Justice League Blog

Mobile: Different or Same Sh*t Different Day?

Is mobile security the ‘same problem’ as web application security? Is it just ‘different day’? I’ve watched organizations and mobile Thought Leaders argue perspectives on this question back and forth for years. The answer is, of course: both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about [...]

Business Logic: High Frequency Trading’s Security Lessons

A quick’un: When the Associated Press’s Twitter feed was hacked a posted tweet indicated that the president was injured in an explosion. The market momentarily lost $136 billion (*). This event is instructive to security folk. Building security in requires understanding it as an emergent property (let’s avoid the often misused term “business logic [...]

VIDEO: Gary McGraw Accepts Indiana University School of Informatics Career Achievement Award

Last night in Indianapolis, I was awarded the Career Achievement Award at my alma mater Indiana University. I am honored and grateful to get this award, though I am still very much in the middle of my career! During my brief remarks, I mentioned a handful of people who have helped to inspire and mentor [...]

Why Cyber War Talk (Often) Degenerates to Hype

TV works in 15 second chunks. Apparently most people who watch TV have no time to think?! Or they think in tiny little disconnected chunks? (I guess this is as good a reason not to watch TV as any I can think of.) Sometimes to produce a two and a half minute piece, producers shoot [...]

Threats Threatening with Threats

(Special thanks to Sammy Migues, who helped with this post) By now, everyone has heard of the Mandiant report. Many of you have taken the time to read it. This report and the discussion it generated refers to ‘threat’ so frequently that it’s worth discussing how its use of the word differs from what you [...]

The Trusted on Busted view of Mobile App Security

I spent a few minutes at RSA talking about mobile app security in a video interview. What I had to say at RSA reiterates what I wrote in this “trusted on busted” piece: “McGraw’s mobile app security strategy: Three legs of ‘trusted on busted’” (February 13, 2013). Bottom line: time to dust off everything you know [...]

How real is the cyber war threat?

Sunday 2.24, I took part in a segment about Cyber War on MSNBC’s “Up with Chris Hayes.” Together with 4 other panelists, including David Sanger (who first published the Stuxnet as State-sponsored Cyber Attack story in the NY Times), we had a fairly long conversation about the ins and outs of cyber war. Visit NBCNews.com [...]

“Active Defense” is Irresponsible

Yesterday, NPR did a story about the idea of “Active Defense” which basically boils down to attacking the people who (may have) attacked you. (Key question: who is it that REALLY attacked you and how do you know that?) At Cigital, we believe this is a recipe for disaster. The last thing we need in [...]

President Obama Acknowledges Cyber Threat and Signs Executive Order for Improving Critical Infrastructure Cybersecurity

Last night in the State of the Union speech, President Obama explicitly mentioned cyber security. He said: America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail.

Vendor Control and Software Security

All modern companies rely on software to run at least parts of the enterprise. But often that software is created by others. What can you do to make sure that the software created by your vendors is secure? My monthly [in]security column for February 2013 is included in a special issue of Information Security Magazine [...]
