Dinis Cruz
174 followers
Dinis's posts

The Authentication micro-service cache incident
A good example of why we need tests across the board, not just normal unit tests, but integration tests, and tests that are spawned as wide as possible, is the story of an authentication module that was developed as a refactoring into a separate micro-serv...

Risk Dashboards and emails
It is critical that you create a suite of management dashboards that map the existing security metrics and the status of RISK tickets: Open, In Progress, Awaiting Risk Acceptance, Risk Accepted, Risk Approved, Risk not Approved, Risk Expired, Allocated for Fix...

Why GitHub and JIRA
My current experience is that only GitHub and JIRA have the workflows and the speed that allow these risk workflows to be used properly in the real world. I know there are other tools available that try to map this and create some UIs for risk workflows, bu...

Linking source code to Risks
If you add links to risks as source code comments, you deploy a powerful and very useful technique with many benefits. When you add links to the root cause location, and to all the places where the risk exists, you make the risk visible. This reinforces the con...

Employ Graduates to Manage JIRA
One of the challenges of the JIRA RISK workflow is managing the open issues. This can be a considerable amount of work, especially when there are 200 or more issues to deal with. In large organizations, the number of risks opened and managed should be above...

Can't do Security Analysis when doing Code Review
One lesson I have learned is that the mindset and the focus that you have when you do security reviews are very different from when you work on normal feature and code analysis. This is very important because as you accelerate in the DevOps world, it means ...

Threat Model Confirms Pentest
A key objective of a pentest should be to validate the threat model. Pentests should confirm whether the expectations and the logic defined in the threat model are true. Any variation identified is itself an important finding because it means there is a gap i...

Threat Model per Feature
Creating and following a threat model for a feature is a great way to understand a threat model journey. First, take a very specific path, a very specific new feature that you are adding, or take a property, such as a new field, or a new functionality. Next...

Using Git as a Backup Strategy
When you code, you inevitably go on different tangents. Git allows you to keep track of all those tangents, and it allows you to record and save your progress. In the past, we used to code for long periods of time and commit everything at the end. The probl...

Feedback Loops
The key to DevOps is feedback loops. The most effective and powerful DevOps environments are environments where feedback loops, monitoring, and visualizations are not second-class citizens. The faster you release, the more you need to understand what is hap...