Blog
Unintentionally exposing your organization to MFA bypasses on Azure Active Directory
Some organizations may believe that they are enforcing a second authorization factor when using Microsoft Single-Sign On on Azure Active Directory, but their configuration might have an easy way to...
Secrets in Broad Daylight, or How $500,000/Year Software Can Help Hackers Compromise Your Network
You might have taken all the right steps to secure a corporate Windows workstation: your users are not running as local admins, endpoint protection is in place, service ACLs and file permissions are...
Decrypt TLS traffic with mitmproxy & Wireshark
You can view decrypted TLS connections in Wireshark by creating a key log file using mitmproxy: Set an environment variable to point to the desired location to record the TLS encryption keys: export...
Backend DDoS protection
Is your website hosted behind a CDN? Could an attacker brute force or guess your website's origin URL? Are your origin servers hardened against DDoS threats? A common website...
Universal Principle of Smoothness
This post is fundamentally about humans and how they achieve goals. It is about defeating our tendencies when solving hard problems and pushing the boundaries of our performance. I call it the...
An Easy Cybersecurity Model for Busy Execs
Do you know what your organization's attack surface is? Attack surface is everything that a bad person (aka “attacker”) can interact with or touch. Your organization’s attack surface consists of PIA:...
Cybersecurity Threat Modeling for Business Leaders
As a business leader, you are likely familiar with SWOT analysis. SWOT is a strategic planning exercise to help identify a business’s Strengths, Weaknesses, and Opportunities, as well as Threats...
5 Ways to Increase Pen Testing ROI
Carve COO Max Sobell presenting on "Shifting Security Left" at Giphy HQ. Many a CTO and VP of Engineering has begrudgingly spent money on penetration tests in order to make their enterprise...
Security is a Long Distance Event
Twenty-five miles and seven hours into my first 50 mile trail running race, I told myself there are only twenty-five miles and seven hours to go. It should be simple - just keep going, right? This...
WASM Security Assessment Techniques
Do we have a problem? The World Wide Web has been struggling with how to create portable, efficient and safe programs (pick two) for decades. The current best of breed attempt is called WebAssembly...