Security Ops Playbook: From Security Audits to Zero-Trust Architecture

Security Ops Playbook: Audits, Vulnerabilities, Compliance & Zero-Trust

Quick summary: To build a resilient security posture, schedule continuous security audits, implement vulnerability management with risk-based prioritization, map controls to GDPR, SOC 2 Type II and ISO 27001, automate incident response, run OWASP Top‑10 code scans in CI, and migrate to a zero‑trust architecture built on identity-first controls.

Building a Continuous Security Audit and Vulnerability Management Program

Security audits are the foundation: they tell you what controls exist, what evidence maps to those controls, and where gaps create measurable risk. Start with a threat-informed asset inventory and a risk register that ties directly to business impact so audits produce actionable remediation, not just dense checklists. Link audit frequency to risk category—critical systems quarterly, lower-risk assets semi-annually—and automate evidence collection where possible.

Vulnerability management is continuous, not a quarterly project. Combine automated scanning (SAST, DAST, container image scans, dependency checks) with periodic authenticated scans and targeted penetration tests. Triage by exploitability, asset criticality, and compensating controls to prioritize remediation. Use a vulnerability management pipeline that integrates scan results into ticketing and patch workflows so fixes move from finding to production within defined SLAs.

Operational tips: schedule OWASP Top‑10 checks in your CI pipeline, separate discovery from validation to reduce noise, and enrich findings with threat intelligence and exploitability metadata. For practical tooling and configuration examples, see the project repository for automation patterns and scan templates (example link: security audits and vulnerability automation).

Compliance Roadmap: GDPR, SOC 2 Type II, and ISO 27001

Compliance is evidence collection applied to legal and contractual obligations; it’s not the same as security, but it forces discipline. For GDPR compliance, focus on data mapping, lawful basis for processing, data subject rights workflows, and breach notification timelines. Maintain a record of processing activities (RoPA) and demonstrate technical and organizational measures aligned to privacy-by-design.

SOC 2 Type II readiness emphasizes operational controls and sustained evidence over time. Run readiness assessments against the Trust Services Criteria, instrument logging, change management, access reviews, and incident response, and perform a gap analysis well before the audit window. A Type II audit examines effectiveness over a period—so automated evidence collection and audit trails are critical.

ISO 27001 compliance requires an implemented ISMS (Information Security Management System) and documented risk treatment plans. Map ISO controls to existing processes (and to SOC 2 if you need both) to avoid duplicated effort. The repository includes templated control matrices and control-mapping examples to accelerate ISO27001 compliance efforts (ISO27001 compliance resources).

Automated Incident Response and Threat Lifecycle Management

Incident response automation reduces mean time to detect (MTTD) and mean time to remediate (MTTR). Start with well-documented runbooks for high-priority events, instrument detection playbooks into your SIEM/SOAR, and automate containment actions that are safe and reversible—isolating an endpoint, revoking tokens, or rolling back a faulty deployment.

Triage pipelines should enrich alerts with context: asset owner, business impact, recent change events, and vulnerability exposures. Integrate vulnerability management so that an exploitable CVE on a high-value host will automatically escalate to incident treatment with a prescribed remediation path. This closed-loop approach prevents findings from languishing in spreadsheets.
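As an added illustration (not code from the page or from the repository it links), the following Python snippet implements the triage rule described above: each finding is scored from CVSS, asset criticality, internet exposure, exploitability and documented compensating controls, assigned a priority band with a remediation SLA, and routed to incident treatment when it is an exploitable CVE on a high-value host. The asset inventory, weights, SLA table, thresholds and findings are constructed for illustration, and the CVE identifiers are placeholders.

```python
"""Added example, not code from the page or the repository it links: a
risk-based triage step that scores vulnerability findings and decides
whether each one becomes a remediation ticket with an SLA or is escalated
to incident treatment. Asset inventory, weights, SLA table and findings
are constructed; the CVE ids are placeholders."""
from dataclasses import dataclass, field

# Constructed asset inventory: criticality 1 (low) .. 5 (business critical).
ASSETS = {
    "web-prod-01":    {"criticality": 5, "internet_facing": True},
    "build-agent-07": {"criticality": 3, "internet_facing": False},
    "lab-vm-02":      {"criticality": 1, "internet_facing": False},
}
# Remediation SLA in days per priority band (assumed policy values).
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}
# An exploitable CVE on an asset at or above this criticality goes to incident treatment.
ESCALATE_CRITICALITY = 4


@dataclass
class Finding:
    cve: str                  # placeholder id as reported by the scanner
    host: str
    cvss: float               # base score 0..10 as reported by the scanner
    exploit_known: bool       # threat-intel flag: public exploit or active exploitation
    compensating_controls: list = field(default_factory=list)


def risk_score(f: Finding) -> float:
    """CVSS adjusted by asset criticality, exposure, exploitability and controls."""
    asset = ASSETS[f.host]
    score = f.cvss
    score *= 1 + 0.25 * (asset["criticality"] - 1)      # x1.0 (crit 1) .. x2.0 (crit 5)
    if asset["internet_facing"]:
        score *= 1.2
    if f.exploit_known:
        score *= 1.5
    # Each documented compensating control (WAF rule, segmentation, ...) takes
    # 20% off the score, with a floor of 40% so controls never hide a finding.
    score *= max(0.4, 1 - 0.2 * len(f.compensating_controls))
    return round(score, 2)


def priority(score: float) -> str:
    """Map a risk score onto a priority band (assumed thresholds)."""
    if score >= 18:
        return "P1"
    if score >= 12:
        return "P2"
    if score >= 6:
        return "P3"
    return "P4"


def triage(f: Finding) -> dict:
    """Produce the ticket record: score, band, SLA and routing decision."""
    score = risk_score(f)
    band = priority(score)
    escalate = f.exploit_known and ASSETS[f.host]["criticality"] >= ESCALATE_CRITICALITY
    return {"cve": f.cve, "host": f.host, "score": score, "priority": band,
            "sla_days": SLA_DAYS[band], "route": "incident" if escalate else "ticket"}


def run_pipeline(findings) -> list:
    """Order the remediation queue by risk, highest first."""
    return sorted((triage(f) for f in findings), key=lambda t: t["score"], reverse=True)


# Constructed scan results (placeholder CVE ids).
SAMPLE = [
    Finding("CVE-0000-00001", "web-prod-01", 9.8, True),
    Finding("CVE-0000-00002", "build-agent-07", 7.5, False, ["network-isolated"]),
    Finding("CVE-0000-00003", "lab-vm-02", 9.8, True),
]

if __name__ == "__main__":
    for record in run_pipeline(SAMPLE):
        print(record)
```

The weights and bands are placeholders for your own policy; the point is that one function feeds both the ticketing queue (sorted by score, SLA attached) and the incident escalation, so a finding never sits unrouted, and the same critical CVE lands on a lab VM as a P2 ticket but on the internet-facing production host as a P1 incident.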

Measure your program with incident metrics (MTTD, MTTR, percent automated, false positive rate) and tabletop exercises. Keep humans in the loop for decisions that require nuance, but automate verifiable, deterministic actions. Example automation workflows and SOAR playbooks are available in the linked repo for reference (incident response automation playbooks).

Designing Zero‑Trust Architecture and Secure Development

Zero‑trust is a principle set, not a product: verify every access decision, apply least privilege, and continuously assess trust. Start with identity as the new perimeter—strong authentication, short-lived credentials, device posture checks, and policy-based access (ABAC/PBAC). Micro-segmentation reduces lateral movement and limits blast radius when a host is compromised.

Secure development requires integrating security gates into CI/CD: pre-commit dependency scanning, SAST in pull requests, DAST in staging, and runtime protection and monitoring in production. The OWASP Top‑10 should be a checklist at each phase, but aim for shift-left measures that prevent vulnerabilities before they reach production. Automate OWASP Top‑10 code scans during PR validation and block merges on critical findings.
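As an added example (not code from the page or its linked repository), this Python CI gate reads static-analysis output, blocks the merge on findings at or above the configured level, and keeps waived findings visible when a documented, time-boxed exception with a compensating control covers them. The scan output follows a minimal SARIF-like shape (runs, results, ruleId, level, locations) and is constructed for illustration, as are the rule ids, the exception register and the ticket reference.

```python
"""Added example, not code from the page or the repository it links: a CI
merge gate over static-analysis results. Blocks the pull request on
findings at or above a severity level unless a documented, time-boxed
exception covers the exact rule and path. Scan output, rule ids and the
exception register are constructed; the input is a minimal SARIF-like
shape and only the fields read below are assumed."""
import json
import sys
from datetime import date

# Constructed scanner output (minimal SARIF-like shape).
SCAN_OUTPUT = json.dumps({
    "runs": [{"results": [
        {"ruleId": "app.sqli.raw-query", "level": "error",
         "message": {"text": "SQL built by string concatenation (OWASP A03 Injection)"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "legacy/reports.py"}}}]},
        {"ruleId": "app.xss.unescaped-output", "level": "error",
         "message": {"text": "template renders untrusted value unescaped (OWASP A03 Injection)"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"}}}]},
        {"ruleId": "app.crypto.weak-hash", "level": "warning",
         "message": {"text": "MD5 used for password storage (OWASP A02 Cryptographic Failures)"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}}}]},
    ]}]
})

# Constructed exception register: exact rule and path, expiry date, and the
# compensating control on record (the ticket id is a placeholder).
EXCEPTIONS = [
    {"rule": "app.sqli.raw-query", "path": "legacy/reports.py", "expires": "2030-06-30",
     "control": "input is an allow-listed report name; rewrite tracked in TICKET-PLACEHOLDER"},
]
LEVEL_RANK = {"note": 1, "warning": 2, "error": 3}


def load_findings(sarif_text: str) -> list:
    """Flatten the scanner document into one record per result."""
    findings = []
    for run in json.loads(sarif_text)["runs"]:
        for r in run["results"]:
            uri = r["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            findings.append({"rule": r["ruleId"], "level": r["level"], "path": uri,
                             "message": r["message"]["text"]})
    return findings


def exception_for(finding: dict, today: date):
    """Return the matching, unexpired exception, or None."""
    for ex in EXCEPTIONS:
        if (ex["rule"] == finding["rule"] and ex["path"] == finding["path"]
                and date.fromisoformat(ex["expires"]) >= today):
            return ex
    return None


def gate(findings: list, block_at: str = "error", today=None) -> dict:
    """Decide whether the merge is blocked; waived findings stay in the report."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    blocking, waived, below = [], [], []
    for f in findings:
        if LEVEL_RANK[f["level"]] < LEVEL_RANK[block_at]:
            below.append(f)
            continue
        ex = exception_for(f, today)
        (waived if ex else blocking).append(dict(f, exception=ex))
    return {"block": bool(blocking), "blocking": blocking, "waived": waived,
            "below_threshold": below}


if __name__ == "__main__":
    result = gate(load_findings(SCAN_OUTPUT))
    for f in result["blocking"]:
        print(f"BLOCK  {f['rule']} {f['path']}: {f['message']}")
    for f in result["waived"]:
        print(f"WAIVED {f['rule']} {f['path']} until {f['exception']['expires']}")
    sys.exit(1 if result["block"] else 0)   # non-zero exit fails the PR check
```

Two details carry the weight here: an exception is matched on rule and path together, so a waiver for one legacy file never silences the same rule elsewhere, and it expires, so the compensating control has to be revisited rather than becoming permanent.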

Architecturally, plan for telemetry and observability to validate policy enforcement. Use contract-based security testing, supply-chain attestation, and continuous verification to ensure the architecture remains zero‑trust in practice. For practical zero‑trust design references and example IaC patterns, consult the linked workspace (zero-trust architecture design).

Operationalizing & Measuring Success

Operational maturity is measurable. Adopt a security maturity model (e.g., initial, repeatable, defined, managed, optimizing) and map process KPIs to each level. Example KPIs: time-to-patch for critical CVEs, percent of high‑risk findings remediated within SLA, incident dwell time, and audit pass rates. Dashboards should show trend lines—compliance snapshots are useful, but improvement velocity matters more.

Integrate tools: CMDB/asset inventory, vulnerability scanner, SIEM, SOAR, IAM, and ticketing. The integration layer matters—API-driven automation turns reports into action. Establish SLAs for remediation owners and enforce exception policies with documented compensating controls to support audits without blocking operations.

Finally, governance ties everything together: executive dashboards, risk council reviews, and documented policies that map to regulatory requirements. Use the semantic mapping in your ISMS so that evidence collected for ISO27001 can also satisfy SOC 2 and GDPR obligations where they overlap—this reduces audit fatigue and speeds compliance cycles.

Practical checklist (snippet for quick use):

  • Inventory & classify assets → schedule audits and scans
  • Shift-left SAST/DAST + OWASP Top‑10 checks in CI
  • Automate evidence collection for audits (GDPR / SOC 2 / ISO27001)
  • Implement SOAR runbooks for incident automation
  • Adopt identity-first zero-trust controls and micro-segmentation

Tools, Patterns, and Links

Tooling choices depend on scale and budget, but patterns are consistent: run continuous scanning, enrich with context, automate ticket creation, and escalate based on risk. Open-source tools and commercial solutions can coexist—what matters is integration and SLAs.

Common patterns include CI-integrated static analysis, scheduled authenticated dynamic scans, container image scanning in registries, and runtime EDR/NDR (endpoint and network detection and response) for production visibility. Keep a lightweight source of truth for assets to avoid blind spots, and use automation to reconcile discrepancies.

For hands-on examples, automated playbooks, and configuration templates, see the linked repository covering many of the above patterns: practical security ops playbook and examples.

Selected recommended integrations:

  • CI/CD: integrate SAST and dependency scanning
  • Vulnerability management: ticketing + remediation SLAs
  • SOAR: automate containment for high-confidence detections

FAQ

Q1: How often should security audits and vulnerability scans be run?

A: Frequency depends on asset criticality. High-value or internet-facing systems: continuous automated scans and quarterly authenticated scans plus annual pen-tests. Lower-risk internal systems: scheduled scans monthly or quarterly. Always complement scans with confirmation/validation steps to reduce false positives.

Q2: What’s the difference between SOC 2 Type II and ISO 27001?

A: SOC 2 Type II evaluates operational effectiveness of controls over a time period against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). ISO 27001 is an international standard for an ISMS with required risk assessments and continuous improvement (PDCA cycle). They overlap—control mapping reduces duplicate work.

Q3: How can we safely automate incident response without risking accidental outages?

A: Automate deterministic, easily reversible actions first (e.g., token revocation, user lockout, network isolation of an endpoint). Use safety gates: require human approval for high-impact actions, apply canary executions, and maintain detailed audit logs. Test automation in staging and runbooks in tabletop exercises before production deployment.
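The safety gates in that answer, as an added example in Python (not code from the page or from any SOAR product): an action catalog records whether each containment step is reversible and deterministic and how many targets it may touch unattended; the decision function returns auto, approval or manual; and execution runs on one canary target first, halts on failure, and writes every step to an audit log. The action catalog, thresholds, alert and executor callback are all constructed.

```python
"""Added example, not code from the page or a vendor SOAR: a safety gate
deciding which containment actions a playbook may run unattended, with a
canary execution and an audit log. Action catalog, thresholds, alerts and
the executor callback are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


@dataclass(frozen=True)
class Action:
    name: str
    reversible: bool        # a known undo action exists
    deterministic: bool     # same inputs give the same effect; no analyst judgement needed
    undo: str               # compensating action name ("" when there is none)
    auto_limit: int         # max targets the action may touch without approval


# Constructed action catalog; the limits are assumed policy values.
ACTIONS = {
    "revoke_tokens":    Action("revoke_tokens", True, True, "reissue_tokens", 50),
    "isolate_endpoint": Action("isolate_endpoint", True, True, "release_endpoint", 5),
    "disable_user":     Action("disable_user", True, True, "enable_user", 10),
    "block_ip_range":   Action("block_ip_range", True, True, "unblock_ip_range", 1),
    "wipe_endpoint":    Action("wipe_endpoint", False, True, "", 0),
}
AUTO_CONFIDENCE = 0.9   # assumed detection-confidence floor for unattended execution


def decide(alert: dict, action_name: str) -> dict:
    """Return mode 'auto', 'approval' or 'manual' for this action on this alert."""
    a = ACTIONS[action_name]
    n = len(alert["targets"])
    if not (a.reversible and a.deterministic):
        mode, why = "manual", "irreversible or judgement-dependent action"
    elif alert["confidence"] < AUTO_CONFIDENCE:
        mode, why = "approval", f"confidence {alert['confidence']:.2f} below {AUTO_CONFIDENCE}"
    elif n > a.auto_limit:
        mode, why = "approval", f"{n} targets exceeds unattended limit of {a.auto_limit}"
    else:
        mode, why = "auto", "reversible, deterministic, high confidence, within target limit"
    return {"alert": alert["id"], "action": a.name, "mode": mode, "reason": why, "undo": a.undo}


def run(alert: dict, action_name: str, executor: Callable[[str, str], bool]) -> list:
    """Apply the action to one canary target first; stop and record if it fails."""
    log = []

    def stamp(**fields):
        log.append({"ts": datetime.now(timezone.utc).isoformat(), **fields})

    decision = decide(alert, action_name)
    stamp(event="decision", **decision)
    if decision["mode"] != "auto":
        return log                      # hand off to an analyst; nothing executed
    canary, rest = alert["targets"][0], alert["targets"][1:]
    if not executor(action_name, canary):
        stamp(event="canary_failed", target=canary, next="halt and page on-call")
        return log
    stamp(event="executed", target=canary, canary=True)
    for target in rest:
        stamp(event="executed", target=target, ok=executor(action_name, target))
    return log


if __name__ == "__main__":
    # Constructed alert; the executor stands in for the SOAR's connector.
    alert = {"id": "ALERT-PLACEHOLDER-1", "confidence": 0.97,
             "targets": ["host-a", "host-b", "host-c"]}
    for entry in run(alert, "isolate_endpoint", lambda action, target: True):
        print(entry)
```

The catalog is what makes the gate auditable: a wipe is never eligible for unattended execution because it has no undo, a block on an IP range needs approval as soon as it would touch more than one target, and the decision record names the compensating action so the rollback path is known before anything runs.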



Semantic Core (clustered keywords)

Primary queries (core):

  - security audits
  - vulnerability management
  - GDPR compliance
  - SOC 2 Type II readiness
  - ISO27001 compliance
  - incident response automation
  - OWASP Top-10 code scan
  - zero-trust architecture design

Secondary queries (intent-based, medium/high frequency):

  - vulnerability scanning tools
  - penetration testing checklist
  - SOC2 readiness checklist
  - ISO 27001 ISMS implementation
  - automated incident response playbook
  - SAST and DAST integration
  - CI/CD security gates
  - micro-segmentation best practices

Clarifying / LSI phrases (synonyms, related formulations):

  - security posture assessment
  - risk assessment and treatment plan
  - control mapping and evidence collection
  - exploitability prioritization
  - threat-informed vulnerability management
  - least privilege and identity-first security
  - supply chain security and SBOM
  - continuous compliance monitoring

Our Best Reviews

More Than Function

December 15th, 2021

We know we are a new brand, making its way among thousands of multinational corporate brands.

We also know that many brands’ good reviews are often made up. We could put beautiful quotes on our homepage saying we are great. But we are not like that.

Instead, we prefer to tell a story that happened last year.

In the Summer of 2020, we received an email from Romania. The lady who sent it was looking for a statement desk for her home office, and, apparently, a friend told her she should check out our brand.

She fell in love with our Roots Home Desk Back in Black Edition.

After some initial agreements and order confirmation, we started refurbishing the desk to send it to Romania as soon as possible. It was an in-stock piece, and we always do that with these pieces because they have to be sent as good as new. But something went wrong and, a few days before delivery, João Faria decided it was not as good as he wanted and did not allow it to be sent.

We could have made up a lot of excuses for the delay and put the blame on lots of different things, such as COVID and so on. Instead, we did what we would want for ourselves if we were the client: we refunded the initial payment without asking the client first. Then we explained the whole situation in detail and gave her new lead times, the lead time we knew the piece needed. But, with the refund, we took the risk of the client making another buying decision or, worse, choosing a different brand.

We were devastated, mainly because we hate to fail.

Buying an Emotional Object has to be a joyful experience, not an additional problem in people's lives.

Then, João took the matter into his own hands and made the refurbishment himself. If the client still wanted it in the end, great! If not… a sale was lost, but life goes on.

Fast-forwarding the story, the sale was finally made. The desk was sent to Romania, but, in our minds, we were not 100% happy because we took more time than we had said at first, and the client had to wait much longer than she should have. It was far from good.

Our biggest and greatest surprise was the client’s email a few days later. She said she loved the desk and that this had been the best shopping experience ever.

She made our day!

These are our best reviews.

The private ones. The ones that arrive by email and turn into great stories.

Thank you, Eugenia O.

If you read this, you know it’s our story together. 😉

Why is our butter dish called Iris?

More Than Function

May 19th, 2021

Many years ago, and for many decades, a restaurant in Vila Nova de Famalicão (Portugal) located at a service station was a gastronomic reference for travel guides.

It was a mandatory stop for fuel and, of course, for lunch or dinner. That restaurant was called Íris and, unfortunately, closed a few years ago, leaving many with broken hearts.

Among its amenities, such as the silver cutlery, was the butter, also served in small silver cylinders with holes in the top.

When the restaurant closed, we desperately tried to buy one of these butter dishes as a souvenir. But it was impossible. When it was finally dismantled, they had all disappeared… Nobody knew where they were…

A few years later, still missing the restaurant and the butter cylinders, João Faria decided to reproduce them for himself. He spoke to a goldsmith and had the first prototype made of what would become Iris. However, the piece did not look as he wanted, and, disappointed, he kept it in a kitchen drawer for several years.

In 2014, he decided to present the butter dish in a design contest promoted by the Serralves Museum in Porto – POPs Objects. In the previous year, the Bluetooth speakers OLD FRIEND were finalists, and João wanted to repeat the excellent experience.

The piece was redesigned for its current clean shape and size. Instead of silver, polished stainless steel 316 (suitable for food use) was the chosen material.

One of the requirements of the POPs contest was to name the pieces. That was an easy task because the name came naturally – Iris – in honor of the cherished restaurant, with its cylinder-shaped silver jars of butter.

At the contest, Iris was selected for the final. On the day of its presentation to the jury, an early summer afternoon, the butter proved to be such a challenge that it deserves a story of its own.

The presentation went well, but nothing made us think we were going to win. On the contrary, we were about to leave the awards ceremony early. We only stayed because some staff members convinced us to wait a few more minutes.

Tired and thinking about the next day's professional commitments (João Faria was a teacher back then), we were bored at the back of the room. Then, surprisingly, our butter dish was announced as the winner of first prize in the 2014 Decorative Objects category. We became almost hysterical! A first prize has an extraordinary and unrepeatable flavor.

After this victory, poor Iris went back to the kitchen drawer for a few more months, until the beginning of 2015, when João decided to enter her in a competition again, this time for an international design award. And, once again, Iris won gold!

This second victory gave the much-needed push for the formal start of Emotional Objects as a commercial brand: trademark registration, logo, website, catalogs, etc. Everything that hadn't been done before, because until then it was only for fun.

For this reason, we often say that, although small, Iris was responsible for the birth of Emotional Objects. Without her, we might not be here.

João Faria, Artist or Maker?

More Than Function

October 5th, 2020

Sometimes people ask whether João Faria, the mastermind and co-founder of Emotional Objects, is an "artist" or a "maker." He is both and likes being both.

His work is an inspiring process where every Emotional Object has a meaningful story.

Starting each piece with a sketch, João finds inspiration in the most unusual things around him: a fabric, a boat or a car, or only a memory. After he has an idea and explores it in his mind, his team does an extensive search to find out whether the object is original. If not, he abandons it. João believes that good products are timeless and loves balanced and straightforward designs. Not all of them earn the honor of being called Emotional Objects. To be one, a piece must make a strong impression on people. Many ideas were left behind because they weren't bold enough or someone had thought of something similar before. But, if it is original, then the magic starts.

Sometimes influenced by a particular piece of music (João has an ear for spotting musical treasures before they become known), he puts on his headphones and listens to it loudly, absorbed as if nothing and no one else exists. Many objects or collections have their own music that plays over and over during the design process.

With the drawings finished, he moves his attention to the "Lab" (the nickname we gave his workplace) and tirelessly solves all the problems and technical issues needed to make the prototypes. It's not unusual to see him taking some time (sometimes years) to think about and mature the pieces he has in progress. Sometimes something has to happen before an old Emotional Object is solved; Iris took four years and Lazy Day even more, for example.

He uses mainly wood and metal (stainless steel, brass, and copper), but wood is in his blood. He prefers natural processes that are safer and allow the wood to mature beautifully over time. João always selects the veneers himself and finds profound beauty in their natural imperfections, full of character. Because of these variations, no two objects are precisely alike. Seeing his pieces come to life in his hands, in a dynamic interplay of forms and surfaces, is exciting. Many times he has to go back to the drawings to perfect the object. Making each prototype by hand himself, he works on one piece at a time to achieve a singular focus and great attention to detail.

Over the years, João has been developing and cultivating relationships with artisans and master craftsmen in his hometown, Vila Nova de Famalicão, near Porto, in Portugal. These are the ones he trusts to manufacture specific parts of his pieces. By empowering and collaborating with all of them, João brings new methods and materials to create unique, contemporary designs that celebrate ancient traditions. He constantly discovers, develops, learns, and fuses traditional with modern techniques, perfecting Emotional Objects' methods, sometimes by trial and error.

Made to last for generations, his work makes the distinction between functional and fine art hard to find. But, most importantly, he only makes pieces that he would want for himself.

The end is near…

More Than Function

January 24th, 2020

When our marketer and digital strategist told us that we had to have a blog, we said "no way!". We were not going to make a blog just to please Google SEO and things like that. There are thousands of blogs in that field – "The 10 best interior designers…"; "The 5 top sofas for your living room…"; "The trendiest colours to use in 2020…" – and we don't want to be another one!

However, after some thought, we realized that we have so much to tell people (things that don't fit the social media networks or the website's "normal rules") and the blog didn't look like such a bad idea after all. As someone said before, only fools don't change their minds… 😊

But we have to warn you that we are not going to "follow the trends"! This means we are not going to publish just because we have to, and we are not writing about interior design unless we have something meaningful to say about it. We might speak about something that inspires us; we might have a political opinion about an issue, or we might just publish a song we love.

That said, what better way to start than by telling you how Emotional Objects is going to end?

Yes, it's true, we already have our "death" scheduled. The only mystery is the date… we know how, we just don't know when.

Curious?

Every time we have an idea for a piece, we give it a number and explore it to its last consequences. Sometimes it's not feasible, but the idea is not forgotten; it just waits until technology catches up. That's the reason why we have 53 lines drawn on our computer and only 13 produced (we will come back to this later).

But a few years ago, we decided that Emotional Objects will end when we reach the 99th object. When that happens, we will publish a book, called "99th", obviously, with all the projects, produced or not.

People will still be able to buy Emotional Objects until the limited-edition series are finished, but no new objects will be made.

Why?

Because we can and because everything ends…