Over the past year or so, I’ve come across the occasional remark or comment about InfoSec teams and phishing simulations; typically how they’re run extremely poorly.
Most recently I came across this thread on Twitter and thought I would share my thoughts on phishing simulations and the effectiveness of them; based on my own experiences and understanding. My opinions could change as more data becomes available on the topic.
A mouthful of a title but in this blog, I’ll try to answer this question based on my own understanding and experiences deploying WebAuthn.
Firstly, if you don’t know what Web Authentication is (commonly referred to as WebAuthn), it might be worth having a quick read of my previous blog post as the WebAuthn standard is the foundational building block for passkeys.
In this post, I will be going through some of the essential Branch Protection Rules you should have on all* of your GitHub repositories. GitHub is constantly releasing new updates all the time but my recommendations stand as of January 2022.
I’ve also added some gotchas I’ve tripped over discovered whilst deploying such rules across nearly a thousand repositories.
*Assuming we’re talking about corporate GitHub organisations… and by all, I mean ALL. Branch protection Rules should be the rule, not the exception. Have exceptions if you need them (you will!) but otherwise apply it everywhere.
Web Authentication, or WebAuthn is a standard for strong user authentication and is a core part of the FIDO2 specification. I’m not going to go into too much technical detail about the spec in this blog because there already exists a plethora of awesome documents and demonstrations which explain WebAuthn better than I ever could; I’ll include those in the Additional Reading section below.
Categories
Where is your responsible disclosure page?
I want to start by saying that this article is not only for security professionals. If you have the power to influence positive change at your organisation then this article is for you. With that said, let’s begin…
Take a minute to visit your corporate website and look for a “security” or “responsible disclosure” page or link. Go on, do it now and continue reading after you’ve had a look.
…
Don’t see one? Maybe you have one but it’s obscured and requires a little bit of clicking and button pressing. If so, keep reading…