Security Blog

Hello there! I have an exciting and unusual story to share with you today. Back in 2019, when I was working at Duo Security, I did something called “Hot Topics – with Steve Edwards” that you might call daring, adventurous, or, let’s be honest, a little crazy. I made a video aiming to educate viewers about the top five things they could do to stay safe online. But…

Hello everyone, We’re about to embark on a fun, exploratory exercise! Before we begin, I’d like to share that this post is meant purely in jest. While I appreciate the appeal and tradition of astrology, my personal journey in leadership and team-building has been informed more by structured personality assessment tools, like Myers-Briggs, DISC, and CliftonStrengths. Tools that have been jokingly called “Business Astrology”. Recently, just for a…

As someone who has been a people leader for about 10 years and has worked in IT and security for over 20, I’ve had the privilege of leading diverse teams across different industries – from small startups to Fortune 50 companies and state institutions. Through these varied experiences, I have learnt that taking on an existing team can be a nuanced process, one that demands adaptability, empathy, and…

I often encounter professionals wrestling with the question: “Should I transition into a management role?” Today, I’d like to shed some light on this topic in case you are also wondering if management is for you. Choosing a career path is a deeply personal decision and, while it’s thrilling to consider new possibilities, it can also bring up a lot of uncertainty. My hope is that this post…

Burnout, especially within the realm of security professionals, has emerged as an alarmingly pervasive risk. A cursory glance at social platforms like Twitter or candid conversations with colleagues across various companies confirms this rising tide. Yet, intriguingly, when we strategize about risk mitigation in our lives, managing burnout often slips through the cracks. Could it be that it lacks the technical allure of tackling account takeovers or covert…

I recently looked at four different aspects of the security posture of a number of US banks. I’d like to explain in detail what these security controls are and why they’re important. In this post I’ll explain what two factor authentication is and why you should be using it everywhere you can. To start off, I’d like to define authentication. Authentication is the process by which one proves…

I have had an account with the same bank for a really long time. Perhaps the time has come to switch to a new bank. After all in 2016 my bank still doesn’t offer two factor authentication, EMV cards, and several other modern features that I see from other banks. I’d like a bank that takes information security seriously, it seems like my current one does not. While…

Recently, Mark Stanislav gave a talk on holistic authentication security for companies who have implemented two-factor authentication. He developed a scoring system, MASSACRE, which quantifies the presence of several different security features on a web site; cookie flags, response headers, etc.. This inspired me to see if I could get our Jasig CAS server with Duo 2FA to the top of the charts. As you might know, CAS runs on…

HTTP offers several headers that can help protect website visitors. OWASP has a great description of them here. Based on that I’d like to quickly share a few configuration changes I make to Apache web servers. In the httpd.conf I add the following directives to the document root <Directory> section. Header always append X-Frame-Options DENY Header always append X-XSS-Protection “1; mode=block” Header always append X-Content-Type-Options nosniff Header always…

We recently had trouble replacing an older CAS server with a new system. The new server would not forward to the requested service after authenticating and the service could not verify the service ticket. We decided to use HAProxy with CAS for the front-end so we could switch back-end services seamlessly. We used the following HAProxy config, which allowed us to provide front-end and back-end SSL. global log…