Company Blog
Evading WAFs and other forms of Input Validation
My colleague, David Lindsay, is one of the authors of a new book, Web Application Obfuscation, about obfuscation techniques. Even the title is somewhat obfuscated because the book is about obfuscation techniques that can be used to attack web applications. The set of techniques described in the book by David and the other authors is [...]
A Cloud Security Discussion without FUD
I was happy to read a very measured viewpoint about Cloud Security in the first couple of articles of Nov/Dec issue of IEEE Security and Privacy. The introduction sets a very constructive tone. I really appreciate the measured tone because I’ve been dealing with a lot of “knee jerk reactions” within our client-base around Cloud [...]
Input Validation and Data Dictionaries
Our internal discussion board brought up the topic of input validation last week. The discussion was around the regex for validating an email address. The message was that what seems like a very simple input validation can get complicated if the full standard is supported. As I read the discussion I started thinking about Data [...]
Identity Encapsulated Key Management
As part of my work on the Trust Cloud Initiative, I’ve had some discussions with the folks at PGP about their Key Management Server. At first, I was “ho-hum, key management”, but there’s more going on here than I had assumed. The way this software manages keys is more like a key ring. The implication [...]
Speaking at CISSE on 6/8
I’m speaking at the 2010 Colloquium in Baltimore on Tuesday 6/8 on Cloud Security. Here’s the abstract. Cloud Security: Don’t Be Late to the Party Cloud computing is here to stay. No amount of security whining will stop the cloud, and yet as the cloud revolution sweeps IT it behooves us to pay close attention [...]
Trusted Cloud Initiative
I just moderated a panel on security within Cloud Computing environments. Many of the questions from the audience were about how to trust cloud computing environments. Trust is such a loaded word and I couldn’t tell from the participants if they were looking for a bunch of bolt-on controls or something more holistic. At RSA, [...]
Is Digital Evidence the Forcing Function After Compliance?
My Saturday US Mail delivery (so sad if it goes the way of the dodo bird) arrived with several notifications of class action lawsuits for companies in which I’ve held equity positions. As I walked back from the mailbox, I had the thought: HIPAA and PCI protect the consumer, but who/what is protecting the business [...]
SDL, ARA and SAE
I don’t often make the time to write up some of the more interesting aspects of work we do for clients, but I was forced to make some time to do so last week (well, perhaps encouraged is a more polite way to put it). The effort culminated in a webcast with MSDN and [...]
There are only losers in Cloud federated IAM
I read a question on one of the cloud mailing lists asking which of the federated authentication protocols (SAML, OpenID, OAuth, WRAP, etc.) would win. My initial reaction was to reply, “Isn’t the question which ones won’t lose?” Okay, that’s snarky and perhaps a double negative, but I find it a rather dubious notion to [...]
Cloud Hype and de-Hype
I had been reading about Gartner’s prediction that 1 out of every 5 businesses were going to dump all of their physical IT infrastructure when Sammy Migues sent me a thread from LinkedIn about it. The thread contained many of the common sense views about Cloud Computing that you’d expect: IT should be based on [...]