<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Security Champions Guide to Web Application Security</title><description>2015-11-18 05:10:28 - 1 Raindrop : I have a new eBook available at Akamai; it's called Security Champions Guide to Web Application Security. Why Security Champion? Well, AppSec is an area that often falls betwixt and between different groups; it blurs traditional lines. Basically it comes down to who cares enough to dig and try to solve the company's WebApp security problems; they may come from the Dev team or Security team or Network team or any number of places. There is usually not a roll call </description><link>http://www.secuobs.com/revue/news/590364.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/590364.shtml</guid></item>
<item><title>Security &gt; 140 Conversation with Pamela Dingle on Identity</title><description>Secuobs.com : 2015-11-11 22:05:35 - 1 Raindrop - For this Security &gt; 140, I discuss identity with Pam Dingle (@pamelarosiedee). Pam is Principal Technical Architect at Ping Identity, a veteran of building, innovating and riding the many waves of the identity ecosystem. We discuss an appropriately wide range of topics, from how developers should approach identity to unempowered frogs. Gunnar Peterson: Consultants always talk about people, process and technology. However, there is an old consulting truism - it's never a process problem, it's never a tech problem. It's </description><link>http://www.secuobs.com/revue/news/589815.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589815.shtml</guid></item>
<item><title>6 Things I Learned from Robert Garigue</title><description>Secuobs.com : 2015-11-03 22:07:09 - 1 Raindrop - Robert Garigue was the CISO of Bell Canada and Bank of Montreal. I only met him and heard him speak once, and that was over a decade ago, but I learned a tremendous amount from him. Garigue's insights continue to resonate, and it's an impressive accomplishment, because back then Infosec simply did not have the traction that it does today, yet he could see where things were moving and better still had great ideas on how to organize security practices </description><link>http://www.secuobs.com/revue/news/588970.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/588970.shtml</guid></item>
<item><title>The Curious Case of API Security</title><description>Secuobs.com : 2015-10-25 18:56:39 - 1 Raindrop - Join Mark O'Neill and me for a webinar this Tuesday. We have two actually, on EMEA and North American time. Register here. The webinar goes through the topics in my forthcoming whitepaper The Curious Case of API Security. In this project we channel the spirit of Father Brown, Hercule Poirot, and Sherlock Holmes. We approach the top security issues in APIs the same way a detective would. Our basic process is as follows: Understand the context in which our APIs </description><link>http://www.secuobs.com/revue/news/587897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/587897.shtml</guid></item>
<item><title>Security Capability Engineering</title><description>Secuobs.com : 2015-10-20 15:04:50 - 1 Raindrop - One of the areas security can improve in view is to be less audit-centric (I am just going through the motions because auditors told me to do this and someone else is paying) and instead be more architecture centric. Architecture means understanding tradeoffs and making choices on what to build. Because of the infosec industry's audit-heavy past, we have a lot of laundry lists of things to do. That's how auditors operate. Note, I am not against audit as </description><link>http://www.secuobs.com/revue/news/587357.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/587357.shtml</guid></item>
<item><title>Ought implies can</title><description>Secuobs.com : 2015-10-07 21:44:38 - 1 Raindrop - Information security is a field filled with concepts that are easy to say and very hard to do. I have never read your security policy, but I bet that it contains the principle of least privilege. Conceptually, it's pretty hard to argue with the principle of least privilege. After all, why would you ever provision a user or a function with more privileges than it needs? But while it's easy to say, the only logical next question for an engineer </description><link>http://www.secuobs.com/revue/news/586004.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/586004.shtml</guid></item>
<item><title>Security &gt; 140 Chat with T.Rob Wyatt on MQ and Middleware Security</title><description>Secuobs.com : 2015-10-05 15:58:44 - 1 Raindrop - Some security topics require more than a tweet; to that end, today on Security &gt; 140 we talk with T.Rob Wyatt (@tdotrob), who is an independent consultant specializing in security of the IBM MQ Messaging family of products. He enjoys being a father and grandfather now and then. In his spare time he does pretty much exactly the same things he does on the job, which is a windfall for his clients but somewhat distressing for his family, who </description><link>http://www.secuobs.com/revue/news/585696.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/585696.shtml</guid></item>
<item><title>Privilege User Management Bubble</title><description>Secuobs.com : 2015-10-02 19:32:49 - 1 Raindrop - About five years back I might get one question every month or two on tracking privileged users. Nowadays, it's more like one or two every week. I imagine that ten years ago or so the whole product space was about five guys in a garage in Israel. Why the change in uptake and urgency? This is not a new problem; it's been a large scale problem for at least two decades. Why is it now top of the agenda? I </description><link>http://www.secuobs.com/revue/news/585519.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/585519.shtml</guid></item>
<item><title>The part where security products solve the problem</title><description>Secuobs.com : 2015-09-16 14:39:00 - 1 Raindrop - There is a burgeoning issue, a fatal flaw, in Infosec processes that has the potential to result in increased downside risk to companies, and that issue is found at the intersection of assumptions and security products. Robin Roberts, former head of R&amp;D at NSA, said "the problem is you are dealing with systems that have all sorts of assumptions built in, but you cannot query the system about its assumptions, it does not know what they are." Andy Steingruebl </description><link>http://www.secuobs.com/revue/news/583696.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/583696.shtml</guid></item>
<item><title>Four Often Overlooked Factors to Give Your Security Team a Fighting Chance</title><description>Secuobs.com : 2015-08-18 16:32:11 - 1 Raindrop - Information Security is not a proposition where you come in on a Monday morning brimming with confidence that you have or will solve all the problems at hand. It's true that Infosec has a lot more visibility up and down the enterprise and we win a lot more arguments than we did in the past, even though 2015 feels like the year the security dog caught the car (my friend Carlos says that we did not so much catch the </description><link>http://www.secuobs.com/revue/news/580572.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/580572.shtml</guid></item>
<item><title>DMZ and Headless Chickens</title><description>Secuobs.com : 2015-07-06 16:00:34 - 1 Raindrop - I know a few folks who are into this little microtrend of having chickens and chicken coops. They all have a similar story. Things were going fine, then one day a fox/weasel/raccoon found its way through the coop protection and they woke up to a coop full of headless chickens. John Lambert says: "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." I am a big fan of checklists as a way </description><link>http://www.secuobs.com/revue/news/576284.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/576284.shtml</guid></item>
<item><title>Decision tree for calculating breach cost</title><description>Secuobs.com : 2015-06-12 02:01:00 - 1 Raindrop - Professor Sanjay Bakshi published the below list in response to the Maggi issue that Nestle is dealing with in India. We can use the same decision tree to figure out impact from breaches or other security events. 1. Will the size of the addressable market be larger or smaller than its size just before the breach? 2. Will the company's market share be larger or smaller than her market share before she landed in a jam? 3. Would the company </description><link>http://www.secuobs.com/revue/news/573783.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573783.shtml</guid></item>
<item><title>Water in the Fuel Battling OWASPs' Nest</title><description>Secuobs.com : 2015-05-27 17:07:44 - 1 Raindrop - Belgium has contributed a lot to the infosec world, for example Rijndael and a great conference - SecAppDev. Plus Hercule Poirot. It's commonplace now for people to say they want to "build security in", but it's worth noting that saying build security in is a lot easier than actually doing it. All sorts of questions come into it: what kind of security capabilities do you want to build? Where? What about legacy migration? What quality of protection to shoot for? Should </description><link>http://www.secuobs.com/revue/news/572116.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/572116.shtml</guid></item>
<item><title>How to interview prospective employers</title><description>Secuobs.com : 2015-04-28 20:16:00 - 1 Raindrop - These days, security people have a lot of opportunity. Between a recovering economy, ongoing high profile security issues, budgets and executive attention - more than ever before security people have options. You spend a lot of time at work, more than almost anything else, so it pays to be choosy on how you spend your time. Here are some thoughts on how to identify where and how you may be challenged and rewarded. First off, do not just look at the </description><link>http://www.secuobs.com/revue/news/569067.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/569067.shtml</guid></item>
<item><title>Reverse Engineering Incentives</title><description>Secuobs.com : 2015-03-25 17:25:21 - 1 Raindrop - "Never, ever, think about something else when you should be thinking about the power of incentives" - Charlie Munger. In 1980, Wal-Mart implemented a shrink incentive program. If the store holds shrinkage (theft) below a certain level, the difference in the amount is reflected in the associates' pay. They reported that their shrinkage level after implementing the program was half their competitors'. Sam Walton also mentioned the associates felt better about each other, because no one enjoys stealing, even those </description><link>http://www.secuobs.com/revue/news/564793.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/564793.shtml</guid></item>
<item><title>Sunday in the Park with George the Auditor</title><description>Secuobs.com : 2015-03-23 18:22:42 - 1 Raindrop - Have a look at this painting by George Seurat. It's a beautiful scene, no? While the painting looks like an organic whole, it's actually a great example of pointillism - a technique that relies on the ability of the eye and mind of the viewer to blend the color spots into a fuller range of tones. If you zoom in on a pointillist painting, you can identify how the contrast delivers a synthesis in the painting. At this point, you might ask </description><link>http://www.secuobs.com/revue/news/564523.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/564523.shtml</guid></item>
<item><title>Top 10 API Security Considerations</title><description>Secuobs.com : 2015-03-18 16:35:51 - 1 Raindrop - Just released over at Axway, my new paper "Top 10 API Security Considerations". Mark O'Neill and I did a webinar on this together, and now the paper is available (free reg required). I see a lot of people rolling out APIs without a ton of thought given to the security fundamentals. This paper is designed to help you build a model that works to protect your APIs. Here is a summary of the issues, top 10 for API Security, you </description><link>http://www.secuobs.com/revue/news/563937.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563937.shtml</guid></item>
<item><title>Analysis on data breaches and stock prices</title><description>Secuobs.com : 2015-03-18 15:55:28 - 1 Raindrop - Here is an interview with me on how stock prices perform post breach and what, if anything, we can glean from this. And here is my post on the same topic at Securosis with some more analysis.</description><link>http://www.secuobs.com/revue/news/563929.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563929.shtml</guid></item>
<item><title>Does Progress Come From Security Products or Process?</title><description>Secuobs.com : 2015-03-16 15:23:38 - 1 Raindrop - How many times have you heard "Security is a process"? Say it often enough and it produces a certain Zen-like calm. But what does it mean, is it likely to happen or even achievable? I have often wondered at the tremendous number of "silver bullet" efforts in the security industry. The first time I saw the trade show floor at RSA I was powerfully moved, and not in a good way, by the sheer number of people questing for the </description><link>http://www.secuobs.com/revue/news/563588.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563588.shtml</guid></item>
<item><title>Boundaries</title><description>Secuobs.com : 2015-02-27 02:16:36 - 1 Raindrop - From Christopher Alexander's Nature of Order: "The purpose of the boundary which surrounds a center is two-fold. First, it focuses attention on the center and thus helps to produce the center. It does this by forming the field of force which creates and intensifies the center which is bounded. Second, it unites the center which is being bounded with the world beyond the boundary. For this to happen, the boundary must at the same time be distinct from the center </description><link>http://www.secuobs.com/revue/news/561389.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/561389.shtml</guid></item>
<item><title>Dual Mode Authorization</title><description>Secuobs.com : 2015-02-11 05:37:10 - 1 Raindrop - The paper and code for "Using the OWASP Top Ten to Upgrade your Authorization Services" that Srijith Nair and I wrote is available at Axiomatics. The exercise was a new and fun one to work on. Instead of extending access control models that make decisions based on user, privileges, permissions, and attributes to see what a user is allowed to do, we turned the model on its head and show how authorization services are in a great position in the </description><link>http://www.secuobs.com/revue/news/558974.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/558974.shtml</guid></item>
<item><title>The year the security dog caught the car</title><description>Secuobs.com : 2015-02-05 22:13:11 - 1 Raindrop - It's time for a change in infosec. If you have been in this business 5 or 10 years you have spent countless hours trying to get people to care about security. Now? Not so much. There was until recently a common passive-aggressive game called "My VP beats your VP" where security and developers and ops would meet on a project. The security team presents requirements, dev and ops nod. But there was not much intent to follow through, then when </description><link>http://www.secuobs.com/revue/news/558290.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/558290.shtml</guid></item>
<item><title>Find Improvements That Lie Clearly At Hand</title><description>Secuobs.com : 2015-02-03 19:06:52 - 1 Raindrop - There are not that many fields that have to deal in such abstract concepts as infosec. Software is abstract to begin with, and layer humans' difficulty with risk on top of that; information security has to climb two mountains. Believe it or not, Infosec people can learn some things from developers. For better and worse, Agile projects ship code. Developers have clearly embraced Thomas Carlyle: "Our main business is not to see what lies dimly at a distance, but to </description><link>http://www.secuobs.com/revue/news/557853.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/557853.shtml</guid></item>
<item><title>Implementing Attribute Based Access Control to Reduce Attack Surface</title><description>Secuobs.com : 2015-01-30 16:09:28 - 1 Raindrop - Srijith Nair and I have written a new paper - "Using the OWASP Top Ten to Upgrade your Authorization Services". The paper uses code examples to show how improving authorization can help mitigate some common vulnerabilities illustrated in WebGoat. The paper implements these techniques for JSON Injection, Forced Browsing, Parameter Tampering, and Access Control vulnerabilities. One of the factors that makes security so challenging is the dual mandate of delivering better access control and identity services, making these policies reflect </description><link>http://www.secuobs.com/revue/news/557298.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/557298.shtml</guid></item>
<item><title>Security Memories, Guesses and Apologies</title><description>Secuobs.com : 2015-01-20 16:16:21 - 1 Raindrop - When we think of computer security, we think the computer is "making" an access control decision like access granted or access denied. In reality, the computer is trying to make an access control decision. Hackers have known this, and this distinction has fundamental implications for your access control and security architecture. Pat Helland points out a fundamental disconnect in computing: "Computers always have partial knowledge for a couple of reasons. First, they will always be separated from the real world </description><link>http://www.secuobs.com/revue/news/555507.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/555507.shtml</guid></item>
