Reducing export to many countries, not Norway.
Wiki for Cloud Security
NotSoSecure have made this wiki for cloud security, with tools and methods for how to research and develop knowledge in this topic. I find it quite useful for browsing the various cloud security research blogs, tools and methods they refer to. E.g., for AWS a lot of defensive and offensive tools are listed, such as ScoutSuite, with which I have great experience.
MVSP: The bare minimum for B2B security
Minimum Viable Security Product has a baseline requirements list for B2B software and products that's worth checking out. It is founded on the same principle as most frameworks, e.g., the CIS Critical Security Controls, by “prioritizing security functions that are effective”.
Threat Modeling Tools
MS Threat Modeling Tool, CAIRIS, IriusRisk, Kenna, OWASP pytm, OWASP Threat Dragon and Threagile are some of the best-known threat modeling tools I know.
Personally I like OWASP Threat Dragon for being supported on most common platforms, and because of its flexibility in designing and registering threats. MS Threat Modeling Tool provides a lot of out-of-the-box threat scenarios with details based on the model designed.
Fingerprint that EDR for red team testing
EDRhunt is an open source tool to detect installed EDR on Windows. Fingerprinting detection mechanisms obviously makes the red team test even more sophisticated.
Vulnerability scanner coverage is only half of published CVEs
Intruder has assessed the best-known CVE vulnerability scanners on the market. One great fun fact is that they both cover only half the published CVEs. Check it out and see who's the winner.
Drop EICAR in Azure
According to Microsoft, it is encouraged to drop EICAR and to generate anomalous security logs in order to test security monitoring and detections in Azure… Wonder if that is their way of feeding their detection rules.
Test your defenses
Should have mentioned this before, but Red Canary and Atomic Red Team share test steps you can use to verify that your detection architecture works properly, both for Windows and Linux. And of course they also cover cloud, e.g., Azure. Together they publish most of the tests on GitHub for you to play with, and some on their website. Nice!
Security Compliance Chaos Made Simple?
Anything that makes security compliance easier is always welcome, I think. Reporting on, or even assessing, compliance with more than one standard is common, at least if you are a service provider: ISO, NIST, ISF SoGP, GDPR, PCI DSS, CSC, etc.
ComplianceForge makes this at least slightly simpler with their immense guidelines and tools for mapping the most common standards. Most is not free; however, some of their material is, and it is a great start. Would also recommend CIS Security's compliance mapping.
Updates from NIST in Cybersecurity and Privacy
NIST is planning to update more standards in 2021, e.g., on supply chain management and performance measurements. Looking forward to it!