Company Blog
Mobile: Different or Same Sh*t Different Day?
Is mobile security the ‘same problem’ as web application security? Is it just ‘different day’? I’ve watched organizations and mobile Thought Leaders argue perspectives on this question back and forth for years. The answer is, of course: both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about [...]
Business Logic: High Frequency Trading’s Security Lessons
A quick’un: When the Associated Press’s Twitter feed was hacked a posted tweet indicated that the president was injured in an explosion. The market momentarily lost $136 billion (*). This event is instructive to security folk. Building security in requires understanding it as an emergent property (let’s avoid the often misused term “business logic [...]
Threats Threatening with Threats
(Special thanks to Sammy Migues, who helped with this post) By now, everyone has heard of the Mandiant report. Many of you have taken the time to read it. This report and the discussion it generated refer to ‘threat’ so frequently that it’s worth discussing how its use of the word differs from what you [...]
Securing Password Digests -or- How to Protect Lonely Unemployed Radio Listeners
As we’re prone to say, “much ink has been spilt over the release of password digests” from LinkedIn and others. I’m, as is typical, profoundly disappointed in the amount of misinformation I’ve heard in security folks’ commentary on the problem and the underlying workings of digests, HMACs, and so forth. This blog entry represents a [...]
Caching Security Architecture Knowledge with Design Patterns
Cigital has always done architecture work. In the past, clients replaced their legacy systems with ‘new-fangled’ JavaEE and explored platform features, an ecosystem of web frameworks, and related commercial products (Netegrity’s SiteMinder). Realizing they needed help, they looked to Cigital for: Standards/Policy, JEE Platform Security Guide, JEE Security Specification (Requirements), Technology-specific standards, Reference Architecture [...]
Open Source and Software Maturity Models
I’m at the BSIMM3 Conference, in an open source breakout session. The context: you’re an organization with a reasonable application security program. The question, “How to apply that same process maturity to open source where no ‘throat to choke’ exists?” Your organization and its software-providing vendors may not be perfect but at least you can [...]
Suggestions for ESAPI 2.1 and Beyond
This year’s ESAPI Summit, organized by Chris Schmidt and other contributors, represented a marked improvement over previous conversations. A clear evolutionary path for the family of security toolkits lies ahead. In order to achieve broader adoption and greater effect in larger enterprises the project’s participants must focus not just on API-level design but also on [...]
An OWASP Interaction Model
Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will likely involve: Integration with standard-fare open [...]
Threat Modeling – Vocabulary
A few posts back, we began a series on Threat Modeling. As we began writing the second installment in this series, it occurred to me that I’m using a lot of threat modeling vocabulary. When I speak on threat modeling I always warn my audience that ambiguity exists in some of the (even fundamental or [...]
When All You Have is a Hammer…
We’ve probably all experienced organizations that rely principally on a single assessment technique (whether it be static or dynamic, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making use of [...]