<item><title>Jimmy Kimmel Live on Password Security</title><description>Secuobs.com : 2015-01-19 15:05:10 - 1 Raindrop - Bob Blakley reset the traditional authentication rubric Something You Have and Something You Know to a more real world view: something you lost and something you forgot. New entrant - Something You Have and Something You Tell Strangers with TV Cameras.</description><link>http://www.secuobs.com/revue/news/555342.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/555342.shtml</guid></item>
<item><title>Do you use SSL/TLS on internal comms?</title><description>Secuobs.com : 2014-11-14 01:17:00 - 1 Raindrop - Here is a recurring question - how often do you see SSL/TLS on "internal" communications? It's a relevant question; after all, "internal" systems house the most valuable data, identity protocols, authentication, management, and services. It's not the keys to the kingdom, it's the whole kingdom. Most websites and mobile apps have at least some of their external facing communications protected by TLS/SSL (and yes, there are lots of config problems there too, but leaving those aside for now). I asked </description><link>http://www.secuobs.com/revue/news/545423.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/545423.shtml</guid></item>
<item><title>Tom Magliozzi on Infosec</title><description>Secuobs.com : 2014-11-05 05:09:02 - 1 Raindrop - Very sad to hear of the passing of Tom Magliozzi. I think in a lot of ways, what we need to do in infosec is what Click and Clack the Tappet brothers did so well for so long on Car Talk: bring a light to a complicated set of issues where people did not know the details but did understand the importance of their car. They may not know what questions to ask the dealer or mechanic, but they understood the decision set, </description><link>http://www.secuobs.com/revue/news/543796.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/543796.shtml</guid></item>
<item><title>To Kill a Flaw</title><description>Secuobs.com : 2014-09-23 17:07:01 - 1 Raindrop - "To kill an error is as good a service as, and sometimes even better than, the establishing of a new truth or fact" - Charles Darwin. The IEEE Center for Secure Design recently published a set of design principles for Avoiding Security Flaws. The distinction between Bugs versus Flaws is a crucial one; the lion's share of attention in the industry goes to bugs, and perhaps this is appropriate, but we can really use a lot more clarity of thought in </description><link>http://www.secuobs.com/revue/news/536399.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/536399.shtml</guid></item>
<item><title>Top 10 Security Issues for REST APIs</title><description>Secuobs.com : 2014-09-17 23:59:53 - 1 Raindrop - Mark O'Neill and I are doing this webinar talk tomorrow and Monday. Monday will be at an AsiaPac friendly time. We will focus on: Ways to architect and design security for RESTful APIs; Develop patterns for Cloud and Mobile security; Understand and define the role of identity in your RESTful systems; Prepare to cope with malicious attacks. Many of the tools that we have come to rely on for AppSec do not work all that well out of the box </description><link>http://www.secuobs.com/revue/news/535402.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/535402.shtml</guid></item>
<item><title>Don't Give Kids iPads, Let Them Program</title><description>Secuobs.com : 2014-09-14 23:16:05 - 1 Raindrop - Started another season as an FLL coach. The mission theme this year is education. On a security note, one of the missions is geared around storing data in the Cloud, and the robot designers need to figure out a way to make an access key (harder than it looks because the robot is in motion and has to drive a fair distance to be able to insert the key; no word if brute force is allowable). The team did the </description><link>http://www.secuobs.com/revue/news/534847.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/534847.shtml</guid></item>
<item><title>Model - Approach - Controller</title><description>Secuobs.com : 2014-09-10 22:07:45 - 1 Raindrop - Security is a business where you must have a big picture view, because after all security is a system level property and attackers will look for weak links. And at the same time, we live in a mainly bottom up, project by project world. The role of architecture is central to mediate the gap, grasp the big picture and craft a plan to execute bottom up, project by project. Identity is an interesting domain. It absolutely gets some strategic due </description><link>http://www.secuobs.com/revue/news/534294.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/534294.shtml</guid></item>
<item><title>Infosec is a strange industry</title><description>Secuobs.com : 2014-08-29 00:55:58 - 1 Raindrop - Morgan Housel has a post up on why "Finance is a strange industry"; reading it, I felt that each and every point applies to infosec as well. "I can't think of another industry in which there is so much ignorance around costs." Security is complex and costly. Most of the solutions are sub optimal, fraught with tradeoffs, but you'd never know it judging by how companies lurch from silver bullet to silver bullet. Even for something as basic as building </description><link>http://www.secuobs.com/revue/news/532082.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532082.shtml</guid></item>
<item><title>96% decline in NYC car theft</title><description>Secuobs.com : 2014-08-21 22:39:27 - 1 Raindrop - There is a core of folks who assert that infosec problems cannot be solved by technical means, and that geeks won't be able to put things right; instead we have to go begging for help to lawyers, politicians, spooks, and law enforcement. Just today, the incoming Cybersecurity Czar boasted about not having technical chops. Plenty of jobs in DC don't require technical expertise, but I do not see how Cybersecurity Czar is one of them. Does the Treasury Secretary brag </description><link>http://www.secuobs.com/revue/news/530957.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/530957.shtml</guid></item>
<item><title>Risks Large and Small</title><description>Secuobs.com : 2014-08-18 19:36:11 - 1 Raindrop - Could not agree more with this tweet from Dino Dai Zovi. Finding the balance between productivity and security is very difficult. In the context of a rapid fire development project it's even more so. Threat models are the best available option to establish an analytical framework and tradeoff scenarios. If I were stranded on a desert island and could only bring two AppSec tools, I would bring a threat model and a fuzzer (of course a machete and Swedish firesteel might </description><link>http://www.secuobs.com/revue/news/530376.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/530376.shtml</guid></item>
<item><title>Why mean outcomes are often meaningless</title><description>Secuobs.com : 2014-07-30 18:55:23 - 1 Raindrop - Excellent piece by John Kay, Why mean outcomes are often meaningless: "You have spent £2 on a lottery ticket. On Saturday evening you may be a millionaire. Or, more likely, not. But meantime, the auditors arrive. They must confirm that your accounts show a true and fair view. An old-fashioned auditor might allow you to record the lottery ticket at its historic cost of £2. A modern one would want to assess its fair value. But there is no market </description><link>http://www.secuobs.com/revue/news/527647.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/527647.shtml</guid></item>
<item><title>The Identity Cheese Shop</title><description>Secuobs.com : 2014-07-19 16:18:40 - 1 Raindrop - Watch The Identity Cheese Shop with Adrian Lane. Inside Studio Notes: Identity standards and solutions mentioned: Role Based Access Control, Attribute Based Access Control, XACML, Federated identity, Strong authentication, SMS authentication, Biometric authentication, Mobile identity for iOS/Android, Kit Kat based HCE, iOS fingerprint scanner, OATH compliant authentication, OAuth, OAuth 2.0, OpenID Connect, SAML, RESTful authentication, Android Kit Kat tap-in with BTLE prox against NFC creds, mutually authenticated SSL, Automated provisioning, Access control lists, Privileged account management, Geolocation, Back end </description><link>http://www.secuobs.com/revue/news/526011.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/526011.shtml</guid></item>
<item><title>Verizon DBIR - The Good, The Bad, and The Ugly</title><description>Secuobs.com : 2014-07-15 19:09:41 - 1 Raindrop - The Verizon DBIR has been out for a while. I thought I would share some thoughts on where it can improve going forward. The Good: The DBIR is a net plus for the industry. When Wade Baker and team first released it, the infosec industry was dominated by BS hallway conversations ("if you knew what I knew"); this still happens obviously, but there is a lot more out in the open. There have been very few events that I have seen </description><link>http://www.secuobs.com/revue/news/525278.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/525278.shtml</guid></item>
<item><title>Exploding Cigarettes and AppSec</title><description>Secuobs.com : 2014-06-24 01:28:15 - 1 Raindrop - AppSec is a great example of something that is simple to understand but hard to do. Kind of like quitting smoking. Here is Dan Ariely on the latter: "Dear Dan, What's the best way to get people to stop smoking? - Myron. The problem with smoking is that its effects are cumulative and delayed, so we don't feel the danger. Imagine what would happen if we forced cigarette companies to install a small explosive device in one out of every million </description><link>http://www.secuobs.com/revue/news/520342.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/520342.shtml</guid></item>
<item><title>Interview on Mobile Wallets</title><description>Secuobs.com : 2014-06-18 18:56:45 - 1 Raindrop - Here is a recent interview I did with IBM Security strategist Diana Kelley on Mobile Wallet security. Diana covers what security issues wallet developers need to be aware of and the risk profile for mobile apps.</description><link>http://www.secuobs.com/revue/news/519556.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/519556.shtml</guid></item>
<item><title>Building a Safety Culture - Don't Wave Bloody Shirts, Find Diamonds in Your Backyard</title><description>Secuobs.com : 2014-06-05 17:09:38 - 1 Raindrop - Any teacher knows that it's way more valuable to catch someone doing something right and reinforce good behavior than to nag about mistakes. Why then does infosec take the latter path and often try to blindside developers and project teams, and wave the list of vulnerabilities like a bloody shirt parading through the streets? Kent Beck has a great quote - "I used to think of programs as things, now I think of them as shadows of the communities that build </description><link>http://www.secuobs.com/revue/news/517303.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/517303.shtml</guid></item>
<item><title>Mobile Security: Defending the New Corporate Perimeter</title><description>Secuobs.com : 2014-05-28 23:37:06 - 1 Raindrop - Here is a keynote talk I gave at the Cloud Identity Summit - I gave the talk a while back, but these topics keep coming up and I thought it would be good to share. A good operating principle for any new technology is "eat what you kill"; it's been said that when it came out, Apple's iPhone did not destroy competitors, it paved over whole segments - portable music players, GPS, PDAs, digital cameras, and more were all thriving multi billion </description><link>http://www.secuobs.com/revue/news/516001.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/516001.shtml</guid></item>
<item><title>Rogue Trader's Long Walk</title><description>Secuobs.com : 2014-05-10 15:12:38 - 1 Raindrop - Wrote up my notes on John Gapper's excellent eBook "How to Be a Rogue Trader". The FT has a sad story of the aftermath for one: Jerome Kerviel is walking from Rome to Paris before his jail sentence starts. It was after July 2007, when the financial crisis was starting to rout stock markets, that Kerviel's initially modest gaming of the system started to get out of control. The economic situation was so bad, he thought, that the markets could </description><link>http://www.secuobs.com/revue/news/512900.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/512900.shtml</guid></item>
<item><title>Security, Fast and Slow</title><description>Secuobs.com : 2014-04-29 18:24:00 - 1 Raindrop - One of the best books I have read in many years is Thinking, Fast and Slow. At the heart of the book are two systems - System One and System Two. They both play into decision making in different ways. For System One, think catching a ball; for System Two, think doing your taxes. System 1: Fast, intuitive, frequent, emotional, subconscious. System 2: Slow, effortful, infrequent, logical, calculating, conscious. Both systems represent ways of thinking and they are both </description><link>http://www.secuobs.com/revue/news/510938.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/510938.shtml</guid></item>
<item><title>Do we want to go to the moon or not? Remembering John C. Houbolt</title><description>Secuobs.com : 2014-04-20 23:16:34 - 1 Raindrop - NASA engineer John C. Houbolt has died; he had much success to his credit, including Lunar Orbit Rendezvous research used during the Gemini and Apollo programs. Beyond the accomplishments, how he was able to deliver them is a great story. As NASA describes on its website, while under pressure during the US-Soviet space race, Houbolt was the catalyst in securing US commitment to the science and engineering theory that eventually carried the Apollo crew to the moon and back safely </description><link>http://www.secuobs.com/revue/news/509350.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/509350.shtml</guid></item>
<item><title>Security 140 Conversation with Bruce Tait on Brands</title><description>Secuobs.com : 2014-04-19 16:46:26 - 1 Raindrop - And now for something completely different. We have a special guest this time on Security 140. Ok, they are all special, but instead of talking about ABAC or Static Analysis or API economy or identity or software security or Netflix security or security writ large, instead of all that we are going to talk brands. Bruce Tait is a Founding Partner at Tait Subler, a strategic consultancy specializing in the development of holistic, highly-differentiated brand strategies. All of us in </description><link>http://www.secuobs.com/revue/news/509277.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/509277.shtml</guid></item>
<item><title>How to Be a Rogue Trader</title><description>Secuobs.com : 2014-04-16 22:40:25 - 1 Raindrop - Want to know what it's like to lose a few billion dollars? Why not study Nick Leeson, Jerome Kerviel, John Rusnak, and Kweku Adoboli? John Gapper's eBook "How to Be a Rogue Trader" gives you an inside look at what makes these people tick. For people whose job it is to defend these systems from malicious actors, there is a lot to learn. I mentioned that in terms of building out a defensive plan, I prefer to start with assets </description><link>http://www.secuobs.com/revue/news/508789.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/508789.shtml</guid></item>
<item><title>Scene from a Dim Sum restaurant</title><description>Secuobs.com : 2014-04-14 15:50:39 - 1 Raindrop - People think management is about timing and tactics, but it's really about values and focusing on what matters. We're lucky to have two good options for Dim Sum in the Cities. Both of them require getting there early. We arrived at Mandarin Kitchen a half hour early this Sunday, and the parking lot was empty, first in line - win. Within 5 minutes there were 20 people. Then the manager drove by, parked in back, and we did not see </description><link>http://www.secuobs.com/revue/news/508149.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/508149.shtml</guid></item>
<item><title>Book Review: Adam Shostack on Threat Modeling - Give a Person a Gem and You Enrich Them For A Day, Show them how to build a Treasure Map and you Enrich them for their Life</title><description>Secuobs.com : 2014-04-11 20:18:44 - 1 Raindrop - The road to hell is paved with tl;dr. I am not a fan of the term or its implication. If we ever really manage to irrevocably screw up this planet the epitaph will be tl;dr. But taking the world on its own terms, here is my tl;dr book review of Adam Shostack's new Threat Modeling book - it's full of gems; better yet, it shows you how to create your own treasure map - get it, read it, and use </description><link>http://www.secuobs.com/revue/news/507842.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507842.shtml</guid></item>
<item><title>IAM Symposium in Detroit / Chicago</title><description>Secuobs.com : 2014-04-11 00:14:40 - 1 Raindrop - IDAM: What's the Plan? Symposium. In too many organizations, Identity and Access Management is a tangled mess, with the strategic direction outsourced to Accenture or Deloitte. How can you plan for the future? What should guide your IDAM efforts? What framework should you use to think about this complex issue? When: Apr 16 2014, 10:00 AM - 3:00 PM EDT. Where: 2000 Town Center Suite 1900, Southfield, MI. Here is the link to register for the Detroit symposium: http marketingiansresearchcom acton form 3335 0058 d-0001 0 indexhtm id 0058   Chicago </description><link>http://www.secuobs.com/revue/news/507641.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507641.shtml</guid></item>
