Evolving Threat series— Understanding Insider Attacks (Part 1)

The majority of security solutions focus on externally triggered unauthorized and illegitimate access to systems and information. Unfortunately, the most damaging malicious activity is the result of internal misuse within an organization, perhaps since far less attention has been focused inward. Insider threats are one of today's most challenging cybersecurity issues that ...
Evolving Threat series — Bug bounties and the Cobra Effect

Have you ever tried to fix your cybersecurity posture, only to make things worse? That's called the Cobra Effect: when a well-intentioned solution results in unintended consequences. In a real-world system, there will be multiple reinforcing connections between events, resulting in often unpredictable feedback loops. In ...
t2 / 2016 -  Learning the wrong lessons from Offense (Haroon Meer)

Evolving Threat series — Infiltrating Python’s Software Supply Chain

ZDNet published this interesting post 2 days ago titled "Two malicious Python libraries caught stealing SSH and GPG keys", which sets the stage for what is coming in 2020 and onward. And if you think you are safe (as you recently procured a well marketed commercial ...
Towards a concept of Security Specification for Software Supply Chain

Credit: Amatechinc

Many developers dread code reviews, and one reason for this is probably that most reviewers only offer criticism rather than encouragement. Remember, as a peer reviewer, you can also reinforce things you see that are done well, which can be every bit as important and effective as nitpicking every ...
Automated Sensitive Data Leak Detection

The average multinational spends several million dollars a year on compliance, while in highly regulated industries, like financial services and defense, the costs can be in the tens or even hundreds of millions. Despite conducting these rigorous assessments, we wake up to data breach announcements on an hourly basis. World's Biggest Data ...
Case Files: Outbidding

In my previous post, we witnessed a vendor partnership flaw that was exploited. Let us now situate ourselves in an online auction event. Online auctions offer buyers and sellers of a wide variety of goods an enormous platform for trade. Just like local auctions, there are sellers and bidders and winners ...
Case Files: The dynamic duo Andrew and Allen exploit Nordstrom with their FatWallet

Category: ecommerce
Fast forward to 2012, from my last post that recounted Citibank's exploit from 1999. The actors in this story are Andrew and Allen Chiu and their plot to defraud Nordstrom via a channel partner, FatWallet.com. FatWallet Inc. used to be a membership-based shopping community website that promoted various online retailers by ...
Case Files: Your data has been breached, now what?

Category: security
In my previous post, we witnessed how a flawed design pattern of session management across SaaS vendors allowed an exploit to manifest. Type your email here https://haveibeenpwned.com/ and verify if you have been pwned. If you have not, skip this entire post. Houzz, a $4 billion-valued home improvement startup, recently admitted ...
Case Files: Pusher in Coinbase cookie

Category: Bitcoin
In my previous post, we witnessed how a bidding process can be abused in an online auction marketplace. All of us are guilty of using SaaS services in this cloud era. Our systems use services like Okta for uniauth, Stripe for payments, Sendgrid for email notifications, HubSpot for customer success and ...
Case Files: Attack like its 1999 (Citibank) in 2012 (Signet/Jared jewelers, Molina Health)

Category: security
In the prior installment, I discussed and described the definition of a business logic flaw. Let us now turn back time to 1999 and recount the events leading to the Citibank attack on approximately 360,000 of its customers' financial data. The company said that hackers who breached Citi Account Online on May 10 had ...