South Africa's mobile operators, coordinated through the Association of Comms & Technology (ACT), have agreed a framework to strengthen SIM card registration and combat SIM fraud. The framework introduces enhanced identity verification, tighter registration controls, improved compliance monitoring, and closer cooperation with law enforcement. It serves as an interim industry-led measure while ACT simultaneously pushes for legislative reform of Rica's section 40, which governs SIM registration. Key issues addressed include the bulk pre-registration of SIMs by distributors ('pre-Rica'd' cards) and packaging that exposes SIM identifying numbers. Proposed solutions include biometric authentication at registration points and secure SIM packaging. The Competition Commission was consulted to ensure the inter-operator coordination does not raise competition concerns.
Source: https://techcentral.co.za/telcos-agree-plan-to-tighten-sim-registration-under-rica/283073. 8sync News only summarizes and links to the source; copyright in the content belongs to the author and the original source.
Vercel Flags now authenticates automatically through short-lived OIDC tokens, with no SDK Keys or FLAGS environment variable required for deployments on Vercel. For local development, `vercel link` and `vercel env pull` are enough, while older projects keep the SDK Keys requirement for special cases.
Developers should read this to understand how to streamline feature-flag management in current Vercel projects, reduce the security risk of handling long-lived SDK Keys, and learn about the automated approach to authentication for development and deployment.
A security executive exempted themselves from MFA requirements they enforced on other employees, illustrating a classic 'one rule for workers, another for executives' double standard in corporate security policy. The story highlights how security leadership can undermine the very practices they mandate for others.
Unverified applications pose a significant but often overlooked credential theft risk for businesses. Attackers exploit fake authentication requests, embedded malware, excessive permissions, and session/token hijacking through apps that appear legitimate. Key prevention strategies include establishing formal application approval processes, implementing MFA and role-based access controls, adopting a Zero Trust model, restricting third-party app permissions, monitoring authentication activity continuously, and educating employees about shadow IT risks. An incident response plan covering rapid credential revocation, access investigation, and post-incident improvement rounds out a comprehensive defense posture.
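The summary above lists the controls but not what "monitor authentication activity" and "restrict third-party app permissions" look like in practice. The following added example (not code from the original article) scores OAuth consent grants against an approved-app list and a set of high-risk scopes, then maps each finding to the response step the article recommends. The app IDs, scope list and log records are constructed for the example; the JSON-lines shape is an assumption, not any vendor's audit-log format.

```python
import json

# Constructed allow-list of vetted apps, keyed by OAuth client ID (IDs are made up).
APPROVED_APPS = {
    "app-0001-ticketing": "Ticketing connector, approved by IT 2025-03",
    "app-0002-calendar": "Team calendar, approved by IT 2025-01",
}

# Scopes that let an app act on the user's behalf or keep access after sign-out.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": "read and modify the mailbox",
    "Mail.Send": "send mail as the user",
    "Files.ReadWrite.All": "read and modify all files the user can reach",
    "Directory.ReadWrite.All": "modify directory objects",
    "offline_access": "refresh token, so access outlives the session",
}

# Constructed consent events in a JSON-lines shape (not real audit-log output).
CONSENT_LOG = """
{"time":"2025-05-01T09:12:00Z","user":"alice@example.com","app_id":"app-0001-ticketing","app_name":"Ticketing connector","scopes":["User.Read","offline_access"]}
{"time":"2025-05-01T09:40:00Z","user":"bob@example.com","app_id":"app-9931-unknown","app_name":"PDF Converter Pro","scopes":["User.Read","Mail.ReadWrite","Mail.Send","offline_access"]}
{"time":"2025-05-01T10:05:00Z","user":"carol@example.com","app_id":"app-7720-unknown","app_name":"Team Calendar (copy)","scopes":["User.Read","Calendars.Read"]}
""".strip()

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def assess_grant(event: dict) -> dict:
    """Score one consent grant: an unapproved app asking for high-risk scopes is the credential-theft pattern."""
    approved = event["app_id"] in APPROVED_APPS
    risky = [s for s in event["scopes"] if s in HIGH_RISK_SCOPES]
    reasons = []
    if not approved:
        reasons.append("app is not on the approved list")
    reasons += [f"high-risk scope {s}: {HIGH_RISK_SCOPES[s]}" for s in risky]
    if not approved and risky:
        severity = "high"
        action = "revoke the grant and its refresh tokens, reset the user's sessions, review mailbox rules"
    elif not approved:
        severity = "medium"
        action = "block until the app passes the approval process"
    elif risky:
        severity = "low"
        action = "confirm the scopes match what was approved"
    else:
        severity = "info"
        action = "none"
    return {"time": event["time"], "user": event["user"], "app_name": event["app_name"],
            "app_id": event["app_id"], "severity": severity, "action": action, "reasons": reasons}


def triage(log_text: str) -> list:
    """Parse JSON-lines consent events and return findings, most severe first."""
    findings = [assess_grant(json.loads(line)) for line in log_text.splitlines() if line.strip()]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for finding in triage(CONSENT_LOG):
        print(finding["severity"].upper(), finding["user"], finding["app_name"], "->", finding["action"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The ordering matters for an on-call queue: the unapproved "PDF Converter Pro" asking for mailbox read, send and a refresh token is exactly the token-hijacking case the article describes, so it sorts first with the revocation step attached, while an approved app holding `offline_access` is only a check that the grant still matches what was approved.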
A practical guide to manually validating Auth0 JWT idTokens in PHP using the Auth0 PHP SDK. Covers setting up the Auth0 client, decoding the idToken, and extracting user claims like nickname and sub. Includes a note that cookieSecret must be set even when not using cookies, and that tokenType must be specified correctly. The author criticizes Auth0's documentation and shares the solution found by reading source code.
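The guide above leans on the Auth0 PHP SDK to do the validation; the checks the SDK performs are worth seeing spelled out, because skipping any one of them (algorithm pinning, audience, expiry, nonce) is how ID-token validation goes wrong. The following added example is not the article's PHP code or the Auth0 SDK; it is a stand-alone Python validator for the HS256 case, where a confidential client's ID tokens are signed with its client secret. Auth0 tenants default to RS256, where the signature step instead verifies against the tenant's JWKS, but the claim checks are identical. The secret, issuer, client ID and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this example: a confidential client whose ID tokens are
# HS256-signed with the client secret. Real tenants default to RS256, where the
# signature check uses the tenant's JWKS; everything after the signature check is the same.
CLIENT_SECRET = b"example-client-secret-not-a-real-one"
ISSUER = "https://example-tenant.example.auth0.com/"
CLIENT_ID = "example-client-id"


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(claims: dict, secret: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Mint a test token; alg='none' yields an unsigned token for the negative test."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, *, secret: bytes = CLIENT_SECRET, issuer: str = ISSUER,
                      client_id: str = CLIENT_ID, nonce=None, now=None, leeway: int = 60) -> dict:
    """Return the claims of a valid ID token; raise ValueError with the reason otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm before looking at the signature: this rejects alg=none and
    # stops an RS256 public key from being accepted as an HMAC secret.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp missing or mismatched for multi-audience token")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise ValueError("token expired or exp missing")
    if not isinstance(claims.get("iat"), int):
        raise ValueError("iat missing")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("sub missing")
    return claims


def validation_error(token: str, **kwargs):
    """None if the token validates, otherwise the reason string (useful for tests and logs)."""
    try:
        validate_id_token(token, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = int(time.time())
    tok = make_id_token({"iss": ISSUER, "sub": "auth0|123", "aud": CLIENT_ID, "iat": now,
                         "exp": now + 3600, "nonce": "n1", "nickname": "alice"})
    claims = validate_id_token(tok, nonce="n1")
    print(claims["nickname"], claims["sub"])
```

Two details carry most of the security weight: the algorithm is checked against a fixed expectation before the signature is touched, and the signature is compared with `hmac.compare_digest`. The nonce check is what ties the token to the login request that asked for it, which is why a server that only decodes the payload to read `nickname` and `sub` has not actually validated anything.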
A principal specialist at a pipeline operator shares a practical 90-day plan for applying zero trust principles to Operational Technology (OT) environments. The plan acknowledges that NIST SP 800-207 was designed for IT networks, not 24/7 industrial systems, and focuses on three phases: mapping assets and identities at the IT/OT boundary (days 1-30), containing vendor remote access with quick wins like MFA and brokered connections (days 31-60), and building a maturity scorecard aligned with TSA, NERC CIP-013, and CISA requirements (days 61-90). The approach emphasizes framing zero trust as a functional principle rather than an abstract architecture, focusing on IT/OT convergence points like jump hosts and remote access paths, and tying actions to existing regulatory requirements.
npm is rolling out a preventive security feature for high-impact accounts, meaning those maintaining the registry's most widely used packages. When a sensitive account change is detected (an email change or use of a 2FA recovery code), the account enters a 72-hour read-only state and a notification is sent to the previous email address. During this period, package installs and browsing remain available, but publishing, token management, and org/team changes are paused. The safeguard lifts automatically after 72 hours with no action required. This directly addresses a supply chain attack pattern in which a compromised account has its email changed, new tokens generated, and malicious package versions published before the legitimate maintainer notices.

Identity Security Posture Management (ISPM) continuously assesses and hardens Microsoft 365 identity environments by evaluating configurations, permissions, and policies against a security baseline. Unlike one-time audits or visibility-only tools, ISPM addresses 'drift' — the gradual degradation of security posture as users, roles, and Microsoft defaults change over time. Huntress data shows over 60% of evaluated tenants were missing more than half of recommended controls, and 55% allowed standard users to perform admin-level functions. Key risks include weak MFA, overprivileged accounts, and stale permissions that enable account takeover and BEC attacks. Microsoft data shows attackers can move laterally within 48 minutes of initial intrusion, making daily scan cycles insufficient. Huntress Managed ISPM addresses this by deploying and enforcing controls continuously, detecting drift within minutes of a change, and offering a Learning Mode to preview user impact before policy rollout.
A new team member at Okta, now serving as AI Builder Advocate, shares her journey from backend developer to developer relations. She has a solid technical background in Java, Spring Boot, Quarkus, Kubernetes and Docker, is active in the community as a MongoDB Champion, and is especially interested in identity, security and AI at Okta.
People with a technical background such as backend development who want to move toward community or developer-relations work should look at how to connect technical knowledge with an effective community strategy, in order to broaden their influence and contribute real value to the developer community.