<item><title>Top Down and Bottom Up Security Architecture</title><description>Secuobs.com : 2014-04-10 22:14:12 - 1 Raindrop - Some field notes based on a conversation with Adam Shostack. There are a lot of things that make security architecture a tough business. One of the ones that comes up regularly is that security is a system level property, yet we live in a project based world. It's not really the mandate of any one project to overhaul IDM or software security tooling. I like bottom up approaches; most of the time they are the right way to go, </description><link>http://www.secuobs.com/revue/news/507620.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507620.shtml</guid></item>
<item><title>Infosec heal thyself</title><description>Secuobs.com : 2014-04-09 03:06:40 - 1 Raindrop - Oftentimes, security people and developers are not on the best of terms. The standard script is that the developers build something, the security people thrash and find how it's broken. Making a living by telling people their baby is ugly may be correct and even helpful, but it does not win many friends. As AppSec becomes a bigger part of IT, one of the areas security is moving is upstream into processes like SDL. It's been a slog. It's hard </description><link>http://www.secuobs.com/revue/news/507144.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507144.shtml</guid></item>
<item><title>Why Moats Matter</title><description>Secuobs.com : 2014-04-04 17:20:11 - 1 Raindrop - Why should infosec pros care about your business' competitive advantage, i.e. moats? Lenny Zeltser raises the most important reason why: Information security professionals often complain that executives ignore their advice. There could be many reasons for this. One explanation might be that you are presenting your concerns or recommendations in the wrong business context. You're more likely to be heard if you relate the risks to an economic moat relevant to your company. We have all been there many times </description><link>http://www.secuobs.com/revue/news/506550.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/506550.shtml</guid></item>
<item><title>Reverse Queries for Authorizing Access</title><description>Secuobs.com : 2014-04-03 17:14:42 - 1 Raindrop - The Axiomatics Spring newsletter arrived (did not know that it was actually spring in Stockholm this soon, but moving on) and in it Babak Sadighi tells us that 2014 is "the year of ABAC" (and here I thought it was the year of PKI). Mr Sadighi shares with us Gartner's blessing that by 2020, 70% of enterprises will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from less than 5% today. Well I have </description><link>http://www.secuobs.com/revue/news/506361.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/506361.shtml</guid></item>
<item><title>When Second Best is Better</title><description>Secuobs.com : 2014-04-01 17:04:38 - 1 Raindrop - Thanks to Jay Jacobs, back in May 2012, I put together a talk for SIRA called "I am a better security pro because I am an investor, and I am a better investor because I am a security pro". In a nutshell, the talk explores why the mindset of a security pro, to look at the downside not just the upside, is fundamental in investing. I moved most of my investing posts to a new blog, Total Return Investor. The last </description><link>http://www.secuobs.com/revue/news/505941.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/505941.shtml</guid></item>
<item><title>Rihanna's ex-Accountant</title><description>Secuobs.com : 2014-03-31 20:14:03 - 1 Raindrop - First time for everything. And here is my first blog link to a TMZ story. It's about the fallout from when Rihanna fired her accountant, Peter Gounis, who she claims lost $9 million of her money. Unfortunately, the irrational actions leading up to the event will be all too familiar to infosec pros (emphasis added): Gounis claims Rihanna blew through millions of her own money by going on endless shopping sprees -- buying roomfuls of designer shoes, clothes, and jewelry </description><link>http://www.secuobs.com/revue/news/505642.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/505642.shtml</guid></item>
<item><title>Sunk Costs</title><description>Secuobs.com : 2014-03-28 13:57:17 - 1 Raindrop - From Jason Zweig, his co-author on Thinking, Fast and Slow, a series on Daniel Kahneman's work. HOW HAS KAHNEMAN'S WORK INFLUENCED YOUR OWN? While I worked with Danny on a project, many things amazed me about this man whom I had believed I already knew well: his inexhaustible mental energy, his complete comfort in saying "I don't know," his ability to wield a softly spoken "Why?" like the swipe of a giant halberd that could cleave overconfidence with a </description><link>http://www.secuobs.com/revue/news/505346.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/505346.shtml</guid></item>
<item><title>Russ Thomas on Unintended Consequences</title><description>Secuobs.com : 2014-03-27 23:08:23 - 1 Raindrop - Here is a talk by Russ Thomas that doesn't get nearly the focus it should - unintended consequences. There are a lot of good ideas alluded to in the slides. Anti Pattern 8 - perfect is the enemy of the good, for example, neatly summarizes Brad Hill's defense of HTML5 argument. There seem to be two Anti Patterns numbered 10; regardless, they are both among the most important. 10a - Complexity arises from controls. Major problem if you are only </description><link>http://www.secuobs.com/revue/news/505247.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/505247.shtml</guid></item>
<item><title>Paging John Wanamaker - 36% of online ad traffic is fraud</title><description>Secuobs.com : 2014-03-26 17:43:19 - 1 Raindrop - WSJ: 'About 36% of all Web traffic is considered fake, the product of computers hijacked by viruses and programmed to visit sites, according to estimates cited recently by the Interactive Advertising Bureau trade group. So-called bot traffic cheats advertisers because marketers typically pay for ads whenever they are loaded in response to users visiting Web pages, regardless of whether the users are actual people.' 'Many ad executives only now are coming to grips with the reality of fraud. Part of the </description><link>http://www.secuobs.com/revue/news/504980.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/504980.shtml</guid></item>
<item><title>What Happens When You Don't Use SoD</title><description>Secuobs.com : 2014-03-21 20:34:03 - 1 Raindrop - When you don't enforce separation of duties, your traders have more rights than they need. When your traders have more rights than they need, they trade ETFs because they know you are not logging them. When your traders make a series of bets using ETFs that various European markets will rise, sometimes they will be wrong. When your traders think they have a high level of certainty, they will trade with unhedged futures. When your traders trade with unhedged futures, </description><link>http://www.secuobs.com/revue/news/504274.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/504274.shtml</guid></item>
<item><title>Lenny Zeltser on Moats</title><description>Secuobs.com : 2014-03-18 19:33:38 - 1 Raindrop - The most important paragraph that I have read in 2014 for infosec pros, from Lenny Zeltser: Information security professionals often complain that executives ignore their advice. There could be many reasons for this. One explanation might be that you are presenting your concerns or recommendations in the wrong business context. You're more likely to be heard if you relate the risks to an economic moat relevant to your company. </description><link>http://www.secuobs.com/revue/news/503608.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/503608.shtml</guid></item>
<item><title>Impact of Stock Spam</title><description>Secuobs.com : 2014-03-17 16:03:21 - 1 Raindrop - Forget about Satoshi Nakamoto, Bitcoin. That's chump change and shenanigans; the real Keyser Soze mystery is who runs AwesomePennyStocks. Bloomberg: Short-sellers and stock promoters have puzzled for years over who operated one of the largest penny-stock websites. A US lawsuit points to a Bugatti-driving 26-year-old from Montreal. John Babikian used an e-mail list called AwesomePennyStocks to tout a coal company's stock while dumping his own shares, the Securities and Exchange Commission said last week in a civil complaint. AwesomePennyStocks' messages </description><link>http://www.secuobs.com/revue/news/503235.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/503235.shtml</guid></item>
<item><title>Sympathy for the Devil - Cormac Herley's Password Research</title><description>Secuobs.com : 2014-03-16 23:33:47 - 1 Raindrop - Back to back devil posts. Last post was called Friend of the Devil, the Shostack Code. Now we are into Sympathy for the Devil and Cormac Herley's work. Don't read into the devil part too much as a company thing, just because Adam Shostack and Cormac Herley both work at Microsoft. It's actually a commentary on dealing with devils - governance (Shostack and Threat Models) and passwords (Herley). Passwords feel like dandelions to me. Every year, you try and root </description><link>http://www.secuobs.com/revue/news/503148.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/503148.shtml</guid></item>
<item><title>The Shostack Code</title><description>Secuobs.com : 2014-03-12 16:33:55 - 1 Raindrop - This is part three on looking at governance and compliance In the first post, we looked at Charlie Munger's comments on governance Specifically, how a seamless web of deserved trust beats the compliance check box Olympics Compliance is a drag, but on the other hand the regs are not there for no reason In the second post in this series we looked at Chesterton's Fence and how compliance regs are a result of legitimate consumer concerns Whether they are too </description><link>http://www.secuobs.com/revue/news/502578.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/502578.shtml</guid></item>
<item><title>Chesterton's Fence, Compliance and Opportunities Part 1 - Outsource Compliance</title><description>Secuobs.com : 2014-03-10 15:49:58 - 1 Raindrop - I see so much confusion over compliance. Information risk management people sometimes say that compliance is blocking them and that it inhibits risk management. Compliance is not the sum total of governance. Erik Heidt said it best - "Compliance is Risk Management. Just NOT YOUR Risk Management." Complaining about compliance is a classic Chesterton's Fence problem (1). Before tearing down compliance, first ask - why does it exist in the first place? Erik Heidt: SOX is the result of </description><link>http://www.secuobs.com/revue/news/502066.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/502066.shtml</guid></item>
<item><title>Charlie Munger on Governance</title><description>Secuobs.com : 2014-03-06 16:28:29 - 1 Raindrop - From Stanford comes "Corporate Governance According to Charles T Munger", which is characterized by avoiding "best practices" and instead going in the direction of "trust based governance". A lot of this will resonate with infosec people weary of compliance check box Olympics. Here are some highlights: "One solution fits all" is not the way to go. All these cultures are different. The right culture for the Mayo Clinic is different from the right culture at a Hollywood movie studio. You </description><link>http://www.secuobs.com/revue/news/501490.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/501490.shtml</guid></item>
<item><title>Measure Your Margin of Safety</title><description>Secuobs.com : 2014-03-05 15:17:15 - 1 Raindrop - I have a new paper in the February "For Good Measure" column in USENIX ;login:, written with Dan Geer, called "Margin of Safety or Speculation? Measuring Security Book Value". The goal of this paper is to show a simple metric that compares the risk your system is taking on (as measured by what you spend on app development, databases and so on) versus what you are investing to defend the system. The higher the former and the lower the latter, </description><link>http://www.secuobs.com/revue/news/501246.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/501246.shtml</guid></item>
<item><title>Trusting Trust - SaaS Edition</title><description>Secuobs.com : 2014-02-27 18:01:41 - 1 Raindrop - Many of the worst security problems arise when formerly good assumptions change. Robin Roberts summed it up this way - "security systems are built up on assumptions, but you cannot after the fact go back and query the system about the assumptions that were made when it was built". Tal Klein and colleagues came across an interesting piece of malware which amounts to - when SaaS met Zeus. Banks, of course, are used to coping with malware like this. They </description><link>http://www.secuobs.com/revue/news/500280.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/500280.shtml</guid></item>
<item><title>There's No Such Thing as Bad Weather, Only Bad Clothes</title><description>Secuobs.com : 2014-02-26 17:40:24 - 1 Raindrop - Infosec can, at times, be disheartening. You look at Apple's goto fail and you think - how did they manage to screw up the most fundamental and oldest security protocol on such a wide scale with such an old bug? On days like that it can feel like, if someone like Apple cannot get the basics right, what chance does an average company have? But on the other hand, I see company after company where the security teams are just getting </description><link>http://www.secuobs.com/revue/news/499994.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/499994.shtml</guid></item>
<item><title>Measuring Moats</title><description>Secuobs.com : 2014-02-12 14:28:44 - 1 Raindrop - Whether it's a breach, credit card theft, IP copying or some other event, the impact is best conceptualized in terms of how it impacts competitive advantage. Michael Mauboussin shares some ideas on Measuring Moats, which is a good way to think about defining security metrics: which events impact the moat? Businesses have different kinds of moats, and so the way to measure business value for a company with a moat based on the network effect differs from the measures used on </description><link>http://www.secuobs.com/revue/news/497433.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/497433.shtml</guid></item>
<item><title>Open Letter to Satya Nadella, Re: Mobile Identity</title><description>Secuobs.com : 2014-02-06 01:36:43 - 1 Raindrop - Dear Satya Nadella, Congratulations on your new role. I am excited that the board picked not only a tech CEO, but a middleware guy. There's great, latent power in Microsoft technologies and if middleware people know one thing, it's connecting stuff together to create value. I was further heartened by the "mobile first, cloud first" mantra you laid out in your first speech. I know you are busy, but here is one opportunity to consider, and I am pretty confident </description><link>http://www.secuobs.com/revue/news/496198.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/496198.shtml</guid></item>
<item><title>LTCM and Risk</title><description>Secuobs.com : 2014-01-31 18:09:08 - 1 Raindrop - Before there was the 2008 financial crisis, there was Long Term Capital Management, a hedge fund run by a small group of people that almost brought down the global economy It foreshadowed quite a bit of 2008 Roger Lowenstein's  When Genius Failed  chronicles LTCM and is required reading to see the interplay between models and behavioral reality Here is a summary from Warren Buffett   The whole LTCM story is really fascinating If you take John Meriwether, Larry Hildenbrand, Victor Haghani, </description><link>http://www.secuobs.com/revue/news/495315.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/495315.shtml</guid></item>
<item><title>Plan for Success, Design for Failure</title><description>Secuobs.com : 2014-01-24 17:29:23 - 1 Raindrop - One of the most trenchant observations in infosec comes from one of Richard Thieme's old Blackhat keynotes He quoted Robin Roberts saying in effect that security systems are built up on assumptions, but you cannot after the fact go back and query the system about the assumptions that were made when it was built That's pretty problematic, because the world has a pesky habit of changing which renders formerly good assumptions invalid A classic example from the last decade is </description><link>http://www.secuobs.com/revue/news/493918.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/493918.shtml</guid></item>
<item><title>The art of misdirection</title><description>Secuobs.com : 2014-01-21 23:09:11 - 1 Raindrop - An interesting talk by Apollo Robbins that shows how fooling the brain's "guard" function gains an advantage for the pickpocket. The similarity I see in infosec is that you cannot put all your eggs in any one bucket, for example the access control bucket, because once that is bypassed, a fundamentally different capability like monitoring, thresholds and/or error correction is needed </description><link>http://www.secuobs.com/revue/news/493162.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/493162.shtml</guid></item>
<item><title>Searching for Helen Fuchs</title><description>Secuobs.com : 2014-01-15 21:49:42 - 1 Raindrop - Interesting tidbit at the end of this Bloomberg profile of bond fund manager Jeffrey Gundlach: Hands-off, though, isn't normally the first description that comes to mind when discussing Gundlach. In mid-September, thieves robbed the money manager's Santa Monica home in a quiet residential neighborhood, taking more than $10 million in artworks as well as his red 2010 Porsche Carrera 4S, wine and watches. The robbers also snatched two works by Gundlach's late grandmother, Helen Fuchs, who was an amateur painter </description><link>http://www.secuobs.com/revue/news/491835.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/491835.shtml</guid></item>
