Why Common Vulnerability Scanning Practice is Useless?
I hope you will find this obvious, but unfortunately the security community relies heavily on vulnerability scanning in a way that makes it totally useless or even harmful! Vulnerability assessment is the evaluation of a system against known and potential security flaws. A system is simply a collection of processes, workflows, people, nodes, software…but traditional… Continue reading Why Common Vulnerability Scanning Practice is Useless?
Author: Kaveh Mofidi
While he enjoys working with computers and dealing with information security, he believes that our challenges, as humans, extend far beyond infosec and even technology. He says: "The real task is to discover solutions for unlimited clean energy, drinkable water, and addressing the root causes of hunger, war, and injustice. Our primary goal should be to keep our planet livable; that is the true challenge we face on the Earth!"
Penetration Testing vs. Secure Code Review
What is the best way to make sure a software product is secure? The easiest way is to roll it out to the market, see what happens and hope everything goes well…no kidding, that is what most software developers do! Let’s forget about what the majority of the software community does and see what… Continue reading Penetration Testing vs. Secure Code Review
Does Internet Act As A Valid Source Of Information?
The Internet was built with the initial goal of providing the most validated data to the corresponding party. Today we are far away from that mindset, but still, how much can we rely on the data provided via the Net? The answer simply depends on the source of the data. People usually believe what they… Continue reading Does Internet Act As A Valid Source Of Information?
No Silver Bullet in Computer Security
There is no silver bullet in any aspect of information security. All the answers like EDR, MFA, SIEM… might put you in a better or worse security posture; it all depends on how you implement and manage them, but none of them is a silver bullet in its area (malware protection, authentication, monitoring…). It is all about… Continue reading No Silver Bullet in Computer Security
Accurate Vendor Risk Assessment
How do you perform an accurate vendor risk assessment? Assessing your vendors, suppliers, business associates…or whatever term you use for those who provide services to your firm is crucial and might even be required from a regulatory standpoint (e.g. under HIPAA). I do not want to get into the detail of what would be… Continue reading Accurate Vendor Risk Assessment
Vendor Risk Assessment: Hassle or Blessing?!
A Security Questionnaire, RFI, VRA (Vendor Risk Assessment), VR Management…helps customers identify and evaluate the risks of using a vendor’s product or service. Performing such a review is sometimes mandatory depending on the industry (e.g. healthcare). During this standard business process, the customer collects written information about the security capabilities of a supplier, and you could barely… Continue reading Vendor Risk Assessment: Hassle or Blessing?!
Coding Skills and Security Administration
Know how to code and take your computer security effectiveness to the next level
Tech Staff Justifies Incompetence!
Have you ever listened to your tech team trying to justify all the tasks left behind, delayed or procrastinated? Do you have an IT team bringing excuses for every project they are facing and trying to blame everything except the root cause? Then you are not alone! Here is a known list of IT staff… Continue reading Tech Staff Justifies Incompetence!
ISMS is Not equal to Real Security!
Is having an information security management system equal to actual security? Nope! Having an information security management system is not an indication of the quality of security controls. Management systems are an easier way of administering security in a standard and systematic way, but they are not necessarily an indication of security control effectiveness. As an example, ISO… Continue reading ISMS is Not equal to Real Security!
Simple Sign of Security Program Has Already Been Failed
The simple sign is your trust and confidence: Do you have faith in your security program? For a moment, be honest and ask yourself: am I confident in my company’s security program? Do I have faith in our security team? Do they really know what they are doing? Is my information security officer worth the pay… Continue reading Simple Sign of Security Program Has Already Been Failed