Company Blog

Bubbles

I’ve lived in a bubble all of my life. My parents created a bubble to grow up in and then I wrote commercial software products. It’s only recently that I’ve stepped out of that bubble and seen just how messy the real world is. Yes, I’ve looked at bubbles from both sides now (sorry, but [...]

Cloud Risks When You Become A Service Provider

The European Network and Information Security Agency (ENISA) published their analysis of security risks from cloud computing. It’s a well thought through paper and it complements the work on cloud security guidance being written by the Cloud Security Alliance. What I like about both the ENISA report and the CSA Guidance (I’m an author of [...]

Marketing Will Kill Federated Identity on the Web

Warning: a fair amount of cynicism occurs in this post. Some of my buddies have been exchanging ideas of what keeps us interested and one friend was thinking about how he could use a user’s Facebook login on his site. This nudge along with some work I’m doing with federated identity and Amazon SSO all [...]

Do Cloud-based Apps Destroy Web App Security?

My colleague, Ben Walther, pointed me at this post about Cloud applications and Web-app security by Rich Mogull. The title is “How the Cloud Destroys Everything I Love (About Web App Security)”. The post talks about running Web apps on a cloud platform like EC2. I’m not sure I buy into everything they say. First, [...]

Securing Deployment for Cloud-based Applications

A recent thread about hardware and software requirements for development on the Google cloud forum made me wonder what cloud computing will mean for development, test and production environments. There are a lot of really interesting questions here, but my mind got stuck on the relationship between development and production. I’ve always been amused at [...]

13 reasons for UML’s descent into darkness

My buddy Jim Menard sent me this link when we were talking about comments Don Rippert made about the futility of MDA. Don Rippert’s comments were (in summary) that by the time you got to any level of specificity in the model, the complexity of the models made them harder to follow than code. [...]

CMP (PC), 4(SP)

A recent discussion about the virtues of the Chief Programmer method motivated me to re-read “The Mythical Man-Month”. What a great book. I read it while on vacation and kept on saying to my wife “Why don’t they make all computer science and software engineering undergrads read this book?” When I came back, I asked [...]

Externalizing Access Control Quandary

This entry started as an email to a co-worker, Will. I’ve edited it to make it a bit more readable, but in an attempt to blog more often and less formally, I’m only applying the thinnest editing veneer. We were discussing whether (again) moving entitlement/access control decisions out of the application code really made sense. Will [...]

Mitigating XSS – Why Input Validation is Bogus

Ask any security guy/gal about how to best mitigate cross-site scripting (XSS) and what is the answer? It’s some variation on validating input. Look at my own writings about this topic and what will you find? Variations on the input validation theme. Input validation is a great solution for new applications, but it’s a horrible [...]

Security Testing – Do Bad Things Come in Threes?

My wife recently made the comment about how it seems as though bad things come in threes. I thought it was an odd thought to see random events as coming in sets, but then again she also thinks that there are a finite number of good weather days in New England. But then I realized [...]

Page 2 of 3