<item><title>Taking Yes for an Answer</title><description>Secuobs.com : 2014-01-10 18:18:11 - 1 Raindrop - New Year's is the time for predictions, which I don't go in for much. However, it is a good time to reflect and think about trends and goals. Here is my New Year's goal for the infosec industry - start taking yes for an answer. I have done a fair number of risk briefings over the years. Ten years ago, I would do them, get escorted along mahogany row, and the execs would give you thirty minutes to talk information </description><link>http://www.secuobs.com/revue/news/490879.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/490879.shtml</guid></item>
<item><title>Beyond Marking Time</title><description>Secuobs.com : 2013-12-13 13:42:39 - 1 Raindrop - Some years back, I was decompressing with another security person. He asked how my conference was going and I said "Great! I did a training today and I am doing another training tomorrow. How's yours?" He groaned, "Ughh, I did a training today and," he sighed, "I have to do another tomorrow." It surprised me; sure, training is a lot of work, but I really enjoy the idea flow, and seeing developers and security people think about appsec in </description><link>http://www.secuobs.com/revue/news/486123.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/486123.shtml</guid></item>
<item><title>Avoiding the Mobile Blindside</title><description>Secuobs.com : 2013-12-02 15:25:14 - 1 Raindrop - I am not much of a football fan, in fact over Thanksgiving holiday I didn't watch a down One thing I do appreciate about the sport though is the acknowledged role of defense in success Many of the most successful teams are defense oriented, and even the offense is built around protection schemes like protecting the quarterback The worst place for protection to fail is on the Quarterback's blind side, then rushers can close in quickly without the QB being </description><link>http://www.secuobs.com/revue/news/483851.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/483851.shtml</guid></item>
<item><title>Boring is Good</title><description>Secuobs.com : 2013-11-14 18:43:39 - 1 Raindrop - Whenever you roll out a new security architecture, the collaboration with the architecture and development team is fundamental to success Push back from those teams can come in all sorts of ways, they may think the security team is over reaching Development teams justifiably worry that the security requirements will swamp the budget and make them blow their timeline I was on a project and we did a review with tech leads and the comment at the end was  I </description><link>http://www.secuobs.com/revue/news/481020.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/481020.shtml</guid></item>
<item><title>Reorienting Towards Security Integration</title><description>Secuobs.com : 2013-11-13 17:02:27 - 1 Raindrop - Yesterday's post makes the case that there are no security problems. I used to think we had security problems, and then we figured out how to integrate the security solution. Actually, the security basics are long figured out; it's the integration that's killing us. We don't have a security problem with integration requirements. We have an integration problem with security requirements. The why is pretty easy to understand. Security is mainly an isolated department. Not really ops, not really arch and </description><link>http://www.secuobs.com/revue/news/480699.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/480699.shtml</guid></item>
<item><title>There Are No Security Problems</title><description>Secuobs.com : 2013-11-13 05:20:28 - 1 Raindrop - I used to think that we had security problems to solve, and that the role of a security architect was to identify threats and to design, implement, and integrate controls I was wrong We don't have security problems Not really Our protocol life span is measured in decades SSL, Kerberos, SDSI and SPKI, these have been around for decades The problem is not the protocols The hard part isn't mapping threats to controls either True the industry as a whole </description><link>http://www.secuobs.com/revue/news/480577.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/480577.shtml</guid></item>
<item><title>Top 10 Security Considerations for Internet of Things</title><description>Secuobs.com : 2013-10-31 19:11:16 - 1 Raindrop - Mark O'Neill and I just published Top Ten Security Considerations for Internet of Things. It was a lot of fun to work on this on a personal and professional level. I have been a big fan of Mark's work for a long time. I only got to work with him once before, when we did a full day of Web Services security at the OWASP AppSec conference; we had a full day just on WS and had a great lineup </description><link>http://www.secuobs.com/revue/news/478271.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/478271.shtml</guid></item>
<item><title>Stickiness</title><description>Secuobs.com : 2013-10-23 03:50:06 - 1 Raindrop - I have no interest in investing in IPOs, so I won't be buying Twitter's It may do fine, who knows  I do have an interest in trying to figure out how durable companies' competitive advantage is When I think of Twitter, one obvious comparison is Facebook Facebook went through a much maligned IPO, it came public in the high 30s, cratered down south of 20, and was last seen heading north of 50 Of course, short term price movers are </description><link>http://www.secuobs.com/revue/news/476428.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/476428.shtml</guid></item>
<item><title>Security Metrics' Crying Need</title><description>Secuobs.com : 2013-10-16 16:18:51 - 1 Raindrop - Security Metrics' crying need is for metrics that serve others, outside of infosec. In Infosec, we think of the biggest influencers as the people who give talks at conferences; I disagree. Here is my list of the top five influencers on your security; these are the people who will impact security, positively and/or negatively: The Person Coding Your App, Your DBA, Your Testers, Your Ops team, You. With the possible exception of #5, none of them work in security. This </description><link>http://www.secuobs.com/revue/news/474992.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/474992.shtml</guid></item>
<item><title>API Gateway Security - Do you have a plan?</title><description>Secuobs.com : 2013-09-24 15:37:35 - 1 Raindrop - Adrian Lane and I have a new research paper out on API Gateway Security. I really enjoyed working on this piece, because API Gateways bring all the talk that "security must be an enabler" right to front and center. APIs are an enabler, and businesses are going that way - making your data and app functionality exposed to any device, anywhere, and for use cases you never thought of before. Certainly your mainframe, your backend Unix servers were never </description><link>http://www.secuobs.com/revue/news/470491.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/470491.shtml</guid></item>
<item><title>Security Engineering and Incentives</title><description>Secuobs.com : 2013-08-17 22:01:19 - 1 Raindrop - "I think I've been in the top 5% of my age cohort all my life in understanding the power of incentives, and all my life I've underestimated it. Never a year passes that I don't get some surprise that pushes my limit a little farther." - Charlie Munger. In Security Engineering, Ross Anderson describes an analytical framework for examining information security: "Good security engineering requires four things to come together. There's policy: what you're supposed to achieve. There's mechanism: the </description><link>http://www.secuobs.com/revue/news/463504.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/463504.shtml</guid></item>
<item><title>Revisiting Garigue's CSO Role Models</title><description>Secuobs.com : 2013-08-15 19:13:08 - 1 Raindrop - The late, great Robert Garigue posited two models of the CSO - the Court Jester model and the Roadkill model. The Court Jester: Sees a lot. Can tell the king he has no clothes. Can tell the king he really is ugly. Does not get killed by the king. Nice to have around, but how much security improvement comes from this? Then we have the Roadkill Model: Changes happened faster than he was able to move. Did not read the </description><link>http://www.secuobs.com/revue/news/463163.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/463163.shtml</guid></item>
<item><title>Identity is the New Currency </title><description>Secuobs.com : 2013-07-11 04:03:11 - 1 Raindrop - Text from my keynote talk at the Cloud Identity Summit Photo credit  Brian Campbell  1 Problem statement We have some hard problems in IAM I wonder if there is sometimes too much focus on the short term and not enough on the long term And specifically not enough focus on the consequences of the consequences of bringing in a new technology or process One kind of project I work on with companies is building out an IAM Roadmap In my </description><link>http://www.secuobs.com/revue/news/456285.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/456285.shtml</guid></item>
<item><title>Cloud Security and the Ability to Integrate</title><description>Secuobs.com : 2013-06-28 23:20:04 - 1 Raindrop - I think there are four essential security services for Cloud applications. I described these in Don't Trust And Verify. The four tools I think are essential in anyone's Cloud Security stack are: Gateway: Don't trust your attack surface to the Cloud, and do verify at the Gateway. It's a defensive structure to limit attack surface and enforce policy. Security token service: Don't trust messages; implement verifiable security tokens. The STS handles issuing, validating, and exchanging security tokens. Monitor: Do implement </description><link>http://www.secuobs.com/revue/news/454487.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/454487.shtml</guid></item>
<item><title>Asleep at the Wheel</title><description>Secuobs.com : 2013-06-11 20:59:35 - 1 Raindrop - For many years in secure coding training, I have used this quote from Gary McGraw-  Software security is the idea of engineering software so that it continues to function correctly under malicious attack  This simple yet powerful statement encapsulates many of our challenges, however I have one nit to pick, and it makes our job harder Our job, in my view, is to engineer software so that it continues to function correctly under attack Note that I left out  malicious  </description><link>http://www.secuobs.com/revue/news/450819.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/450819.shtml</guid></item>
<item><title>Security  140 Conversation with Gerry Gebel on XACML and ABAC</title><description>Secuobs.com : 2013-06-10 18:24:10 - 1 Raindrop - Glad to have the chance to talk with Gerry Gebel on current work and trends in authorization To my mind authorization gets nowhere near the attention it deserves in security architecture For a refresher, here are some previous conversations with Gerry on these topics Gerry Gebel was formerly with Burton Group and is now President of Axiomatics  America  Axiomatics focuses on authorization and the XACML standard Gunnar Peterson  The thing that strikes me about XACML and ABAC is that its really </description><link>http://www.secuobs.com/revue/news/450520.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/450520.shtml</guid></item>
<item><title>James Lewis on Myths</title><description>Secuobs.com : 2013-06-05 20:10:41 - 1 Raindrop - James A Lewis on Five Myths about Chinese Hackers hits key points, starting with point 1  Trying to cram Chinese hackers into antiquated cold war formulas doesn't help, either America's relationship with China is very different from the one it had with the Soviet Union, in which contacts were extremely limited and there was no economic interdependence The idea of  containment  for China is inane How would you  contain  a major economic partner  Any security discussion that glosses over the </description><link>http://www.secuobs.com/revue/news/449602.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/449602.shtml</guid></item>
<item><title>Better Metrics</title><description>Secuobs.com : 2013-06-01 17:50:40 - 1 Raindrop - As a general question, we have way more security metrics than we did say 5 years ago, but do we have the right kind of metrics  Wade Baker and the Verizon DBIR team performed an exceptionally useful service when they launched DBIR It was among the first rocks that started tumbling that led an avalanche of de-fudified the infosec industry  ok, mostly de-fudified , before DBIR breaches were discussed in whispers and  if you knew what I know  kind of BS </description><link>http://www.secuobs.com/revue/news/448894.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/448894.shtml</guid></item>
<item><title>Perils of Top Down Thinking</title><description>Secuobs.com : 2013-05-30 17:17:10 - 1 Raindrop - Costco has a P E ratio of 25 This is hands down better than their peers P E Costco 25 Target 15 Dollar Tree 19 Walmart 15 Basically what this is showing is that investors are willing to  60% more to own Costco over its competitors Top down thinking can be good because it helps people abstract away some complexity and take shortcuts On the other hand, top down thinking can be bad, after all its lossy compression and what is lost </description><link>http://www.secuobs.com/revue/news/448578.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/448578.shtml</guid></item>
<item><title>Enterprise API Management for Mobile Part 2 - Don't Trust And Verify</title><description>Secuobs.com : 2013-05-29 05:19:33 - 1 Raindrop - In the previous post we looked at some of the policy zones that an Enterprise API Management has in Mobile security, including  1 External security policy  for the Mobile device - API Management Layer message exchanges 2 Internal security policy  for the API Management Layer - Enterprise backend message exchanges 3 External  Internal mapper security policy  to facilitate the right security and identity services for each boundary transition Gateways and API Management have many, varied capabilities They can play </description><link>http://www.secuobs.com/revue/news/448219.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/448219.shtml</guid></item>
<item><title>Limitations of Statistics on Measuring Risk </title><description>Secuobs.com : 2013-05-17 19:26:00 - 1 Raindrop - For any security project when we're trying to use risk to inform our software development, operational processes, the current state of available data is not particularly helpful But even if it was better than it is currently  and we had statistics , its not likely to help much when it comes to risk Good example from Nassim Taleb in AntiFragile   A turkey is fed for a thousand days by a butcher  every day confirms to its staff of analysts that butchers </description><link>http://www.secuobs.com/revue/news/446193.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446193.shtml</guid></item>
<item><title>A Cloud Risk That Is Different In Kind</title><description>Secuobs.com : 2013-05-14 22:59:21 - 1 Raindrop - The risks in cloud deployments are generally differences of degree rather than different in kind But there are some risks that are fundamentally new We saw two examples recently First was Bloomberg, not a 21st century Cloud for sure, more like 1990s era Cloud but the precedent is right there for anyone using a Cloud application  In one instance, a Bloomberg reporter asked a Goldman executive if a partner at the bank had recently left the firm   noting casually </description><link>http://www.secuobs.com/revue/news/445405.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445405.shtml</guid></item>
<item><title>Berkshire Hathaway Annual Meeting 2013 Notes</title><description>Secuobs.com : 2013-05-10 22:08:57 - 1 Raindrop - I attended the Berkshire Hathaway annual meeting along with Adrian Lane and 40,000 or so other shareholders Adrian commented on something that is near and dear to my heart  I am hooked, but not because I want investment ideas   instead I am fascinated by an incredibly simple investment philosophy, that involves an incredibly complex set of rational models, that forms the foundation of their decision process Both men are contrarians   they choose to invest in a method that </description><link>http://www.secuobs.com/revue/news/444727.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444727.shtml</guid></item>
<item><title>Quantifying Risk Tolerance</title><description>Secuobs.com : 2013-05-07 19:40:04 - 1 Raindrop - Depending on how its used  risk  can mean many things, sometimes it means CYA Infosec mostly informs  the business  as to the nature and severity of risk incurred by the types of things the business wants to do  The business  side uses the information culled from vulnerability assessments and related activities to decide what countermeasures they want to bring to bear and what risks they are willing to take Questions worth asking about this include - does the information Infosec </description><link>http://www.secuobs.com/revue/news/444020.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444020.shtml</guid></item>
