Security Lancaster—joins host Giovanni Asproni to discuss an approach that development teams can use to create secure systems without wasting effort on unnecessary security work. The episode starts with a broad description of the approach, which is based on Weir's research and on a free Developer Security Essentials workshop he created. Charles presents some examples from real-world projects, his view on AI's impact on security, and information about the workshop and where to find the materials. During the conversation, they consider several related topics including the concept of "good enough" security; security as a product decision; risk assessment, classification, and prioritization; and how to approach security in startups, greenfield, and legacy systems.

SE Radio 613: Shahar Binyamin on GraphQL Security

Shahar Binyamin, CEO and co-founder of Inigo, joins host Priyanka Raghavan to discuss GraphQL security. They begin with a look at the state of adoption of GraphQL and why it's so popular. From there, they consider why GraphQL security is important as they take a deep dive into a range of known security issues that have been exploited in GraphQL, including authentication, authorization, and denial of service attacks with references from the OWASP Top 10 API Security Risks. They discuss some mitigation strategies and methodologies for solving GraphQL security problems, and the show ends with discussion of Inigo and Shahar's top three recommendations for building safe GraphQL applications. Brought to you by IEEE Software and IEEE Computer Society.

SE Radio 640: Jonathan Horvath on Physical Security

Jonathan Horvath of Z-bit discusses physical access control systems (PACS) with host Jeremy Jung. They start with an overview of PACS components and discuss the proprietary nature of the industry, the slow pace of migration to open standards, and why Windows is commonly used. Jonathan describes the security implications of moving from isolated networks to the cloud, as well as credential vulnerabilities, encryption using symmetric keys versus asymmetric keys, and the risks related to cloning credentials. They also consider several standards, including moving from Wiegand to the Open Supervised Device Protocol (OSDP), as well as the Public Key Open Credential (PKOC) standard, and the open source OSDP implementation that Jonathan authored.

Brought to you by IEEE Computer Society and IEEE Software magazine.

The art of determining the right cross-section of low voltage conductors

To be clear at the beginning of this article, determining the cross-section of conductors and cables is, for sure, not the most exciting part of electrical design. There are much more challenging and more exciting parts than staring at endless...

The post The art of determining the right cross-section of low voltage conductors appeared first on EEP - Electrical Engineering Portal.

New Year's Resolution: Secure Your Assessment System

It's unbelievable that 2016 is here and the school year is half over, but that also means we are closer to the busiest time of year for those of us in the assessment industry.

I hope everyone has created and follows a secure assessment policy, but if not, John Kleeman, founder of Questionmark, created Ten tips for Securing Your Assessment System, which provides a secure foundation for your assessment system.  It seems security breaches most often occur as we get busy and are more prone to creating shortcuts in our work, but a "system" should help minimize these errors.  Please read John's post in its entirety and address any weaknesses in your assessment security:

What can you do to make your assessment system more secure? How can you avoid a disruptive data breach where people’s personal information is disclosed? Using a vendor who takes security seriously reduces risk, as I wrote in my blog article Eight ways to check if security is more than skin deep. But security involves both vendor and user. This post gives ten good practice tips on how you as a user or administrator of an assessment system can reduce the risk of data breaches.

1. Don’t give yourself or other administrators unnecessary privileges. Follow the principle of least privilege. It may sound counter-intuitive, but most administrative users don’t need access to all capabilities and data within your system. Limiting access reduces the impact of a data breach if an account is compromised or someone makes a mistake. If you are using Questionmark, allocate appropriate roles to limit people to what they need.

2. When someone leaves the project or organization, remove their access. Don’t allow someone who has left your team to still have access to your assessment data.

3. Follow good password security. Do not share passwords between people. Do not use the same password for two accounts. Choose strong passwords and change them periodically. If someone asks you for your password, never, ever give it. And if a web page doesn’t look right, don’t type your password into it.

4. Install all the patches and secure the system. A common cause of security breaches is failing to install the latest versions of software, and attackers exploit known vulnerabilities. You need to be proactive and always install the latest version of system and application software, set up good technical security and follow the vendor’s recommendations.

If you haven’t got the time or resources to do this properly, move to a cloud solution. In a cloud SaaS solution like Questionmark OnDemand, the vendor is responsible for updating Windows, updating the application, monitoring security and ensuring that everything is up to date.

