Company Blog
Threat Modeling
Last week, I gave a talk at QCON‘s inaugural US conference, as part of Gunnar Peterson’s security track. There were some pretty serious speakers giving talks and I was thrilled to be amongst a set of developers with such deep quals. I spoke about threat modeling because I think its a reasonable first-step towards implementing [...]
Confusion between “Logging and Debug”
I was talking with one of my consultants the other day about a common confusion Developers sometimes have regarding a pretty mundane piece of security guidance. Specifically, “What does it mean I have to turn off logging/debug in production?” In my mind, these two separate issues exist here, intertwined. Almost every logging framework has an [...]
Additional Thoughts on “The Risk of Too Much Risk Management”
My previous post sparked comments from Mike Rothman, Alex, Christofer Hoff, Arthur, and perhaps others I haven’t seen. I sincerely appreciate everyone’s considered feedback. In this case, the feedback was to tell me I’m off-base on terminology, and that’s all good. I’m happy to take lumps when I mess something up. I really meant it [...]