<item><title>Betwixt and Between - Service Gateway for Enterprise Mobile Applications</title><description>Secuobs.com : 2013-04-16 16:57:34 - 1 Raindrop - Over the next several posts, I will explore some of the core patterns for Service Gateways that provide access to Enterprise Mobile Applications that need to leverage enterprise apps and data Before I go there - a word about risk Mobile security is a hot topic Is Android less secure than iOS  What about rooted devices  How should enterprise deal with BYOD  How do mobile dev teams write secure code for mobile platforms  And the list goes on and on, </description><link>http://www.secuobs.com/revue/news/439757.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/439757.shtml</guid></item>
<item><title>Physics Envy Redux</title><description>Secuobs.com : 2013-04-06 17:13:53 - 1 Raindrop - Richard Bejtlich's blog on Risk Assessment, Physics Envy and False Precision points out a number of important issues Overweighting what can be counted and underweighting what can't be counted is an easy trap to fall into The seduction is amplified by the beauty of mathematics, the quest for certainty in an uncertain world Unfortunately this leads to a number of problems brought on by overconfidence  because hey you counted and you're using math  As Dean Williams said   Confidence in a forecast </description><link>http://www.secuobs.com/revue/news/437993.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/437993.shtml</guid></item>
<item><title>Complexity Management with Tokenization</title><description>Secuobs.com : 2013-04-05 01:32:34 - 1 Raindrop - Tokenization is a major trend in application and data security and Gateways are an ideal location to deploy tokenization services Tokenization replaces sensitive data with benign data The classic example here is PCI DSS, and the business value of tokenization is summed up here  Now I am no graphic designer, but let me take advantage of the Chinese saying that 1,001 words is worth more than a picture As much as I like the graphic above it does not tell </description><link>http://www.secuobs.com/revue/news/437762.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/437762.shtml</guid></item>
<item><title>Security  140 Conversation with John Wilander</title><description>Secuobs.com : 2013-04-02 22:48:00 - 1 Raindrop - John Wilander's perspective on software development and security sheds light on some of the many gray areas that exist between these two related but too often divergent disciplines We discuss the current state of play, trojanizing dev teams, the different tactics involved in prescription versus proscription, and a lot more Gunnar Peterson  We first met a few years back, and I remember this very well, we did a detailed Threat model and discussed a very long set of security protocols </description><link>http://www.secuobs.com/revue/news/437232.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/437232.shtml</guid></item>
<item><title>Mobile Session Management - Which Session </title><description>Secuobs.com : 2013-04-02 16:35:36 - 1 Raindrop - Session management vulnerabilities are tricky They are highly dependent on context Identifying session fixation, session replay and the like means looking at the end to end session lifecycle from creation to use to termination On normal webapps this is mostly a straightforward affair including - examine the session cookie, ensure proper cookie hygiene, make sure transport is protected, and that timeouts are set correctly On normal webapps the server sets the timeout for the session cookie  say 20 minutes , sends </description><link>http://www.secuobs.com/revue/news/437140.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/437140.shtml</guid></item>
<item><title>Remember Your Helmet</title><description>Secuobs.com : 2013-03-25 22:59:47 - 1 Raindrop -  I have three mailboxes in my office   IN, OUT, and TOO HARD I was joking with the MIT students that I should have a TOO HARD bin  - Warren Buffett Even for a great investor like Warren Buffett, most investing ideas wind up in the TOO HARD bin Investing is a great in that way, where you can pick and choose which problems to tackle There is no penalty for sitting it out when things are too complicated Unfortunately, </description><link>http://www.secuobs.com/revue/news/435740.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/435740.shtml</guid></item>
<item><title>Lessons Learned on the Mississippi Gulf Coast</title><description>Secuobs.com : 2013-03-24 15:56:13 - 1 Raindrop - Hancock Bank, a small local bank on Mississippi's Gulf coast, gives a master class in survivability In the days after Katrina they gave out  50M in cash They used folding tables on the sidewalk for branches The IOUs were handwritten notes on sticky notes Its a great story - more here The story is a case study for how Howard Lipson describes survivability -  the ability of a system to fulfill its mission, in a timely manner, in the presence </description><link>http://www.secuobs.com/revue/news/435517.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/435517.shtml</guid></item>
<item><title>Security Implications from One Year of Mobile Only</title><description>Secuobs.com : 2013-03-22 16:29:52 - 1 Raindrop - Benjamin Robbins  PaladorBenjamin  just completed 52 solid weeks working solely on mobile Of course there were some issues, but he did it and the lessons learned are instructive A key takeaway  From a practical perspective I've learned that there are certain needs of human ergonomics that you just can't engineer your way around no matter how cool the technology I can say with confidence that a monitor and keyboard are not going anywhere anytime soon This is a key insight </description><link>http://www.secuobs.com/revue/news/435291.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/435291.shtml</guid></item>
<item><title>Schneier Says User Awareness  Tired, Dev Training  Wired</title><description>Secuobs.com : 2013-03-19 21:13:48 - 1 Raindrop - Bruce Schneier tackles security training in Dark Reading He basically says that training users in classic  security awareness  training is a waste of money Certainly there is a lot of evidence to back up that claim, users routinely click on certificate warnings, for example What I found most interesting is what Bruce Schneier recommended to do instead of security awareness training for users  we should be spending money on security training for developers These are people who can be taught </description><link>http://www.secuobs.com/revue/news/434622.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/434622.shtml</guid></item>
<item><title>Battling Expertise with the Power of Ignorance</title><description>Secuobs.com : 2013-03-15 19:27:43 - 1 Raindrop -  We are all, in my view, condemned to float endlessly in a vast sea of unanswered questions and unknown reference points A sea of ignorance if you will The example that I like to use is a chessboard How many moves ahead can you see on a chessboard  I can see about one move ahead in a chess game If you can see three or four moves ahead in a chess game you can beat 99% of chess players And </description><link>http://www.secuobs.com/revue/news/433854.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/433854.shtml</guid></item>
<item><title>You Say  Cyber I Say  Unsubscribe</title><description>Secuobs.com : 2013-03-14 20:00:43 - 1 Raindrop - Stop the presses  Sensitive IP has been stolen  Not only that, its some of the world's most advanced technology - robotic surgery  How will the Pentagon respond  Scrambling jets  Carriers on high alert  Oh, one clarification, the headline Mako Sues over stolen trade secrets was not from CNN or NYT, it was from an almost as big a name media player -- the South Florida Business Journal Not to be confused with the North Florida Business Journal one supposes Mako </description><link>http://www.secuobs.com/revue/news/433610.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/433610.shtml</guid></item>
<item><title>What Comprises a Mobile DMZ</title><description>Secuobs.com : 2013-03-12 00:04:02 - 1 Raindrop - The DMZ is a Web app security architecture workhorse The DMZ operates under a different ruleset both in terms of what is allowed and in terms of the level scrutiny design, deployment and operations get To the extent Web security works at all, its due in no small part to the isolation the DMZ provides The DMZ concept has lived on in the Web services world primarily through Web services gateways which limit Web Services attack surface, help developers navigate </description><link>http://www.secuobs.com/revue/news/432853.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/432853.shtml</guid></item>
<item><title>Heartland 2012</title><description>Secuobs.com : 2013-03-09 00:39:16 - 1 Raindrop - Heartland reported its full 2012 results They had the best year since the breach and the best year in the last ten years  length of history of data I have for them  They knocked the cover off the ball in every value metric - cash flow, margins, return on equity, and paid down debt This is the sixth in a series of posts tracking Heartland's post breach business performance Just to review our valuation metrics, we are going to take </description><link>http://www.secuobs.com/revue/news/432460.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/432460.shtml</guid></item>
<item><title>My favorite part of the Berkshire Hathaway Annual Letter</title><description>Secuobs.com : 2013-03-05 17:12:35 - 1 Raindrop - Well it was a quiet year in Omaha The annual letter is out Buffett called it a subpar year despite a  24B gain The part I liked best was this part on the annual meeting   Finally   to spice things up   we would like to add to the panel a credentialed bear on Berkshire, preferably one who is short the stock Not yet having a bear identified, we would like to hear from applicants The only requirement is that </description><link>http://www.secuobs.com/revue/news/431503.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/431503.shtml</guid></item>
<item><title>Process Not Outcomes</title><description>Secuobs.com : 2013-03-01 19:01:33 - 1 Raindrop - Here is a version of the Checklist talk I gave at Secure 360 last year It was one of my favorite talks I ever gave made even more so by a great audience including David Mortman and other folks in the trenches I really respect I worked really hard to make things very simple and real world, no assumptions around  and then a guru appears from behind the curtain fixes everything , I was targeting strategies that any organization could muster </description><link>http://www.secuobs.com/revue/news/430934.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/430934.shtml</guid></item>
<item><title>Dear Everyone, Its 2013 Please Stop Saying Cybersecurity</title><description>Secuobs.com : 2013-02-28 17:57:27 - 1 Raindrop - I am not sure how the cybersecurity meme started and it sure won't die, but it needs to We need to stop saying cybersecurity because this gross generalization obscures the real issues that lay beneath Mark Twain observed that precise language is the difference between lightning and a lightning bug When you hear someone say cybersecurity, you can guarantee the very next sentence will contain a wild, sweeping generalization that's likely neither prescriptive nor useful Here is why - context </description><link>http://www.secuobs.com/revue/news/430700.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/430700.shtml</guid></item>
<item><title>Mobile APIs for Healthcare</title><description>Secuobs.com : 2013-02-26 23:16:16 - 1 Raindrop - Next week I am participating in a webinar called Mobile Optimized Healthcare API Programs, from a technical perspective we'll be looking at some interesting integration between Intel's Security Gateway and Mashery From a healthcare standpoint, the discussion looks at what new kinds of use cases are possible in this ecosystem For as much hype that financial services and other sectors get vis a vis security, the healthcare security problem set really is harder than the rest At the same time, </description><link>http://www.secuobs.com/revue/news/430190.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/430190.shtml</guid></item>
<item><title>My RSA Keynote - Information Security That Works Until You Attack It</title><description>Secuobs.com : 2013-02-23 17:44:12 - 1 Raindrop - No they did not ask me to do a keynote  isn't security blogger hall of fame better tho , but here is what I would say and hey you are getting it before the conference even starts, and you don't even have to get on a plane to hear it Let's start with some historical perspective- all countries do it, especially emerging countries, including especially the US China did not invent industrial espionage After a decade spent warning people about credit </description><link>http://www.secuobs.com/revue/news/429580.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/429580.shtml</guid></item>
<item><title>RSA  What to Watch For</title><description>Secuobs.com : 2013-02-20 19:42:14 - 1 Raindrop - Before landing at SFO, vaccinate yourself against hype, what should you watch for  Not threat du jour, not capabilities, watch for integration </description><link>http://www.secuobs.com/revue/news/428872.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/428872.shtml</guid></item>
<item><title>Android Jelly Bean adds a Secure Default for Content Providers</title><description>Secuobs.com : 2013-02-20 19:42:14 - 1 Raindrop - Security requires some thought in design, lots of developer attention in secure coding, but there are gaps that the platform can close that can make the designer and the developers lives easier, setting secure defaults Default Android introduces a number of ways that companies can unwittingly open up vulnerabilities Jelly Bean offers a number of security improvements, one of the more interesting is adding a new and important Secure Default which protects Content Providers, aka your data The setting protects </description><link>http://www.secuobs.com/revue/news/428871.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/428871.shtml</guid></item>
<item><title>Buyer Education for Avoiding Mobile Dim Sum Surprise Projects</title><description>Secuobs.com : 2013-02-06 21:24:35 - 1 Raindrop - Recently I did a talk at OWASP Twin Cities on building a mobile app security toolchain The talk went pretty well, lots of good questions One takeaway, there are many people in many different kinds of companies struggling with how to do Mobile App Sec The room was sold out, and so it looks like the OWASP Chapter is organizing a repeat talk some time this month, so if you missed it and want to come, stay tuned The basics </description><link>http://www.secuobs.com/revue/news/426181.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/426181.shtml</guid></item>
<item><title>Is SCIM the Shim You've Been Looking For </title><description>Secuobs.com : 2013-02-05 23:36:40 - 1 Raindrop - Over on Dark Reading, my latest column looks at the incentives driving SCIM Beyond the technical problems it solves, aligning incentives will be key to determine whether Cloud vendors line up behind it for provisioning is what will drive its success </description><link>http://www.secuobs.com/revue/news/425955.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/425955.shtml</guid></item>
<item><title>Can't We Just</title><description>Secuobs.com : 2013-02-04 21:32:56 - 1 Raindrop - My latest Dark Reading column is on the three worst words in the English Language- Can't we just go back through every suboptimal design decision and the prefix to the prevailing argument was probably  can't we just  </description><link>http://www.secuobs.com/revue/news/425732.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/425732.shtml</guid></item>
<item><title>New York, New York the City where Newspapers are Targeted </title><description>Secuobs.com : 2013-02-01 17:58:41 - 1 Raindrop - Richard Bejtlich tweeted yesterday that what was rare about the NYT hack was not that it happened but that they disclosed so much On a related point, I think this is pretty rare - in the course of reporting the NYT story, the WSJ disclosed almost as an aside that it had been notified of a breach  In the most recent incident, the Journal was notified by the FBI of a potential breach in the middle of last year, when </description><link>http://www.secuobs.com/revue/news/425262.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/425262.shtml</guid></item>
<item><title>One Month on a Treadmill Desk</title><description>Secuobs.com : 2013-02-01 17:07:35 - 1 Raindrop - Yesterday, I completed my first month with a Treadmill Desk There is not that much to them, a pretty bare bones standing desk and a treadmill that runs quietly Yet one month in I can say its the second greatest technology I have worked with in my career It is total yin yang balance A stress inducing device  computer  on top of a stress releasing device My world is in harmony Neal Stephenson's book Some Remarks has an excellent chapter </description><link>http://www.secuobs.com/revue/news/425249.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/425249.shtml</guid></item>
<item><title>The Next Mobile Wave- NYEAABTODADWI</title><description>Secuobs.com : 2013-01-31 18:24:39 - 1 Raindrop - Security departments are getting spun up over BYOD and its younger brother COPE  Company Owned, Personal Enabled  I suggest a new approach that is neither BYOD nor COPE, I even have a catchy slogan that is sure to catch on its called NYEAABTODADWI  Noticing Your Employees Are Already Bringing Their Own Devices And Dealing With It  WSJ summarizes the issues in How BYOD Became the Law of the Land  The most challenging adjustment and one that still has the longest </description><link>http://www.secuobs.com/revue/news/425011.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/425011.shtml</guid></item>
