Company Blog
Can Gadgets Betray Us?
The most recent episode of Silver Bullet features a chat with Robert Vamosi, a long-time tech reporter who has written about computer security for years. Robert is the author of When Gadgets Betray Us, a book about what happens when the faith we put in our gadgets may not be justified. From a security [...]
IEEE Security & Privacy Magazine Tenth Anniversary Edition Loaded with Cigital
The January/February 2012 issue of IEEE Security & Privacy magazine, which is also the tenth anniversary edition (!), features three Cigital articles that you should read. Invincea CEO Anup Ghosh (who incidentally once ran Cigital Labs many years ago) and I collaborate on a point/counterpoint titled “Lost Decade or Golden Era: Computer Security since 9/11”. [...]
2011 CTO Year in Review
Part of my job as software security pundit and “hood ornament” of Cigital is spreading the word about software security far and wide. 2011 was a year like many others in that respect. Here is a “tripometer” graph showing talks I give and trips I take each year going back a decade. The good news [...]
Third-Party Software, Vendor Control, and the BSIMM Community
Cigital recently hosted a second BSIMM Community Conference near Portland, Oregon. The Conference was outstanding, and was a great opportunity for like-minded software security professionals to compare notes. Firms participating in the BSIMM include: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Fidelity, Google, Intel, Intuit [...]
Building Versus Breaking: A White Hat goes to Blackhat
Is Blackhat worth attending? Kinda. My philosophy of software security and security in general has plenty of room for the art of the exploit. The icon that I have adopted to “brand” my work, the yin/yang with cowboy hats, includes a black hat for a reason! Here’s what I said about the icon in the [...]
Cloud Security Panel at NIST and informIT Reaction
On April 7th, NIST convened a conference on cloud computing in Gaithersburg, MD. One of the featured sessions was a panel on cloud security. I participated in the panel with Steve Lipner of Microsoft, JC Moses of Amazon, Jonathan Smith of Penn, and Jeremy Epstein of SRI. The panel was moderated by Donna Dodson and [...]
US Policy, Cyber Security and the Future of Cyberspace
Because Cigital’s corporate headquarters are near Washington, DC, you might think that we’re deeply involved with the federal government. Surprise! Though we do have a federal subsidiary called (creatively enough) Cigital Federal, the vast majority of our business is with the private sector. Whenever we get the opportunity to interact with the federal sector we [...]
Automate security tests and build security in from day one
Or: The ugly baby phenomenon and why you should not focus on false positives
Dr. Markus Schumacher has served as CEO and Co-Founder of Virtual Forge GmbH since 2006. The company specializes in the security of SAP applications. Dr. Schumacher was previously a representative of the Fraunhofer Institute for Secure Information Technology (SIT) and worked [...]
More on Malware (Including Bad Ads)
Just two months ago, I invoked the malicious code problem in a Justice League blog entry. The growth in malicious code is caused by the Trinity of Trouble (connectivity, complexity and extensibility) which incidentally is also what makes the software security problem more interesting to work on every day. My most recent informIT article, titled [...]
The Stuxnet Payload
I met Silver Bullet #59 victim Ralph Langner at Joe Weiss’s Applied Control Solutions Conference in Rockville last Fall. That was when (much to the surprise of the Siemens guys there) Ralph first revealed that the Stuxnet payload was aimed directly at physical control systems. In some sense, Stuxnet has changed the world by showing [...]