Security Blog

Posts about my work in Engineering, IT, and Security

Hot Topics: 5 Simple Steps to Online Safety

Hello there! I have an exciting and unusual story to share with you today. Back in 2019, when I was working at Duo Security, I did something called “Hot Topics – with Steve Edwards” that you might call daring, adventurous, or, let’s be honest, a little crazy. I made a video aiming to educate viewers about the top five things they could do to stay safe online. But…

Read More

Business Astrology: A Fun Exploration of Zodiac Signs and Personality Tools

Hello everyone, We’re about to embark on a fun, exploratory exercise! Before we begin, I’d like to share that this post is meant purely in jest. While I appreciate the appeal and tradition of astrology, my personal journey in leadership and team-building has been informed more by structured personality assessment tools, like Myers-Briggs, DISC, and CliftonStrengths. Tools that have been jokingly called “Business Astrology”. Recently, just for a…

Read More

Navigating New Leadership: 5 Questions to Ask When Taking Over an Existing Team

As someone who has been a people leader for about 10 years and has worked in IT and security for over 20, I’ve had the privilege of leading diverse teams across different industries – from small startups to Fortune 50 companies and state institutions. Through these varied experiences, I have learnt that taking on an existing team can be a nuanced process, one that demands adaptability, empathy, and…

Read More

Is Management for You? Navigating Your Career Path

I often encounter professionals wrestling with the question: “Should I transition into a management role?” Today, I’d like to shed some light on this topic in case you are also wondering if management is for you. Choosing a career path is a deeply personal decision and, while it’s thrilling to consider new possibilities, it can also bring up a lot of uncertainty. My hope is that this post…

Read More

Managing Burnout Risk

Burnout, especially within the realm of security professionals, has emerged as an alarmingly pervasive risk. A cursory glance at social platforms like Twitter or candid conversations with colleagues across various companies confirms this rising tide. Yet, intriguingly, when we strategize about risk mitigation in our lives, managing burnout often slips through the cracks. Could it be that it lacks the technical allure of tackling account takeovers or covert…

Read More

Two Factor Authentication – Bank Security Explained

I recently looked at four different aspects of the security posture of a number of US banks. I’d like to explain in detail what these security controls are and why they’re important. In this post I’ll explain what two factor authentication is and why you should be using it everywhere you can. To start off, I’d like to define authentication. Authentication is the process by which one proves…

Read More

Reviewing US Banks’ Web and Email Security

I have had an account with the same bank for a really long time. Perhaps the time has come to switch to a new bank. After all, in 2016 my bank still doesn’t offer two factor authentication, EMV cards, or several other modern features that I see from other banks. I’d like a bank that takes information security seriously, and it seems like my current one does not. While…

Read More

Raise your MASSACRE Score with HAProxy

Recently, Mark Stanislav gave a talk on holistic authentication security for companies that have implemented two-factor authentication. He developed a scoring system, MASSACRE, which quantifies the presence of several different security features on a web site: cookie flags, response headers, etc. This inspired me to see if I could get our Jasig CAS server with Duo 2FA to the top of the charts. As you might know, CAS runs on…

Read More

HTTP Security Headers in Apache

HTTP offers several response headers that can help protect website visitors; OWASP has a good description of them. Based on that, I’d like to quickly share a few configuration changes I make to Apache web servers. In httpd.conf I add the following directives to the document root <Directory> section. Note that set is used rather than append: append merges with any value the application already emits, which for a header like X-Frame-Options produces a comma-joined value such as "SAMEORIGIN, DENY" that browsers reject, whereas set replaces it. X-XSS-Protection is now deprecated and ignored by current browsers, but it was standard advice when this was written.

Header always set X-Frame-Options DENY
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always…
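The two posts above (the MASSACRE scoring idea and the Apache header directives) both come down to the same check: does a response carry the expected security headers, with sane values, and do its cookies carry the expected flags? The following is an added example, not code from either post and not Mark Stanislav's MASSACRE tooling; the header list, the value checks and the one-point-per-item weighting are this example's own assumptions, and the three HTTP responses are constructed inline so it runs offline. It also flags the merged value that Header append produces when an upstream application already set the same header.

```python
"""Added example: score a raw HTTP response for the security headers and
cookie flags discussed on this page. The header list and point values are
assumptions for illustration, not the MASSACRE rubric."""

HEADER_CHECKS = {
    # header name (lower-case) -> predicate accepting a sane value
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: v != "",
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value), ...]).
    Duplicates are preserved because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_headers(headers):
    """Classify each security header as 'ok', 'weak' or 'missing'."""
    findings = {}
    for name, acceptable in HEADER_CHECKS.items():
        values = [v for n, v in headers if n == name]
        if not values:
            findings[name] = "missing"
        elif len(values) == 1 and acceptable(values[0]):
            findings[name] = "ok"
        else:
            # Catches a merged value such as "SAMEORIGIN, DENY" (what
            # 'Header append' yields over an upstream value) and duplicates.
            findings[name] = "weak"
    return findings


def check_cookies(headers):
    """Return {cookie_name: {"secure": bool, "httponly": bool, "samesite": str|None}}."""
    cookies = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.lower()] = val or True   # flag attrs carry no value
        samesite = attrs.get("samesite")
        cookies[cookie_name] = {
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "samesite": samesite.lower() if isinstance(samesite, str) else None,
        }
    return cookies


def score(raw):
    """One point per acceptable header and per cookie flag present (assumed weights)."""
    _, headers = parse_response(raw)
    hdr = check_headers(headers)
    cookies = check_cookies(headers)
    points = sum(1 for v in hdr.values() if v == "ok")
    for flags in cookies.values():
        points += int(flags["secure"]) + int(flags["httponly"]) + int(flags["samesite"] is not None)
    return {"points": points, "headers": hdr, "cookies": cookies}


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "\r\n<html></html>"
)
# What you get when 'Header append' runs over an app that already set SAMEORIGIN.
MERGED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN, DENY\r\n"
    "Set-Cookie: sid=1; Secure\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("merged", MERGED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, score(resp))
```

The "weak" classification is the one to watch for in practice: a header that is present but carries a merged or misspelled value gives no protection, yet a naive presence check would count it.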

Read More

Using HAProxy with CAS

We recently had trouble replacing an older CAS server with a new system. The new server would not forward to the requested service after authenticating and the service could not verify the service ticket. We decided to use HAProxy with CAS for the front-end so we could switch back-end services seamlessly. We used the following HAProxy config, which allowed us to provide front-end and back-end SSL. global log…

Read More