<item><title>Some thoughts on Security Blogging Hall of Fame and Shades of Gray</title><description>Secuobs.com : 2013-01-30 18:14:00 - 1 Raindrop - Alan Shimel announced the Security Blogger Awards and Security Blogger Hall of Fame It was a treat for me to be included in both, mostly because it was alongside a number of people whose work I have great respect for More than anyone, Richard Bejtlich was the guy who made me think a blog on technical security issues would be a good way to consolidate knowledge and that writing a journal on events in software security would be useful Jack </description><link>http://www.secuobs.com/revue/news/424802.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/424802.shtml</guid></item>
<item><title>Mobile App Sec Training in NYC</title><description>Secuobs.com : 2013-01-23 22:32:22 - 1 Raindrop - Are you interested in Mobile app security, Ken van Wyk and I are happy to announce our hands on training class for iOS and Android security will be in NYC this April 29-May 1 Early bird rates are offered now for this three day training session I've written on mobile security a number of times, its a new technology and its not a surprise that security is lagging technological innovation, but at the same time this time is worse The </description><link>http://www.secuobs.com/revue/news/423514.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/423514.shtml</guid></item>
<item><title>Incentives and Decision Making</title><description>Secuobs.com : 2013-01-23 21:39:49 - 1 Raindrop - Dan Geer has a snappy little rule of thumb on security which says that when those that can make the changes to improve security are not those that are impacted by the effect of poor security, you will basically get status quo and no security improvement In the same vein   Mohamed El-Erian co CEO PIMCO  We are kicking the can down the road on issues there's a reason for that Its the wrong generation making the decision Its basically my generation, which </description><link>http://www.secuobs.com/revue/news/423509.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/423509.shtml</guid></item>
<item><title>Does Your Company Actually Need a Security Department </title><description>Secuobs.com : 2013-01-09 17:23:22 - 1 Raindrop - Here is a dangerous question to start the new year  Does your company actually need a security department  If you are doing CYA instead of CIA, the answer is probably no Dark Reading </description><link>http://www.secuobs.com/revue/news/420717.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/420717.shtml</guid></item>
<item><title>The Road to the Security Cliff is Paved with Optionality</title><description>Secuobs.com : 2012-12-19 00:25:59 - 1 Raindrop - I have a regular blog on Dark Reading on Identity and Access Management topics Three recent ones  The Reason the OWASP Top Ten Doesn't Change - turns out six of the OWASP Top Ten are identity and access failures, who knew  The Most Important IAM Question  Who Does This  A haunting question that most companies answer with ad hoc resources The Identity Cliff  kicking the can down the road on security works, until it doesn't The last one is really </description><link>http://www.secuobs.com/revue/news/417699.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417699.shtml</guid></item>
<item><title>Bringing API Security to the most dangerous place in your enterprise</title><description>Secuobs.com : 2012-11-01 20:36:15 - 1 Raindrop - What's the most dangerous part of your enterprise  How about your developer's desktop  There are few things with more ability to negatively or positively impact your enterprise security than developers Infosec must empower them with knowledge and security tools they need to get the job done Intel is rolling out integration with Mashery for enhanced API security management Why is this a big deal  Back in February I did a Security  140 Conversation with Craig Burton  emphasis added  GP  </description><link>http://www.secuobs.com/revue/news/409064.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/409064.shtml</guid></item>
<item><title>Android Hacked in Ethiopia</title><description>Secuobs.com : 2012-11-01 15:05:24 - 1 Raindrop - Now this is a lede   What happens if you give a thousand Motorola Zoom tablet PCs to Ethiopian kids who have never even seen a printed word  Within five months, they'll start teaching themselves English while circumventing the security on your OS to customize settings and activate disabled hardware  Michael Howard said something years back that stuck with me - programming is human against compiler, much easier than security which is human against human Of course in this case its </description><link>http://www.secuobs.com/revue/news/409005.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/409005.shtml</guid></item>
<item><title>Mobile Brings a New Dimension to the Enterprise Risk Equation</title><description>Secuobs.com : 2012-10-09 21:38:34 - 1 Raindrop - In yesterday's blog we looked at Technical Debt, and how its infosec's habit to lag technology innovation In the big picture, this approach worked pretty well in the Web, early web security was pretty poor but early websites were mainly proof of concepts and brochureware As the value of the websites increased, infosec was able to mostly get just enough of the job done and played catchup for the whole decade But this catchup approach does not work in Mobile, </description><link>http://www.secuobs.com/revue/news/404544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/404544.shtml</guid></item>
<item><title>Line in the Sand on Subprime Security- Mobile Apps Can't Afford to Take on Technical Debt </title><description>Secuobs.com : 2012-10-08 23:55:58 - 1 Raindrop - If there is one thing that's crystal clear in Infosec its that Infosec lags software innovation Its a field where we are always playing catch up and the important question tends to be - how fast can we catch up  Because innovation outpaces security, Infosec has been a passive bystander shuffling debt issuances around like someone processing subprime mortgages and rating it Triple A when the first payment cannot even be made The industry ships apps everyday with substandard access </description><link>http://www.secuobs.com/revue/news/404307.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/404307.shtml</guid></item>
<item><title>What's In your Android Security Toolkit, Part 4</title><description>Secuobs.com : 2012-10-04 18:15:35 - 1 Raindrop - This is the fourth in a series of posts focused on building an Android Security toolkit. So far we have looked at access control services and defensive coding, which are necessary for the Mobile app, but no Mobile app is an island. Mobile apps can have lots of communication channels, such as SMS, NFC, and GPS. If used, each of these presents the enterprise a new set of challenges to deal with, protocols and threat models that the enterprise security </description><link>http://www.secuobs.com/revue/news/403604.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403604.shtml</guid></item>
<item><title>OAuth 2.0 - Google Learns to Crawl</title><description>Secuobs.com : 2012-09-27 17:01:29 - 1 Raindrop - Good news - Google is shipping OAuth 2.0 tools via Google Play. Wish this had happened years ago when the Android platform shipped, but it's good it's happening now. OAuth 2.0 is not perfect from a security perspective, but as Tim Bray says, this is Pretty Good Security meets Pretty Good Usability. Makes sense to me - we have to stop using passwords and we have to do so in a way that won't have developers rioting in the streets </description><link>http://www.secuobs.com/revue/news/402176.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402176.shtml</guid></item>
<item><title>What's in your Android Security Toolkit Part 3</title><description>Secuobs.com : 2012-09-26 18:20:09 - 1 Raindrop - In the last two posts, we explored what goes into building an Android Security Toolkit; these are tools that developers can apply to minimize the amount of vulnerabilities in their Android app and, because no app is perfect, to lessen the impact of those that remain. So far we focused on access control, which helps to establish the "rules of the game": authentication and authorization control who is allowed to use the app and what they are allowed to do </description><link>http://www.secuobs.com/revue/news/401910.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401910.shtml</guid></item>
<item><title>Building Your Android Security Toolkit, Part 2</title><description>Secuobs.com : 2012-09-19 02:54:27 - 1 Raindrop - In the last post, we started building out an Android Security Toolkit, things every Android developer should know about security. Access control is fundamental to application security. In my perfect world, when a developer learns a new language they first learn Hello World; the next thing a developer learns should be how to implement who are you and what can you do in the language - authentication and authorization. The AndroidManifest.xml file describes the access control policy that forms the </description><link>http://www.secuobs.com/revue/news/400420.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400420.shtml</guid></item>
<item><title>What's In your Android Security Toolkit</title><description>Secuobs.com : 2012-09-12 05:10:08 - 1 Raindrop - Ken van Wyk asks mobile developers - what's in your bag of tricks? From a security perspective Ken lists a number of critical things for developers to protect their app, their data and their users; these include protecting secrets in transit and at rest, server connection, authentication, authorization, input validation and output encoding. These are all fundamental to building a secure mobile app. Over the next few posts, I will address the core security issues from an Android standpoint </description><link>http://www.secuobs.com/revue/news/399081.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399081.shtml</guid></item>
<item><title>Why We Train</title><description>Secuobs.com : 2012-09-07 19:03:14 - 1 Raindrop - Over on the Mobile App Sec blog, Ken van Wyk asks what is in your Mobile App Security toolkit. I had planned to write a post responding to that, but saw the tweet below from two of my favorite people in the industry and thought I would expand on this. The first part, mostly, makes sense. Training developers is not an instantaneous fix, to be sure. In my training for developers we look at concrete ways for developers and security </description><link>http://www.secuobs.com/revue/news/398312.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398312.shtml</guid></item>
<item><title>Der Auditor</title><description>Secuobs.com : 2012-09-02 00:52:23 - 1 Raindrop - Well done, Marcus. Come join two leading experts, Gunnar Peterson and Ken van Wyk, for a Mobile App Security Training - hands on iOS and Android security, in San Jose, California, on November 5-7, 2012 </description><link>http://www.secuobs.com/revue/news/397204.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397204.shtml</guid></item>
<item><title>Mobile Attack Surface</title><description>Secuobs.com : 2012-09-01 18:40:10 - 1 Raindrop - Jim Bird and Jim Manico are working on a new addition to the OWASP Cheat Sheets family; they have a draft cheat sheet on Attack Surface in process. The Attack Surface helps you see where your system can be attacked. From the Cheat Sheet: Attack Surface Analysis helps you to identify what you need to review/test for security vulnerabilities, identify high risk areas of code that require defense-in-depth protection, identify when you've changed the attack surface and need to do </description><link>http://www.secuobs.com/revue/news/397180.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397180.shtml</guid></item>
<item><title>New Blog - Mobile App Sec Triathlon</title><description>Secuobs.com : 2012-08-29 17:40:14 - 1 Raindrop - Ken van Wyk and I started a new blog for Mobile App Sec Triathlon, which you may be interested in reading. Ken has two new posts: iOS SMS Spoofing - What every developer should know; Astounding amount of iOS apps have been hacked. Really? We will be posting there leading up to our Mobile App Sec training class in San Jose Nov 5-7. If you are working on mobile apps, join us there </description><link>http://www.secuobs.com/revue/news/396497.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396497.shtml</guid></item>
<item><title>Identity is Center Stage in Mobile Security Venn</title><description>Secuobs.com : 2012-08-23 19:21:46 - 1 Raindrop - In looking at the overall pieces in play for Enterprise security architecture in Mobile app deployments, there are three high level categories of security concern. Mobile Security - this is net new for the enterprise. Mobile apps need to deal with proprietary, byzantine systems and their access control models. Unlike traditional enterprise desktops, where enterprise security teams can configure systems the way they would like, the smartphones and tablets of today are akin to buying a car with the hood </description><link>http://www.secuobs.com/revue/news/395387.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395387.shtml</guid></item>
<item><title>Security &gt; 140 Conversation with Jason Chan</title><description>Secuobs.com : 2012-08-01 17:00:22 - 1 Raindrop - Jason Chan is Cloud Security Architect at Netflix. In this Security &gt; 140 conversation, we discuss some of the innovations that Netflix has applied to its security in AWS and what other enterprises can learn from their pioneering experiences. GP: Jason, your practitioner's perspective of AWS in particular and overall approach to security in general at Netflix is something I think the industry can benefit from. You use an evocative image to describe the shared security responsibility for AWS users, </description><link>http://www.secuobs.com/revue/news/391091.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391091.shtml</guid></item>
<item><title>Assume a Secure Endpoint</title><description>Secuobs.com : 2012-07-19 15:26:00 - 1 Raindrop - This is a snippet from my Cloud Identity Summit talk; there is an old physics saying - assume a spherical cow of uniform density. Thanks to Marcus Ranum we now have the infosec equivalent - "the endpoints we have so far never made any successful effort to secure, which we will assume forthwith to be secure" </description><link>http://www.secuobs.com/revue/news/388397.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388397.shtml</guid></item>
<item><title>Tao of the Software Architect</title><description>Secuobs.com : 2012-07-10 17:11:25 - 1 Raindrop - I have long been a fan of Philippe Kruchten's work. 4+1 showed a new way to look at software architecture and I still consider it the defining work in the profession due to its simplicity and clarity. Philippe's Tao of the Software Architect is a little known gem; one of my favorite parts: When the process is lost, there is good practice. When good practice is lost, there are rules. When rules are lost, there is ritual. Ritual is the beginning </description><link>http://www.secuobs.com/revue/news/386342.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386342.shtml</guid></item>
<item><title>Software Security - Putting Hippies and Nerds to Work in the Right Places</title><description>Secuobs.com : 2012-07-09 18:22:32 - 1 Raindrop - Many years ago Robert X. Cringely sagely observed that there are only two types of programmers: hippie programmers and nerd programmers. The Hippie programmers do the right thing, the wrong way. The nerd programmers do the wrong thing, the right way. I will pause a moment here for you to mentally categorize the programmers you have worked with. There's lots of examples of these personality types in software security; introducing nonces to deal with CSRF is a nerd programming idea, </description><link>http://www.secuobs.com/revue/news/386139.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386139.shtml</guid></item>
<item><title>Standards Are Half the Battle</title><description>Secuobs.com : 2012-06-28 18:20:21 - 1 Raindrop - I have a paper at IANS that's on Cloud Identity Management Standards. One of the main points is to communicate the need to understand the limitations of standards. Standards like SAML, OAuth, OpenID Connect have helped enterprises make a lot of progress on security issues in recent years, but there are no silver bullets and this is just another example of that. CSA and other industry guidance is replete with pointers to interesting standards that can help enterprises on the journey </description><link>http://www.secuobs.com/revue/news/384416.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/384416.shtml</guid></item>
<item><title>Price is What You Pay, Value is What You Get</title><description>Secuobs.com : 2012-06-26 19:39:20 - 1 Raindrop - The analyst firm RedMonk in general and Stephen O'Grady in particular do a lot of great analysis on software, open source and other tech issues. A recent post on the Microsoft Surface has some good examples of the firm's push-the-envelope thinking; in a nutshell, software is waning and hardware is waxing. However, the data framework used to justify the core point (however valid it is or not, we'll see) does not stand the test. Price reflects what investors </description><link>http://www.secuobs.com/revue/news/383892.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383892.shtml</guid></item>
