Associating Security Responsibilities Within Development Frameworks

by jOHN on Monday, July 28, 2014

Practicing software security builds on knowledge of tools, techniques, and technologies. I consistently harp on the importance of understanding development frameworks. These frameworks provide a foundation for technology knowledge: instructors must speak developers’ language when training, and frameworks form the vernacular. When assessing software, one needs to know where in the haystack to look for… Read More

Book Review: Reading Shostack’s Threat Modeling

by jOHN on Monday, March 17, 2014

Increasingly, individuals and organizations alike express interest in building their own threat modeling capabilities. Some ask, “What do you think about STRIDE?” or, more generally, “How can I help developers think about our systems’ security properties?” Cigital has published a bunch of valuable threat modeling material, but the biggest single body of work continues to come… Read More

Kickstarter Password Breach … #FTW?

by jOHN on Sunday, February 16, 2014

Last Wednesday I spoke about password storage security in a Cigital “At the WhiteBoard” session. Fate has allowed a publicized password breach within a few days prior to these talks nearly without fail and, with the hack of Yahoo’s 3rd party database more than a week in the rear-view, I was a bit self-conscious. Cue… Read More

SHA2 “vs.” SHA1

by jOHN on Tuesday, January 21, 2014

For years our assessments have discovered insecure mechanisms for password storage. Though well-intentioned developers often put a good deal of thought into their schemes, those schemes seldom resist attack. Not surprising: applying the appropriate cryptographic primitives effectively proves challenging for many security practitioners. Available material, such as the simple OWASP Cheat Sheet and the more thorough Threat Model, help… Read More

TouchId: Yea or Nay?

by jOHN on Wednesday, September 25, 2013

Unsurprisingly, German hackers were able to produce a fingerprint prosthetic allowing an attacker to defeat Apple’s TouchID within days of the iPhone 5S release. Media coverage abounds, as has reaction to the attack and discussion about biometrics, multi-factor authentication, and, of course, the death of the PIN/password. Unfortunately, the password’s death has been reported early. None of us… Read More

DtR Podcast: Threat Modeling

by jOHN on Thursday, May 30, 2013

For some time, Rafal Los (@Wh1t3Rabbit) has been asking me to discuss Threat Modeling on his podcast. We were finally able to schedule something and record. Listen to the podcast here: DtR Episode 42 – Threat Modeling w/ @m1splacedsoul. Not surprisingly, the topic is meaty and we went over the allotted time. We covered: Why threat… Read More

Mobile: Different or Same Sh*t Different Day?

by jOHN on Tuesday, April 30, 2013

Is mobile security the ‘same problem’ as web application security? Is it just ‘different day’? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course: both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about… Read More

Business Logic: High Frequency Trading’s Security Lessons

by jOHN on Friday, April 26, 2013

A quick’un: When the Associated Press’s Twitter feed was hacked, a posted tweet indicated that the president had been injured in an explosion. The market momentarily lost $136 billion (*). This event is instructive to security folk. Building security in requires understanding it as an emergent property (let’s avoid the often misused term “business logic flaw”)… Read More

Threats Threatening with Threats

by jOHN on Thursday, March 14, 2013

(Special thanks to Sammy Migues, who helped with this post.) By now, everyone has heard of the Mandiant report. Many of you have taken the time to read it. This report and the discussion it generated refer to ‘threat’ so frequently that it’s worth discussing how its use of the word differs from what you… Read More