Securus Global is again looking for new people to join our team. Information here. (Not all the roles this time require the same level of experience, as we are also looking to train the right people who have already attained a certain level of expertise and experience.)

With our range of clients and the types of work we are engaged to do, we believe very few other organisations can offer Information Security people in Australia (with an interest in penetration testing, research and developing their technical expertise) the same challenges and diversity of work.

If you have applied in the past, please don’t let this stop you applying again, as we don’t generally go back through previous CVs given the number we receive.

———————————————————————————————-
Securus Global: IT Security, Penetration Testing, Security Assessments, PCI Compliance, Product Assurance, QualysGuard, Security Strategy, Vulnerability Assessment.



This is a question I threw onto Twitter yesterday. Some responses so far (track the thread via @ddrazic, though it could dive into history):

jeremiahg: @DDrazic Re: because “security” isn’t (yet) a major skill that leads developers to better employment opportunities.
securityninja: @DDrazic I think the two (dev and info sec) are still seen as two separate things. Virtually no security talks at developer conferences etc
securityninja: @DDrazic Same worldwide I imagine. I keep coming back to the cons, lots of people talking about application security but very few are doing it at dev conferences. We talk about app sec to security people at security conferences with a few developers in the crowd
securityninja: RT @DDrazic: Wonder why more web developers don’t follow infosec ppl on Twitter. A source of great information that impacts their field.
fassyfassy: @DDrazic mostly they aren’t in charge of being able to fix security problems. just means more work for them if they identify them to management. sad but true i suppose.
fassyfassy: @DDrazic result is there’s still business for you guys :P howdy anyway, long time no speak!

I’m not saying Information Security Professionals are it! Most couldn’t do anything close to what the talented developers out there can in terms of product. But those infosec people who excel in web application and general application security can rip apart insecure applications and turn that piece of code into a nightmare for anyone using it. We see it every day.




The APRA “prudential practice guide” (PPG234) hasn’t really come out all guns blazing so far, has it? (Press release and document here.) Or has it?

It would be interesting to know from readers whether anyone has yet been involved with PPG 234 and APRA, i.e. are you talking about it? Are you adopting the “principles”? Are you dealing with APRA in any sense regarding the “principles”?

We mentioned in a previous post that it’s very similar to the Monetary Authority of Singapore’s “Internet Banking and Technology Risk Management Guidelines”, only it seems to have no teeth and is a decade behind.

Let’s hope not. I talked recently in this post about regulation and the impact of enforcing stronger controls and practices on organisations, in particular the financial sector. APRA has never really given us any indication of heading down this path the way the MAS and other regulators in the region have. You have to wonder why not. Seriously. (The simplest answer is probably that it’s all too hard, lack of funding and support, etc.) So what’s the point of it, you may ask? And that would be a fair question.

I welcome your thoughts on this.




- I wonder how Minister David Campbell’s police investigation into the SMH hackers is going. I never knew the SMH hired hackers, but hey, some of those journos are dark horses when it comes to technology. Over at un-excogitate.org, four great minds have proposed a solution.

- My favourite posting in recent times: the ACS recommends males over 45 as mentors for women in IT. LOL. Have enjoyed the banter over this one on Twitter. Please, no ACS responses, unless they are witty. :)

- Jarrod over at /dev/null has created Wall of Shame postings. Support the local bloggers. Have a read and post your thoughts to Jarrod.

- Patrick at Risky.Biz has a story today on “Ex Sourcefire employee goes rogue”. “Wake up your f–king idea!” LOL…

- 2010: There are still companies out there that think their industry is stupid. (Not infosec.) If you’re going to create a supposedly independent “industry” discussion forum and seed it with posts and responses from anonymous users about how great your business is and how bad your competitors are, at least be smart enough to ensure that the domain name registration information doesn’t give you away! One of the dumbest websites I have seen in years. Sadly, they’re not getting the hint, and I can see it ending badly for them.

- As I have mentioned, we are looking for new people to join Securus Global in both Melbourne and Sydney. See the advertisement here.

- There have been a few updates to the Australian Information Security Bloggers Directory. If you want to be added to the list, please let me know.

- Follow me on Twitter: @ddrazic. (Can’t guarantee anything of quality.)



(Also posted this as a question on Twitter: @ddrazic.)

Does anyone know of a website that documents and posts links to all the better-known annual security surveys and reports? So many come out that it’s hard to keep track of them all these days.

While I take most of them with a grain of salt, some do have decent substance. Which ones do you read and which ones do you brush aside? Keen on your thoughts.




We’re looking for people again. Check out the role advertisement. If you think you fit the role description and want to join one of the region’s best and fastest growing security companies, give us a yell.

Just a note: while we are open to overseas applicants, and we have recruited from overseas before, having a work visa or the like for Australia is preferred.



This is a dodgy operation that went bankrupt and did not pay its bills, but somehow still exists under the same name?

http://www.commander.com/

Stay away from them. Weird they exist.



I’m not going to go back over all the old posts to try to remember who all these mobs were, but is any consortium still doing anything? e.g. ICASI, SAFECode, etc.

Some previous posts mentioning them: http://beastorbuddha.com/?s=consortium

Not much more to add that I haven’t already said in the link above and the links within those posts.

Is there a Cloud one also? Sure there is. :)




A bit quiet lately. Sometimes I wonder if there’s more to say that I haven’t already covered in the 500+ posts on Beast or Buddha. (The really interesting stuff you can’t write about, for obvious reasons.) What do you do? Continue to rehash the old stuff? Sometimes! Which brings me to an interesting discussion.

We were asked recently to do a presentation on “emerging threats” at a business forum for IT Security and Risk Management professionals. Seems straightforward enough, but looking back over the similar presentations we’ve been doing over the years, nothing much has changed, in particular our recommendations on how organisations should be dealing with “emerging threats”. We could almost have pulled out the “Emerging Threats” presentation (circa 2002) and delivered it word for word, with only a few very minor wording and definition changes, e.g. “Cloud”, “APT”, etc. :)

Should we be calling these presentations “Emerging Responses”? It’s the response part that in most cases has yet to “emerge” effectively! The “threats” (most of them) emerged a long time ago. In many cases we just call them different things now because we failed to deal with them properly at the time, so it’s easier to rename something: it makes it all seem that little bit new, and covers up to a degree for failures in the past.

Am I being unfair? Keen on your thoughts.




Dear Recruiters,

Unless we officially approach you to work with us, i.e. approve you to go out and look for candidates, please don’t approach people who you think we might like to fulfil the roles we advertise. It doesn’t reflect well on you. We don’t support random headhunting of people.

Securus Global Team