<item><title>Loser Stories</title><description>Secuobs.com : 2012-06-25 17:23:54 - 1 Raindrop - Software development is about making things work; what infosec brings to the table is to account for what happens when things don't work as planned. Years ago software security was mostly scanning apps right before they shipped, but most enterprise SDLCs have got better over the years about building at least some security into the process further upstream. This has improved the access control, defensive programming and other key bits in the security of many systems. Still, Richard Bejtlich's question </description><link>http://www.secuobs.com/revue/news/383592.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383592.shtml</guid></item>
<item><title>Survey Says - Security Spending Going Up, Up, Up</title><description>Secuobs.com : 2012-06-14 23:12:28 - 1 Raindrop - The Index of CyberSecurity is one of the only instances of the use of the word cyber that doesn't make me immediately want to rip my own flesh off. It's somewhat similar to the economic measure - Purchasing Manager's Index - in that it gathers data from the people with their hands on the wheel. Since the PMI shows the demand side, it's interesting that the monthly question this month addressed the demand side for ICS, asking: Given the current threat </description><link>http://www.secuobs.com/revue/news/381676.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/381676.shtml</guid></item>
<item><title>Passive Aggressive SDLC - When Yes Means No</title><description>Secuobs.com : 2012-06-11 16:46:50 - 1 Raindrop - After years of trying, Infosec has made some headway inserting some basic security disciplines into enterprise SDLC. Sometimes it's checklists, or threat models, and often it's more tooling than process. When I work on Security in SDLC, I like to start by analyzing how the SDLC actually works. Not how the managers think/say it works, but follow the code from ideation to development to deployment. These initial processes before coding end up being interesting from a security architecture standpoint </description><link>http://www.secuobs.com/revue/news/380795.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/380795.shtml</guid></item>
<item><title>Pseudorandom thought on how to make the best of Agile</title><description>Secuobs.com : 2012-05-31 20:15:07 - 1 Raindrop - Agile is not an ideal development methodology from a security perspective, but then again - what is? The Agile family of methodologies represents the dominant approach to building software today. In some ways they are quite helpful to security, not when compared to theoretical SDL approaches but when compared to real world alternatives. So while Agile is not the be all end all from a security viewpoint, as your Mom told you - make the best of it. Here are </description><link>http://www.secuobs.com/revue/news/378824.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/378824.shtml</guid></item>
<item><title>Process Improvement with Checklists</title><description>Secuobs.com : 2012-05-15 16:18:55 - 1 Raindrop - My talk at Secure 360 was on Process Not Outcomes; we've limited control over outcomes, but we can all improve our processes. One way to do this is with checklists. Checklists help us navigate complex domains and avoid mistakes around things that we know but don't apply. One of the things that makes infosec an interesting field is the situation that I characterize as 50% gnarly, deep technical problems (think Kerberos) and 50% brain dead mistakes (think private keys in </description><link>http://www.secuobs.com/revue/news/375607.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/375607.shtml</guid></item>
<item><title>2008 Lessons Not Learnt</title><description>Secuobs.com : 2012-05-11 23:36:52 - 1 Raindrop - James Montier talks about the flaws of finance that led to the 2008 crash - bad models, bad incentives and bad behavior. Jeremy Grantham said that in response to 2008 we would learn a lot in the short term, a little in the mid term and in the long term nothing. That's the historical precedent. In the last six months we've had the trifecta come back only a few years removed from staring into the abyss in 2008; here </description><link>http://www.secuobs.com/revue/news/375171.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/375171.shtml</guid></item>
<item><title>I am a better Security Pro because I am an Investor; I am a better Investor Because I am a Security Pro</title><description>Secuobs.com : 2012-05-08 17:59:23 - 1 Raindrop - I am a better Security Pro because I am an Investor; I am a better Investor Because I am a Security Pro - Why investing is important, and why Security Pros are uniquely suited to it. Society of Information Risk Analysts Conference, by Gunnar Peterson, May 7, 2012. Thanks to Jay Jacobs for allowing me to speak on this topic. I am going to take you a little off track but I hope the journey will be worthwhile from </description><link>http://www.secuobs.com/revue/news/374308.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/374308.shtml</guid></item>
<item><title>Security Integration or How do we make Gene Spafford Smile</title><description>Secuobs.com : 2012-04-25 16:35:31 - 1 Raindrop - ImmunoGen and Seattle Genetics are two fascinating biotechs, but they don't make antibodies as such. Instead they link antibodies and deliver them so they can hit their target and make a heat seeking missile targeting cancers and other diseases. What I find fascinating about this is that there are now antibodies that seemed to solve certain diseases but have sat on the shelf for 20-30 years because there was no way to deliver the drug to the right location. Bilbo </description><link>http://www.secuobs.com/revue/news/371931.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/371931.shtml</guid></item>
<item><title>Who Manages App Gateways? Who Indeed? Yo La Tengo - Call in Security DevOps</title><description>Secuobs.com : 2012-03-27 16:18:12 - 1 Raindrop - Mark O'Neill asked a tough question - Who Manages Application Gateways? The heart of the matter is - So, breaking it down, there are two things going on here: (1) moving integration and security tasks onto network infrastructure, and (2) managing the Gateway as a piece of network infrastructure. It follows logically that there are two distinct roles involved here: (1) the person configuring services and policies on the Gateway, and (2) the person operationally managing the Gateway. Person (1) </description><link>http://www.secuobs.com/revue/news/366400.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/366400.shtml</guid></item>
<item><title>Dreaming a Little Appsec Dream</title><description>Secuobs.com : 2012-03-26 21:26:45 - 1 Raindrop - As much as developer education in secure coding needs to improve, we cannot leave the invoice for all the issues on the developer's doorstep. For one thing, there is basically no support for security in programming languages. Allow me to dream a little dream; most people involved in appsec have a set of pet ideas they would like to see implemented to make major improvements. Being in the appsec world for a long time, I am not sure there will </description><link>http://www.secuobs.com/revue/news/366227.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/366227.shtml</guid></item>
<item><title>Making a (Gasp) Tech Dividend Growth Fund</title><description>Secuobs.com : 2012-03-23 02:22:03 - 1 Raindrop - Well it took til 2012, but Apple is paying a dividend (not quite actually, they had paid one previously all the way back in 1995). But in honor of this latest entrant in the dividend paying companies, let's look at the possibility of building a dividend index out of (can you believe it) a set of tech companies. Ten years ago tech companies were mocked as bogus and lumped under the heading of pets.com style flameouts, and the "real" companies, Financial services, were </description><link>http://www.secuobs.com/revue/news/365581.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/365581.shtml</guid></item>
<item><title>Infosec Mindset</title><description>Secuobs.com : 2012-03-21 15:37:59 - 1 Raindrop - From Stephen Northcutt's remembrance of Hal Tipton: I was asked to work with NASA as part of the get back into space after the Challenger disaster. The project culminated with a series of briefings to senior management and I did one on security. In the evening there was a mixer. Hal came up to me, pushed his finger into my chest and said, "You have no idea what you are talking about." OK, I thought to myself and waited. Hal continued, "Your </description><link>http://www.secuobs.com/revue/news/365100.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/365100.shtml</guid></item>
<item><title>Security Failure Scenarios</title><description>Secuobs.com : 2012-03-15 23:28:15 - 1 Raindrop - Richard Bejtlich can pack more depth into a tweet than most people can in a 2,000 word article: Q: What happens when you try to prevent an attack by professionals? A: You lose. So, fast detection and response is best refuge. Security is a loser's game where you aren't trying to win per se but rather trying to avoid losses; however losses still happen. Good engineering practice requires designing for failure and security mechanisms are no different. In any SDLC </description><link>http://www.secuobs.com/revue/news/363914.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/363914.shtml</guid></item>
<item><title>Trust</title><description>Secuobs.com : 2012-03-14 21:28:01 - 1 Raindrop - In God we trust, all others go through the access control matrix </description><link>http://www.secuobs.com/revue/news/363576.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/363576.shtml</guid></item>
<item><title>Market Low Anniversary</title><description>Secuobs.com : 2012-03-12 17:48:43 - 1 Raindrop - It's pretty clear that we humans have a tenuous at best grasp on risk. One reason I enjoy looking at market examples for risk-related behavior is that the stock market provides a transparency that's lacking in infosec, but the decisions and behavior are derived from the same biases. Today we are three years removed from the generational stock market downturn where, in March 2009, the S&amp;P Index touched 666. Take yourself back to that time; collapseniks were the belles of the ball </description><link>http://www.secuobs.com/revue/news/362972.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/362972.shtml</guid></item>
<item><title>Federal Cloud Security Challenges and Solutions</title><description>Secuobs.com : 2012-03-09 20:08:19 - 1 Raindrop - There is a lot happening in the Federal space related to security standards. I wrote a paper, which you can get on Intel's blog, on some of the more interesting standards - Federal ICAM Roadmap, NSTIC, FedRAMP, and HSPD-12. Federal ICAM Roadmap goal: Increased security, decreased identity theft, data breaches, and trust violations. NSTIC - Why We Need It: 1. Passwords are inconvenient and insecure. 2. Individuals are unable to prove their true identity online for significant transactions. FedRAMP: The decision </description><link>http://www.secuobs.com/revue/news/362615.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/362615.shtml</guid></item>
<item><title>Gillian Tett on Risk</title><description>Secuobs.com : 2012-03-08 16:43:07 - 1 Raindrop - Gillian Tett: "So we Super Seniored the entire financial system and just ignored it." This is still going on by the way, but what I think it shows, and what I think is instructive to technical risk such as infosec, is the role of assurance and challenging assumptions. There are huge pools of risk that get missed or ignored due to "inside the firewall / outside the firewall" type grouping. The interworking is poorly understood and layering on assumptions what controls can </description><link>http://www.secuobs.com/revue/news/362256.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/362256.shtml</guid></item>
<item><title>Heartland 2011</title><description>Secuobs.com : 2012-03-07 06:09:30 - 1 Raindrop - Heartland's stock fell precipitously when the breach was announced, from around $17/share to under $5. But anyone who bought the stock then has done quite well. A little more than three years on, the shares closed today at $28.43, good for a 568% improvement (who cares about the Facebook IPO?). Too bad you didn't buy Heartland the day of the breach. Of course, it's easy to find winners after the fact - just like I can give you a great weather </description><link>http://www.secuobs.com/revue/news/361861.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/361861.shtml</guid></item>
<item><title>Envy and the Facebook IPO</title><description>Secuobs.com : 2012-02-08 17:34:49 - 1 Raindrop - Now that three different people have wistfully said to me that they wish they went to work at Facebook, I'd like to remind everyone of Charlie Munger's analysis - envy is the dumbest of the seven deadly sins, because you only feel bad. All the others - gluttony, lust, etc. - all have some upside as well as downside, but with envy there's only upside. As an example Munger says you can pay someone on Wall St. $2 million a </description><link>http://www.secuobs.com/revue/news/356704.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/356704.shtml</guid></item>
<item><title>Security &gt; 140 Conversation with Craig Burton</title><description>Secuobs.com : 2012-02-03 00:14:58 - 1 Raindrop - Today's Security &gt; 140 Conversation is with Craig Burton, a Distinguished Analyst at Kuppinger Cole; in his recent work, Craig explores the API Economy and how participating in the API economy reconfigures organizations' priorities. GP: Your work on the API economy has many implications; as a security guy I am particularly interested in the security and identity bits. What do you think changes in the security architect's world when they're defending an API (and the data and functionality behind </description><link>http://www.secuobs.com/revue/news/355679.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/355679.shtml</guid></item>
<item><title>Firewalls and SSL: More Profitable than Facebook</title><description>Secuobs.com : 2012-01-31 19:57:09 - 1 Raindrop - In this list of Ten Tech Companies that are more Profitable than Facebook, there are two infosec representatives. Facebook has 40% Operating Margins, very respectable even by tech company standards. However, not to be outdone, infosec's 1995 innovation outperforms even the latest buzzworthy names like Facebook. Checkpoint sports 56% Operating Margins, and the other tech that's more profitable than Facebook that happens to be an infosec company? You guessed it - Verisign at 42% Operating Margins. All for companies making </description><link>http://www.secuobs.com/revue/news/355075.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/355075.shtml</guid></item>
<item><title>Subjective Probabilities: You Still Need to Think</title><description>Secuobs.com : 2012-01-30 18:46:06 - 1 Raindrop - I have followed Markel and Tom Gayner (Markel's CIO) for several years. Markel is often classified as a Baby Berkshire in that they are an insurance company who invests their float (the premiums before they are paid out) in a conservative, long term stock portfolio. Markel writes some pretty interesting policies (they got started many years ago insuring jitneys), including Data Breach insurance (you will see why). Tom Gayner spoke at Motley Fool on some of Markel's background and approach </description><link>http://www.secuobs.com/revue/news/354850.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/354850.shtml</guid></item>
<item><title>Fatal Separation of Risk Theory and Practice</title><description>Secuobs.com : 2012-01-27 03:37:46 - 1 Raindrop - One of the highlights for me in 2011 was when I got invited to speak at a leading university on the financial crisis. This university is home to some of the most well known and influential economists. The topic I planned to speak on is the fatal separation between academic theory and real world practice in markets. The notion of risk is certainly at the heart of this; Pat Dorsey recently wrote an insightful piece on this point. Stipp: You wrote </description><link>http://www.secuobs.com/revue/news/354353.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/354353.shtml</guid></item>
<item><title>Understanding Cloud Security Standards Part 3</title><description>Secuobs.com : 2012-01-25 18:35:07 - 1 Raindrop - Part three of my three part series on Cloud Security Standards is available on the Intel blog (Part 1, Part 2, Part 3). Part 1 examines four Identity and Access Anti-Patterns that occur regularly with enterprises moving to Cloud, including: Low/no access control - we'll see if it works and add security later; Replicating user accounts - copying enterprise directory in full or extract to Cloud Provider; Copying credentials - copying or hardcoding credentials to Cloud based services; "Trusted" proxy </description><link>http://www.secuobs.com/revue/news/354071.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/354071.shtml</guid></item>
<item><title>Google Renews Push Into China</title><description>Secuobs.com : 2012-01-12 15:44:47 - 1 Raindrop - Two years after saying they were going to be pulling out of China, Google renews its push into China. Google's share of China's Web-search market fell to 17.2% in the third quarter of 2011 from 36% in the fourth quarter of 2009, largely to the benefit of rival Baidu Inc., according to Analysys International, a Beijing-based research firm. Even during the APT hysteria of 2010 it wasn't particularly difficult to see that it would go this way. The IMF predicts </description><link>http://www.secuobs.com/revue/news/351703.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/351703.shtml</guid></item>
