
Update on Security Efforts and a Few Tips

Disclaimer: the author of this post is not affiliated with any of the resources mentioned below.

Security strategy

Cybersecurity is not an “IT issue”. It is an organizational issue of high priority, and the ongoing collaboration on the Helmholtz Security Strategy aims to make this unambiguously clear. The need for joint effort and even more active knowledge sharing was articulated once again at the Helmholtz Cybersecurity working group meeting on Friday, Feb 20th. Further steps shall be discussed in the upcoming weeks. This discussion will include, among other things, identification and mitigation of immediate and high-priority cybersecurity risks.

Security concerns are not limited to Helmholtz only - the HighTech Agenda for Germany explicitly names security of research as one of the main levers for innovation and development. According to this agenda, protecting the integrity of research is intertwined with protecting our democratic values. Securing research means building a system of mutual trust and integrity - towards data, systems, and people. (How many cyberattacks are attempted each second? Find out here)

Meanwhile, what can we, the users, do to keep our research secure?

Secret admirers

“What do you like about me?” If you addressed this question to your friends and family, you would hopefully receive a multitude of flattering answers. Your wit. Your gorgeous smile. Your kindness. Your humor. Your generosity.

Access. This is what some people - whom you don’t know - like a lot about you. Your personal data. Your financial data. Your email. Systems you can access. Information you have. People you know. They like your usernames, passwords, session tokens, cookies, API keys… They might even generously offer you free money - this is how much they like you! (Can you outsmart the scammers?)

Security research confirms: valid access to organizational systems is one of the hottest goods on underground marketplaces. Not only that - security incidents involving stolen and compromised credentials typically take the longest time to uncover and resolve. A burglary involving a broken window is easy to notice; but how soon would you notice your silver spoons missing if a burglar opened your door with a key and turned off the alarm?

How to deter the “admirers”?

Keep track of your passwords and the services you use. Use MFA. Do not reuse passwords across services. Preferably don’t store your credentials in a browser. Instead, use a password manager as a more secure alternative.

Sometimes unfortunate situations happen even when we do everything right. Emails and passwords get leaked via data breaches of the services we use. With Have I Been Pwned, a service created by a reputable security researcher, you can check whether your email has appeared in any known large data leaks, and the Notify Me function of the service can keep you informed of new leaks.
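The same service also offers a Pwned Passwords "range" API that lets you check a password against known leaks without ever sending the password itself: only the first five hex characters of its SHA-1 hash leave your machine, and the matching is done locally. The example below is an added illustration, not code from the original post; the range response body is constructed, and the URL format is assumed from the public API documentation (no network access is performed).

```python
"""Offline walk-through of the Pwned Passwords k-anonymity range check."""
import hashlib

# Assumed from the public documentation: the caller fetches this URL (HTTPS)
# and passes the response body to breach_count(). Not fetched here.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def hash_prefix_and_suffix(password: str) -> tuple[str, str]:
    """SHA-1 the password (uppercase hex); only the 5-char prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL the client would query; it contains no part of the password."""
    prefix, _ = hash_prefix_and_suffix(password)
    return RANGE_URL.format(prefix=prefix)


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padded responses may include count-0 lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How often the password appears in the corpus (0 = not found)."""
    _, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password").
# The counts and the other suffixes are made up for this demonstration.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""

if __name__ == "__main__":
    print(range_url("password"))
    print(breach_count("password", SAMPLE_RANGE_BODY))
```

A result greater than zero means the password should be retired; a count-0 line (from a padded response) is treated as not found.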

Can you make an AI chatbot reveal a password?

Secure software development

You developed an amazing piece of software and want to share it with your colleagues in Helmholtz, but a tiny doubt creeps into your mind. What issues should one consider? What should one test? Should one simply avoid sharing anything altogether?

While every case is individual, there are several things you can do, particularly in the case of web applications:

  • Identify architectural components of your application that you are responsible for. If it is a web application, which framework/platform (and which version) does it use? If you are responsible for configuring the underlying web server - which server is it and which version? Do you have a database? Which (you guessed it) product and which version?…
  • Identify data flows in your application. Does it store or process any personal or other sensitive data? Where does data enter your application? Where does data exit your application? Does your system process any user input?

Once you have a decent overview of your system…

Do you want to learn more about web application vulnerabilities? Check out this free resource, and test your skills with OWASP Juice Shop (tutorials and walkthroughs available)!

Would you be interested in workshops or shared materials dedicated to secure development practices and other security topics? Let us know!

What do you tell a hacker after a bad breakup? There are plenty of phish in the sea.