I mention that the data that appears to be used for those purposes is sent again in a separate request to a separate end point, so we have two types of requests: last read location, and reading analytics. Sorry it wasn't clear, I'll try to improve the wording.
Though I haven't analyzed other devices (because I don't own them), they could easily have similar issues. I personally really want an open e-ink device, but I haven't seen one for sale unfortunately. For now, I do Calibre ODPS server with Marvin app on a phone, but it doesn't really compare.
Perhaps calling it an heroic effort would suit your taste more?
"Those teams rebuilt around 4,000 servers and 45,000 PCs and other devices" over 10 days (according to another article), while the company "ground to a halt".
I don't know about you, but if I had a team that pulled that out, I would have a deep respect for their service and contribution to the business.
Maybe I am missing something, but I didn't see anywhere where this was a company brought in, I am under the impression it is the company's internal staff recovering from ransomware, and now being laid off.
I completely agree. I was only pointing out that even extreme cases don't seem to lead to proper valuations.
Many companies do things in a way where miracles aren't required - but the values perceived by those departments still don't seem in line with value delivered.
I wish I knew of some way to change this paradigm. I have repeatedly seen IT/Engineering teams pull out miracles that save a business, or deliver the critical edge for growth, only to have the business value that same team close to zero shortly after.
It seems to me the gap in time between reducing staffing and disaster is perhaps too long for intuitive connections to be made, but that seems overly simplistic to me too.
You are right on this - I thought you could set multiple sites by setting multiple headers, but it doesn't work that way, which I should have known because headers don't work that way in general...
The recommended way to do multiple sites seems to be to have the server read the request header, check it against a whitelist, then dynamically respond with it, which seems terrible.
Thanks for catching this - I updated the post to reflect this and make it more clear.
That is true! I do set frame-ancestors in the sample CSP for this reason. I could probably do a dedicated post on CSP to do it justice, but don't want to overwhelm anyone who just wants to start setting headers.
One good reason to set both options, as I mention in the post, is that scanners who rate site security posture may penalize site owners who don't set both - no harm in doing it that I know of.
I think it's a good point which is why I set the time low, even though many other resources set it to a week or longer. I just don't like very long cache times for anything that can break, so that site owners have a little more flexibility in case something goes wrong down the line.
I'm not an analyst, but I'm in the field. It's broad, and not many good targeted communities exist that I know of. Here is my current list of places to check regularly. Let me know if you know of others!
## Slack Communities
OWASP - owasp.slack.com
DFIR IR - dfircommunity.slack.com - mostly around the Demisto products, but some other discussion as well
Hangops Infosec - hangops.slack.com - infosec channel
About us:
GE Power is building industrial IoT and analytics to help Power the world more efficiently. I lead the Secure DevOps team at GE Power, focused on helping the business build secure software through automation and deep security expertise.
About the role:
This is a role for a great programmer who loves security, or a great security professional who loves programming. We are happy to train security skills if coming from a programming background with a security interest. The focus of the role is on building security tooling for other development teams. Some examples we are working on today: a two factor auth library in Java, A webhook for code analysis in Java/Spring, and a framework for automating security scans across networks and systems in Go.
We also consult with other teams to build product security features, threat model, implement CI/CD, or train development teams on secure coding practices.
Our goal is to enable our product teams to ship daily code while maintaining a very high level of security. Our product threat model adversaries include everything from common malware all the way up to targeted nation states attempting electrical grid and generation disruption.
Main technologies: Java with Spring is the most frequently used today, but we also use or support Node, Go, Python and C/C++ for various projects.
If this sounds interesting, apply at the link above or reach out to me and I will be glad to answer any questions.
We're a team of software engineers focused on helping the business build secure software on GE's Predix platform (predix.io) and industrial internet of things.
About the role:
We build security tools for development teams, security focused libraries and embed with product teams as security focused developers - focusing on user stories around security.
Technology focus areas:
GE is a big company, and we support teams that use all sorts of languages, frameworks, and technologies. The most frequent technologies we work with are:
* Java with SpringBoot
* Angular
* Polymer
* Node
Other languages I am seeing more of: Python, Ruby, Elixer, Go
When we build internal tooling, we pick the best tools for the job: Elixer, Scala, Python, Node or whatever makes sense.
What we look for:
Great programmers who love security and understand secure coding. Experience with the technologies listed above, CI/CD, TDD, and general development best practices is key.
We hire at all skill levels and are more than happy to train in any technology or skill set if you bring enthusiasm and a programming background to the table.
If you love to code, understand how to find, exploit, and fix vulnerabilities in web apps, and want to help us build security tooling, I'd love to chat!
About us:
We're a new team of software engineers focused on helping the business build secure software on GE's Predix platform (predix.io).
About the role:
We build security tools for development teams (CI/CD security plugins, platform scanners, log aggregators), security focused libraries (2 factor authentication, OAuth wrappers, encryption wrappers), and anything else that might help our teams be more secure.
We also embed directly with product teams as security focused developers - ensuring user stories around security are being implemented, teaching developers about secure coding, and building the most sensitive parts of our critical applications.
Technology focus areas:
GE is a big company, and we support teams that use all sorts of languages, frameworks, and technologies. The most frequent technologies we work with are:
* Java with SpringBoot
* Angular
* Polymer
* Node
Other languages I am seeing more of: Python, Ruby, Elixer, Go
When we build internal tooling, we pick the best tools for the job.
What we look for:
Great programmers who love security and understand secure coding. Experience with the technologies listed above, CI/CD, TDD, and general development best practices is key.
If you love to code, understand how to find, exploit, and fix vulnerabilities in web apps, and want to help us build security tooling and improve app, I'd love to chat!
About us:
We're a new team of software engineers focused on helping the business build secure software on GE's Predix platform (predix.io).
About the role:
We build security tools for development teams (CI/CD security plugins, platform scanners, log aggregators), security focused libraries (2 factor authentication, OAuth wrappers, encryption wrappers), and anything else that might help our teams be more secure.
We also embed directly with product teams as security focused developers - ensuring user stories around security are being implemented, teaching developers about secure coding, and building the most sensitive parts of our critical applications.
Technology focus areas:
GE is a big company, and we support teams that use all sorts of languages, frameworks, and technologies. The most frequent technologies we work with are:
* Java with SpringBoot
* Angular
* Polymer
* Node
Other languages I am seeing more of: Python, Ruby, Elixer, Go
When we build internal tooling, we pick the best tools for the job.
What we look for:
Great programmers who love security and understand secure coding. Experience with the technologies listed above, CI/CD, TDD, and general development best practices is key.
If you love to code, understand how to find, exploit, and fix vulnerabilities in web apps, and want to help us build security tooling and improve app, I'd love to chat!
We're a new team of software engineers focused on helping the business build secure software on GE's Predix platform (predix.io)
About the role:
We build security tools for development teams (CI/CD security plugins, platform scanners, log aggregators), security focused libraries (2 factor authentication, OAuth wrappers, encryption wrappers), and anything else that might help our teams be more secure.
We also embed directly with product teams as security focused developers - ensuring user stories around security are being implemented, teaching developers about secure coding, and building the most sensitive parts of our critical applications.
Technology focus areas:
GE is a big company, and we support teams that use all sorts of languages, frameworks, and technologies. The most frequent technologies we work with are:
* Java with SpringBoot
* Angular
* Polymer
* Node
Other languages I am seeing more of: Python, Ruby, Elixer, Go
When we build internal tooling, we pick the best tools for the job.