Software Security
Can Gadgets Betray Us?
The most recent episode of Silver Bullet features a chat with Robert Vamosi, a long-time tech reporter who has written about computer security for years. Robert is the author of When Gadgets Betray Us, a book about what happens when the faith we put in our gadgets may not be justified. From a security [...]
Caching Security Architecture Knowledge with Design Patterns
Cigital has always done architecture work. In the past, clients replaced their legacy systems with ‘new-fangled’ JavaEE. As they explored platform features, an ecosystem of web frameworks, and related commercial products (Netegrity’s SiteMinder), they realized they needed help and looked to Cigital for: Standards/Policy; JEE Platform Security Guide; JEE Security Specification (Requirements); Technology-specific standards; Reference Architecture [...]
IEEE Security & Privacy Magazine Tenth Anniversary Edition Loaded with Cigital
The January/February 2012 issue of IEEE Security & Privacy magazine, which is also the tenth anniversary edition (!), features three Cigital articles that you should read. Invincea CEO Anup Ghosh (who incidentally once ran Cigital Labs many years ago) and I collaborate on a point/counterpoint titled “Lost Decade or Golden Era: Computer Security since 9/11”. [...]
2011 CTO Year in Review
Part of my job as software security pundit and “hood ornament” of Cigital is spreading the word about software security far and wide. 2011 was a year like many others in that respect. Here is a “tripometer” graph showing talks I give and trips I take each year going back a decade. The good news [...]
UK Spooks’ Recruiting Tactic: Very Low Pound to Genius Ratio
(This is a guest post by Adam Zabrocki, a consultant at Cigital.) The UK intelligence agency, GCHQ, (roughly analogous to the US’s NSA) posted an online challenge recently at http://canyoucrackit.co.uk/ (read more). Given essentially no information other than what are pretty obviously hex digits, candidates are invited to attempt to “crack” an opaque puzzle. It [...]
Third-Party Software, Vendor Control, and the BSIMM Community
Cigital recently hosted a second BSIMM Community Conference near Portland, Oregon. The Conference was outstanding, and was a great opportunity for like-minded software security professionals to compare notes. Firms participating in the BSIMM include: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Fidelity, Google, Intel, Intuit [...]
Training by the Numbers
1992: Cigital (then Reliable Software Technologies) gets started and also delivers some training on software quality; “a few hundred”: ILT days delivered from 1992 through 2006; 5,000: ILT students trained from 1992 through 2006; 575: ILT and tutorial days delivered from 2007 through today; 9,000: ILT students trained from 2007 through today; 100,000: current students [...]
Cigital helps to create cyber security plans
(This is a guest post by Evgeny Lebanidze, a managing consultant at Cigital.) Cigital has been working one-on-one with Rural Electric Co-ops across the US to help them raise their cyber security bar, starting with the creation of their own custom cyber security plan. To facilitate this process, Cigital provided the Co-ops with several artifacts, [...]
Announcing BSIMM3
We announced BSIMM in March 2009 and BSIMM2 in May 2010. It’s now time for BSIMM3. Long live the BSIMM. Since the first BSIMM interview in October 2008, we’ve progressed from nine to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—about 19 months between measurements on average—and that [...]
BEAST and SSL/TLS
This is a guest post by Amit Sethi, Technical Manager at Cigital. There has been a lot of talk about BEAST (Browser Exploit Against SSL/TLS) lately. The attack against SSL 3.0 / TLS 1.0 was recently publicized by Thai Duong and Juliano Rizzo. Do you know what the risks are, and how to protect yourself? [...]