<item><title>Costco's Value Chain</title><description>Secuobs.com : 2012-01-09 17:01:16 - 1 Raindrop - Morningstar awarded Costco CEO Jim Sinegal its CEO of the Year. Like infosec, retail is a tough business, and Sinegal and Costco succeeded by following a core set of values and by doing things differently. Several years ago a Costco clothing buyer was able to purchase a large quantity of high-end brand-name jeans at an extremely low price, and the pants showed up in the warehouses for $29.99. The same jeans were selling for $50 at department stores. It turns </description><link>http://www.secuobs.com/revue/news/350987.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/350987.shtml</guid></item>
<item><title>Good News and Bad News</title><description>Secuobs.com : 2011-12-08 19:21:10 - 1 Raindrop - Long before the shenanigans and financial collapse of 2007-8, Dan Geer said that in the financial world risk management works because there is zero ambiguity over who owns which risk, and rightly fretted that here in infosec we suffer from nothing but ambiguity over who owns what risk. First for the Good News: in infosec we're now a lot closer to the financial world in terms of risk management. Now for the Bad News: the reason we're closer is that </description><link>http://www.secuobs.com/revue/news/346147.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/346147.shtml</guid></item>
<item><title>Top 5 Security Influencers</title><description>Secuobs.com : 2011-12-07 18:04:36 - 1 Raindrop - It's December and so it's the season for lists. Here is my list of Top 5 Security Influencers; this is the list with the people who have the biggest (good and/or bad) influence on your company and users' security: The Person Coding Your App, Your DBA, Your Testers, Your Ops team, You. Except for perhaps the last one, what do these all have in common? None of them are in the Security Department! We shouldn't look at security as a </description><link>http://www.secuobs.com/revue/news/345884.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/345884.shtml</guid></item>
<item><title>Understanding Cloud Security Standards Part 2</title><description>Secuobs.com : 2011-12-06 22:49:39 - 1 Raindrop - Over on the Intel Cloud Access 360 blog I have a series on Understanding Cloud Security Standards. In part one, I looked at Cloud Security Anti-Patterns. The four Anti-Patterns that occur regularly with enterprises moving to Cloud include: Low/no access control - we'll see if it works and add security later; Replicating user accounts - copying enterprise directory in full or extract to Cloud Provider; Copying credentials - copying or hardcoding credentials to Cloud based services; "Trusted" proxy - Gateway is </description><link>http://www.secuobs.com/revue/news/345714.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/345714.shtml</guid></item>
<item><title>You Assert, We Decide</title><description>Secuobs.com : 2011-12-05 18:18:36 - 1 Raindrop - One of the complicating factors in AppSec these days is access control in distributed systems Dividing up the roles and responsibilities for authN, authZ, attribution and identity management is a daunting task A typical enterprise is used to putting a ring fence around its assets and managing everything within the fence with RACF TopSecret, AD, and other technologies But these are insufficient by themselves for today's integrated applications Identity has made a tremendous amount of progress in the last ten years, standards </description><link>http://www.secuobs.com/revue/news/345405.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/345405.shtml</guid></item>
<item><title>Interview on Healthcare IT Security</title><description>Secuobs.com : 2011-11-15 20:28:29 - 1 Raindrop - Recently George Hulme interviewed me on Why healthcare IT security is harder than the rest There are a number of reasons - the overall domain complexity of healthcare versus financial services, the amount of resources that healthcare companies allocate to security and the collision of privacy and security We also discuss some ideas for healthcare companies and what they can practically do about improving their security posture </description><link>http://www.secuobs.com/revue/news/340837.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/340837.shtml</guid></item>
<item><title>Notes on Cybersecurity Research Agenda from Dan Geer</title><description>Secuobs.com : 2011-11-11 22:07:23 - 1 Raindrop - A new cybersecurity research agenda from Dan Geer in three minutes or less - some snippets We would need a lot less research if we put into practice what we already know But we don't Ergo, why we don't put into practice what we already know is itself a research-grade topic Comment  the main blocking factors are usability and integration As to integration, security is not just  put in the policy and everyone will implement it , it's integration engineering to </description><link>http://www.secuobs.com/revue/news/340252.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/340252.shtml</guid></item>
<item><title>Harvard Stupid</title><description>Secuobs.com : 2011-10-31 16:35:21 - 1 Raindrop - I have heard the term  Harvard stupid  used for the last several years, and loved it because it conveys so much meaning in a simple way I never knew its origin until recently when I found out that it was traced back to one of my favorite Motley Fool writers, Bill Mann, who wrote about it in October 2008   Harvard stupid comes from thinking that you're smarter than everyone without recognizing that you still might not be smart enough to </description><link>http://www.secuobs.com/revue/news/337829.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/337829.shtml</guid></item>
<item><title>Assurance of Assessments</title><description>Secuobs.com : 2011-10-19 19:16:09 - 1 Raindrop - The role of assessment in security is to provide some evidence that the reality of the implementation meets the security goals You can't just rely on paper documents and standards or even reading source code alone As the spooks like to say -  we don't break standards, we break implementations  Confirmation bias and perverse incentives are two of the biggest enemies for assessments, because they direct the assessment's bias in the wrong direction - away from reality and towards wishful </description><link>http://www.secuobs.com/revue/news/335756.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/335756.shtml</guid></item>
<item><title>Steve's Google Platform Rant and the Long, Hard Slog of AppSec</title><description>Secuobs.com : 2011-10-14 16:54:36 - 1 Raindrop - I guess everyone has read the rant, I didn't see anything in there that I have not frequently heard in many dev arch ops security discussions over the years I wanted to make a couple of comments as it relates to security Lots of people working in Fortune 500 type companies assume that their world is different from the big tech companies like say Google, but you can see that all the same challenges an undermanned, underfunded, underempowered security team has at say </description><link>http://www.secuobs.com/revue/news/334812.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/334812.shtml</guid></item>
<item><title>Mobile AppSec Training</title><description>Secuobs.com : 2011-10-14 16:54:36 - 1 Raindrop - I am pleased to announce that Ken van Wyk and I are teaching Mobile App Sec Triathlon, it covers Mobile Security in depth - aimed at people developing and deploying Mobile Apps The class is in San Jose November 2-4 The course is built in a 3-day format, with different options for different interests The first day is cross-platform, while days 2 and 3 are run as parallel tracks on iOS and Android topics This allows application architects, IT security </description><link>http://www.secuobs.com/revue/news/334811.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/334811.shtml</guid></item>
<item><title>Federal Cloud Security Initiatives Webinar</title><description>Secuobs.com : 2011-10-06 17:37:09 - 1 Raindrop - I am doing a webinar on Federal Cloud Security initiatives such as FedRAMP, NSTIC, and FICAM, with Tim Grance from NIST and Andy Thurai who is Intel's Application Security   Identity Products Chief Architect More info on registration is here </description><link>http://www.secuobs.com/revue/news/333117.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/333117.shtml</guid></item>
<item><title>Real Artists Ship</title><description>Secuobs.com : 2011-10-06 16:50:17 - 1 Raindrop - Anyone who is in technology has been there, there is a battle on your project on doing it  the right way  and shipping the product on time and budget while getting the right balance of features and  ilities  These forces collide often enough that there are whole schools of various project management disciplines and their disciples evangelize Agile, Rational and a host of other methodologies Steve Jobs had three remarkable careers, any one of which would be enough to propel </description><link>http://www.secuobs.com/revue/news/333095.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/333095.shtml</guid></item>
<item><title>Security  140 Conversation with Marcus Ranum Part 2</title><description>Secuobs.com : 2011-10-05 23:08:37 - 1 Raindrop - This is part 2 of a Security  140 Conversation with Marcus Ranum GP  You recently published a series on the Fabius Maximus blog, and I want to drill down on a number of the points you raised In one post you speculated  Perhaps, in cyberspace, the best defense is a strong defense , one of the examples you gave was from IT  in IT you run into a problem, which is that something can be deeply broken but still appear </description><link>http://www.secuobs.com/revue/news/332967.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/332967.shtml</guid></item>
<item><title>YUM Case Study in Globalization</title><description>Secuobs.com : 2011-10-05 01:26:43 - 1 Raindrop - Globalization is something lots of people talk about at a high level, and it's typically focused on manufacturing I blogged about Zach Karabell's notion of Chimerica which is not a single  place  but rather a cross border supply and demand chain, where is a GE washing machine made for example  But the type of trading that's occurring now is, in addition to manufacturing, at a much deeper, cultural level YUM brands owns a number of familiar chains - KFC, Pizza </description><link>http://www.secuobs.com/revue/news/332717.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/332717.shtml</guid></item>
<item><title>Understanding Cloud Security Standards</title><description>Secuobs.com : 2011-09-30 17:27:31 - 1 Raindrop - I have a post on Intel's Cloud Access Security blog on Understanding Cloud Security Standards, this is part 1 of a series Before diving into the standards and patterns, I discuss four Anti-Patterns that have emerged in Cloud Security  Low no access control Replicating user accounts Copying credentials  Trusted  proxy These examples of Anti-Patterns, ie things to avoid, are discussed further in the blog, and we'll look at how to remedy these in your Cloud Security Architecture read it here </description><link>http://www.secuobs.com/revue/news/331975.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331975.shtml</guid></item>
<item><title>Security  140 Conversation with Marcus Ranum</title><description>Secuobs.com : 2011-09-29 20:42:57 - 1 Raindrop - Today's Security  140 is with Tenable CSO Marcus Ranum who needs no introduction to readers of this blog GP  During the financial crisis a lot of the failures in financial firms were a direct result of financial instruments that were supposed to make things more safe not less safe In 2008 it was derivatives that supposedly made it easier to manage risk, but this increased confidence in the big banks who leveraged up 30 to 1 and 40 to </description><link>http://www.secuobs.com/revue/news/331808.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331808.shtml</guid></item>
<item><title>Jack Bogle on ETFs</title><description>Secuobs.com : 2011-09-29 19:55:05 - 1 Raindrop - Vanguard founder Jack Bogle invented the Index Fund in 1975, the most famous of which is the S P 500 which is widely used as the bogey against which people judge their investment success or failure Bogle describes the value of taking an overwhelmingly simple approach to buying stocks, don't pick stocks - you may guess right but you may guess wrong and either way you incur fees and taxes which make it next to impossible to  beat the market  for </description><link>http://www.secuobs.com/revue/news/331801.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331801.shtml</guid></item>
<item><title>BSIMM turns 3</title><description>Secuobs.com : 2011-09-27 23:04:11 - 1 Raindrop - BSIMM has reached version 3, Building Security In  the BSI part  remains a relatively new field, there is a lot of learning as the field evolves Ed Bellis pointed this out in a blog post about New School Security In the post Ed called the book New School Security the Moneyball of Infosec  note - Adam says he would want Anthony Hopkins not Brad Pitt to play him in the inevitable movie adaptation of New School Security  I consider the  its </description><link>http://www.secuobs.com/revue/news/331379.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331379.shtml</guid></item>
<item><title>UBS CEO Steps Down</title><description>Secuobs.com : 2011-09-26 19:38:52 - 1 Raindrop - Every time I write a UBS Rogue Trader blog post I think it's the last one and then something else happens That something in today's post is that UBS' CEO is stepping down the reason given is the rogue trading scandal Is one  rogue  trader's actions even losing  32 billion enough to bring down a CEO  Up to this point Oswald Grübel's reign atop UBS has generally been given high marks so it does not appear to be a case of </description><link>http://www.secuobs.com/revue/news/331126.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331126.shtml</guid></item>
<item><title>Dangers of Safety Mechanisms</title><description>Secuobs.com : 2011-09-23 16:48:47 - 1 Raindrop - Many times safety and security mechanisms simply move risk from one place to another Sure sometimes we manage to reduce risk, but sometimes we increase it Perception of the problem we are solving and how we go about solving it has a lot to do with this A question comes to mind - how many legs does a three legged dog have if you call a tail a leg  Answer  three Just because you call a tail a leg doesn't </description><link>http://www.secuobs.com/revue/news/330633.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/330633.shtml</guid></item>
<item><title>Don't Hit the Snooze Button on DigiNotar Alarm Bells</title><description>Secuobs.com : 2011-09-22 19:57:58 - 1 Raindrop - The DigiNotar breach is being called the worst breach so far Breaches come in all shapes and sizes, but when they occur on the very systems that are supposed to protect us, the impact is more widespread Certainly this is not the first Certificate Authority breach, Comodo is just one recent example of SSL Certificate Authority breaches Engineers know that there is far more to learn from failure than success Bridge engineers study famous failures such as the Tacoma Narrows </description><link>http://www.secuobs.com/revue/news/330427.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/330427.shtml</guid></item>
<item><title>Gone Rogue - Lessons Not Learnt</title><description>Secuobs.com : 2011-09-20 04:56:06 - 1 Raindrop - Well it's happened again, UBS announced that a  rogue trader  is responsible for  2 billion  23 billion in losses Apparently a Swiss currency hedge gone wrong was the culprit Or was it  This was not a senior trader, he was by all accounts early in his career having worked his way up from the back office Where have we heard this before  Societe Generale where Jerome Kerviel worked his way  up  from IT to trading and due to what appeared </description><link>http://www.secuobs.com/revue/news/329807.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/329807.shtml</guid></item>
<item><title>Security  140 Conversation with Ken van Wyk on Mobile Security, Part 2</title><description>Secuobs.com : 2011-09-14 17:07:41 - 1 Raindrop - Here is Part 2 of the Security  140 Conversation with Ken van Wyk discussing Mobile App Security tools, technologies and what developers can do to make improvements to their mobile apps' security Note, Ken and I will lead the Mobile App Sec Triathlon training class in San Jose November 2-4 If you are interested in Mobile Apps - check it out GP  Is the lack of mobile security tools simply a case of security being behind the curve of the </description><link>http://www.secuobs.com/revue/news/328826.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/328826.shtml</guid></item>
<item><title>Security  140 Conversation with Ken van Wyk on Mobile App Security</title><description>Secuobs.com : 2011-09-13 00:20:23 - 1 Raindrop - Ken van Wyk is an internationally recognized information security expert and author of the popular O'Reilly and Associates books, Incident Response and Secure Coding  Principles and Practices, as well as a monthly columnist for Computerworld Among his numerous professional roles, Ken serves on the boards of two non-profit organizations, FIRST and SecAppDev Ken is also the project leader of the Open Web Application Security Project  OWASP  iGoat project, an interactive tool designed to help iOS app developers learn how to </description><link>http://www.secuobs.com/revue/news/328448.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/328448.shtml</guid></item>
</channel>
</rss>