5. Install good quality antivirus / anti-malware software. Reportedly there are nearly a million new or variant malware and viruses produced each day. Protect your computer and those of your co-workers with up to date, professional software to address this threat.

6. Protect any downloaded data. Questions, assessments and reports on results are generally safer on a server or in an on-demand service than on a workstation. If you need to download data locally, set up security procedures to protect it and try to ensure that any download is temporary only.

7. Dispose of data properly. Deleting a file on a computer doesn’t erase the data; it simply erases the index to it. If you use a reputable service like Questionmark OnDemand, if a disk is repaired or reaches end of life, it will be securely destroyed, for example by degaussing. But if you download data locally or use installable software to manage your assessments, you need to do this yourselves. A recent study suggested that about half of used hard drives sold online contain residual data. Make sure this is not your assessment data!

8. Be careful about clicking on a link or attachment in an email. Phishing attacks use email or malicious websites (clicking on a link) to collect sensitive information or infect your machine with malware and viruses. Such attacks could even be aimed at your organization or assessment activity directly (this is called spear phishing!). Think before clicking.

9. Be aware of social engineering. Social engineering is when someone tries to trick you or someone else into a security breach. For example someone might ring up and claim to be a student who wants their results, but really is an imposter. Or someone might spoof an email from your boss asking for the questions for the next test to review. Be wary of strange phone calls or emails that ask for something urgent. If something seems suspicious, clear it with a security professional before you give them info or ask a caller to hang up and call them back on an official number.

10. Conduct security awareness training. If you’re not already doing this, organize training sessions for all your authors, proctors, administrators and other users to help them be security aware. If you can, deliver tests after the training to check understanding. Sharing this blog article with your co-workers would be a great way to start.

Secondary equipment you should always consider when retrofitting existing HV substation

This approach assumes retrofitting and upgrading old substation secondary equipment such as intelligent electronic devices (IEDs), monitoring sensors, power apparatus, communication protocol and operating standards to improve the overall performance or reduce cost without disrupting the continuity of service. For...

The post Secondary equipment you should always consider when retrofitting existing HV substation appeared first on EEP - Electrical Engineering Portal.

Adele Blanc-Sec Screening

FREE schools preview screening of the film 'Adele Blanc-Sec'

The Adventures of TinTin: The Secret of the Unicorn

Online support materials for the interactive educational CD-Rom aimed at 7 - 13 year olds to accompany the cinema release of The Adventures of TinTin: The Secret of the Unicorn

Secret of Kells Film Week screening

Tue 16 Oct: Secret of Kells + Storyteller introduction at the Clevedon Curzon

Witney Eleanor's Secret Cineschool screening

Screening of Eleanor's Secret as part of Cineschool 2013

Wrexham Adele Blanc Sec Cineschool screening

Free screening of Adele Blanc Sec for Wrexham secondary schools

Field secrets and warnings in power transformer mechanical check and visual inspection

Let’s discuss the visual and mechanical inspection procedures for oil-filled power transformers. It’s important, very important to examine a variety of key checkpoints, both external and internal to transformers, all based on the IEC 60076 standard. Each item on the...

The post Field secrets and warnings in power transformer mechanical check and visual inspection appeared first on EEP - Electrical Engineering Portal.

CRDN Ranks Among the Largest Franchise Systems in the U.S., Securing Spot on the 2024 Franchise Times Top 400 List

CRDN moves up on the 2024 Franchise Times Top 400 list, ranking third in sales growth within the Disaster Restoration category. Securing an overall ranking of 243, up from 278 in 2023, CRDN continues to showcase its growth and leadership in the restoration industry.

Artificial Intelligence for transportation & security

Rapid urbanisation, coupled with the lack of coordination in the use of resources, such as taxis and security personnel, has negatively affected a wide array of quality-of-life metrics. These include waiting time in queues, response time for emergencies, and the number of traffic violations in cities. Using AI and Machine Learning methods, aggregation systems have been developed and adopted to improve the matching of resources and demand, thereby enhancing the efficiency of real-world transportation, emergency response and security systems. In this podcast, Associate Professor Pradeep Varakantham from the SMU School of Information Systems shares how AI can be used to improve transportation and security.