Bram Patelski on LinkedIn: Work hard, party hard. Sopra Steria Netherlands (formerly Ordina a Sopra… (2025)

Bram Patelski


Work hard, party hard. At Sopra Steria Netherlands (formerly Ordina, a Sopra Steria Company) the primary focus is not maxing out on billable hours at our clients. We absolutely invest in our people, with inclusion and multiple dedicated diversity communities, socials like boardgame evenings, BBQs, OSD weekends, meet-ups like the upcoming October security event and cool technical sessions, including a CTF with OWASP® Foundation's JuiceShop by Björn Kimminich and Jannik. It was an honour to design and build an actual JuiceShop Lego cluster with 4 Raspberry Pis. We will be hosting a JuiceShop session on Friday 25th of October at our office in Nieuwegein with food, drinks, dinner and some cool prizes, starting at 14:00 until about 20:00-21:00.

RSVP here: https://lnkd.in/eu7_ux5j
More info: https://lnkd.in/eH_t_BVf


More Relevant Posts

  • Bram Patelski


    Forget killing privacy. This will be a field day for social engineers like FC and 🤗Jayson E. Street🤗 (not that they need it): https://lnkd.in/eTFHYqQE

    Harvard students turn Meta's Ray-Ban Smart Glasses into a surveillance nightmare • FRANCE 24



  • Bram Patelski


    Bold statement: strong authentication can fix 50-80% of current attacks.

    Politie Nederland was attacked by (apparently) a nation state attacker. While I don't have any details other than what's in the news, I can say that a nation state attacker is an APT, an advanced persistent threat. As Chris Kubecka told me: emphasis on persistent. They won't stop until they get what they want, and they don't just want anyone's money. If you're a bank, your money is just as good as any other bank's. So you just have to not be the slowest one running from the lion. If you're an entity that has unique assets, like Politie Nederland or ASML or TenneT, you are in a unique position and your assets are NOT just as good as anyone's. Those assets can only be attacked through you and APTs will do anything to get them.

    Strong authentication is the first line of defence and we all know how widespread password reuse, easy-to-guess passwords and lack of MFA (multi-factor authentication) are. So please protect yourselves: generate and save all your account credentials in a password manager and please, please, please use MFA whenever possible. Once you start using a password manager, you'll never go back. You'll also see that it's much easier to just dump all your accounts in a password manager, not just the high-profile accounts.

    Want to know how nasty APTs can get and don't think truth can beat the thriller excitement of the Mr. Robot TV series? Read Sandworm by Andy Greenberg.

    Want more memes and more laughs on authentication and other security topics? Feel free to invite me for a live talk filled with (security awareness disguised as) memes for your organisation. Talks can be anywhere from 20 to 45 minutes, but will always be live and in-person.

    PS: Technical details on the hack of Politie Nederland are still unknown, but I assume they have MFA in place.


  • Bram Patelski


    Using generic AI chatbots is not always a good idea. AI is good at many things, but not all. But the most important criterion for me not to choose AI is reliability. If I really need something to be correct and I cannot double-check it for correctness myself, AI is not the answer.

    So I use AI as a buddy to debug some issues, which often results in an actual conversation where AI shows me a direction and I still need to ask a few follow-up questions for it to realise its mistake, and together we can figure it out. Or I use AI as a kickstarter for ideas and I build on that.

    Yesterday I had an interesting home decoration project for which I needed some options on how I could technically build it. Then I asked for some rough specs and a price indication, including some options, to have a ballpark idea of how feasible it was. And based on that I could Google for some more actual human-written guides and tutorials.

    So next time you have a challenge, see if you need a sparring partner to bounce some ideas off. If you do, generic AI bots can certainly help.


  • Bram Patelski


    Fast, Cheap, Good.... pick two.

    How about: This is our baseline quality standard. Anything below is not acceptable. Now your challenge as the person with the budget is to define that baseline quality standard and most importantly: CHECK.

    Put verifications in the definition of done that validate your desired quality. I'll give some examples:

    1: The application is checked and there are no vulnerable components found on deployment.
    2: Source code is scanned with SonarQube and there are no code smells or bugs in the codebase with high or critical severity.
    3: Source code is scanned for secrets (API keys, passwords, certificates) using an automated tool and none were found.
    4: Source code was scanned for security bugs using a dedicated SAST tool and no issues of severity moderate or higher were found (SonarQube is not a SAST tool).
    5: At least two developers peer-reviewed the code using a Pull Request and approved the code changes using the OWASP Code Review Guide and the Secure Coding Practices Checklist.
    6: Functionality is checked with automated unit tests covering happy scenarios and edge cases. All unit tests are successful.
    7: The deployed application was tested using a DAST tool like OWASP ZAP and no issues were found.
    8: All results from automated scans and tests are aggregated in a single dashboard that is updated near-realtime for each application's main, development and feature branches. The dashboard is available for the Product Owner to review at any time.

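The definition-of-done items in the post above are only useful if a pipeline actually enforces them. The Python below is an added example, not the author's code and not taken from any tool he names: it turns those items into one gate over a normalised finding record and produces the per-branch dashboard of item 8. The `Finding` record, the check names (`sca`, `sonar`, `secrets`, `sast`, `dast`), the thresholds in `GATE_POLICY`, the branch names and `SAMPLE_RUNS` are all constructed for this example; real scanner output (SARIF from a SAST tool, SonarQube's issues API, a secrets scanner's JSON, an OWASP ZAP report, an SCA report) would need an adapter that emits `Finding` records.

```python
"""Added example: a definition-of-done gate over aggregated scanner output.

Not the author's code. Finding, GATE_POLICY, the check names and SAMPLE_RUNS
are constructed for this example. Findings a human has triaged as false
positives stay visible on the dashboard but do not block the build.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordered from least to most severe; rank is the index in this list.
SEVERITIES = ["info", "low", "moderate", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    source: str          # assumed check names: sca, sonar, secrets, sast, dast
    severity: str
    title: str
    triaged_false_positive: bool = False   # set by a human reviewer, never by a tool


# Per source, the lowest severity that blocks; None means any finding blocks.
# Numbers refer to the items in the definition-of-done list.
GATE_POLICY: Dict[str, Optional[str]] = {
    "sca": None,          # 1: no vulnerable components at deployment
    "sonar": "high",      # 2: no high/critical SonarQube bugs or code smells
    "secrets": None,      # 3: no secrets in source
    "sast": "moderate",   # 4: no SAST issue of moderate or higher
    "dast": None,         # 7: no DAST issues on the deployed app
}


def severity_rank(severity: str) -> int:
    """Unknown severities rank above critical so a mislabelled finding cannot slip through."""
    try:
        return SEVERITIES.index(severity.lower())
    except ValueError:
        return len(SEVERITIES)


def blocks_build(finding: Finding, policy: Dict[str, Optional[str]] = GATE_POLICY) -> bool:
    if finding.triaged_false_positive or finding.source not in policy:
        return False   # triaged away, or a report-only source with no rule
    threshold = policy[finding.source]
    if threshold is None:
        return True
    return severity_rank(finding.severity) >= severity_rank(threshold)


@dataclass
class PipelineRun:
    branch: str
    findings: List[Finding]
    approvals: int        # distinct reviewers who approved the pull request (5)
    tests_total: int      # unit tests executed (6)
    tests_failed: int


def evaluate_gate(run: PipelineRun, policy=GATE_POLICY, min_approvals: int = 2) -> List[str]:
    """Return the reasons the run fails the definition of done; empty means it passes."""
    reasons = [f"{f.source}: {f.severity} - {f.title}"
               for f in run.findings if blocks_build(f, policy)]
    if run.approvals < min_approvals:
        reasons.append(f"review: {run.approvals} approval(s), need {min_approvals}")
    if run.tests_total == 0:
        reasons.append("unit_tests: no tests ran")   # zero tests is not "all tests pass"
    elif run.tests_failed:
        reasons.append(f"unit_tests: {run.tests_failed} of {run.tests_total} failed")
    return reasons


def dashboard(runs: List[PipelineRun]) -> Dict[str, dict]:
    """Item 8: one aggregated status per branch for the Product Owner."""
    board = {}
    for run in runs:
        reasons = evaluate_gate(run)
        board[run.branch] = {
            "status": "PASS" if not reasons else "FAIL",
            "blocking": len(reasons),
            "open_findings": sum(not f.triaged_false_positive for f in run.findings),
            "false_positives": sum(f.triaged_false_positive for f in run.findings),
            "reasons": reasons,
        }
    return board


# Constructed sample results for two branches (not real scan output).
SAMPLE_RUNS = [
    PipelineRun("main", [
        Finding("sast", "low", "Verbose error page"),                     # below threshold
        Finding("sonar", "high", "Null dereference", triaged_false_positive=True),
        Finding("license", "high", "Copyleft dependency"),                # report-only source
    ], approvals=2, tests_total=120, tests_failed=0),
    PipelineRun("feature/login", [
        Finding("secrets", "info", "Cloud access key in config/dev.yaml"),
        Finding("sast", "moderate", "SQL query built by string concatenation"),
        Finding("dast", "medium", "Missing Content-Security-Policy header"),  # scanner's own scale
    ], approvals=1, tests_total=118, tests_failed=2),
]

if __name__ == "__main__":
    for branch, row in dashboard(SAMPLE_RUNS).items():
        print(branch, row["status"], *row["reasons"], sep="\n  ")
```

Two design choices matter here: a severity string the policy does not recognise ranks above critical rather than being ignored, so a scanner that changes its scale fails loudly instead of silently passing; and a false-positive flag is a human decision recorded on the finding, which keeps the finding on the dashboard (item 8) while removing it from the gate. Sources with no rule in `GATE_POLICY` are reported but never block, which is where a new tool lives until its output has been evaluated.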

  • Bram Patelski


    Security budget these days..... in most places, nothing changed.

    When I started working in IT over 20 years ago, I was building web apps that almost always used a database for their "dynamic" components: users, articles, items in a webshop etc. And to do my work properly as a Java developer, I really needed to know some basic SQL. Sure, whenever I needed complex queries or had performance issues, I asked a DB expert, but SQL fundamentals were crucial.

    The same is now happening to security. As a developer you need to accept that in order to complete your work properly, you need to know the fundamentals of Secure Software Development. You need to know when something touches on security, who to ask for help and what questions to ask. You don't have to know everything; obviously I don't know everything either.

    And to those with the budget: security doesn't come for free. If it did, we would have security built in everywhere. But it's not just a matter of money, it's mostly a matter of caring for security. Care about security, ask for security, define security requirements together with your developers and check what's needed and if those requirements are implemented. You'll see that quality in general will increase alongside security as well. Don't be Jurassic Park's John Hammond. Care about security before the dinosaurs break your fences and eat your employees and customers. Because preventing damage by doing security from the start is much cheaper than burning a failed island and starting over.


  • Bram Patelski


    Welcome to my life


  • Bram Patelski


    Ever wanted to try your hand at web application hacking? There are still spots available. Claim your spot now.


  • Bram Patelski


    Seeing the Dutch Government adopt OWASP® Foundation's projects confirms what was obvious to me as an open-source advocate. In security, sharing is caring. OWASP® Foundation is the very best at gathering experts in the field who create excellent resources to increase your security posture and improve your defences. And who better to get on board than Software Improvement Group's very own Rob van der Veer to add both OpenCRE and the OWASP AI Exchange to OWASP. And the best part? It is Creative Commons: no licensing, no royalties, no limitations, no nothing. Just dig in and start using these awesome projects for free, nada, nothing but your own time. And if you need a helping hand, there's a Slack community, OWASP BeNeLux Days and OWASP Netherlands Chapter meetups, and if you really need to get professional help ASAP, yes, you can hire (for money) any of the awesome OWASP and security specialists in our network.


  • Bram Patelski


    You can never have enough scanning, but remember there is no silver bullet or black box that solves all your coding challenges. Also, managing all the output of those scan tools requires some effort. You can use more tools for that, like DefectDojo. But in the end, your developers need to know what tools they can use, what the benefits of those tools are and above all, what the limitations are. Even AI has its limits, false positives and false negatives. Tools are never a (full) replacement for actual, human grey matter.

