Justice League Blog

Building Versus Breaking: A White Hat goes to Blackhat

Is Blackhat worth attending? Kinda. My philosophy of software security and security in general has plenty of room for the art of the exploit. The icon that I have adopted to “brand” my work, the yin/yang with cowboy hats includes a black hat for a reason! Here’s what I said about the icon in the [...]

Art of InfoJacking – What Lies Beneath

This is a guest post by Aditya K. Sood, a Security Practitioner at Cigital. Information gathering is considered one of the most critical steps in performing aggressive penetration testing in all types of environments. With the proliferation of web vulnerabilities, the online world has introduced new protection mechanisms such as web application firewalls. It [...]

Cloud Security Panel at NIST and informIT Reaction

On April 7th, NIST convened a conference on cloud computing in Gaithersburg, MD. One of the featured sessions was a panel on cloud security. I participated in the panel with Steve Lipner of Microsoft, JC Moses of Amazon, Jonathan Smith of Penn, and Jeremy Epstein of SRI. The panel was moderated by Donna Dodson and [...]

Improving Smart Grid Cyber Security

(This is a guest post by Evgeny Lebanidze, a managing consultant at Cigital.) Over the last couple of years Cigital has become more involved in helping companies in the Energy sector get security right. As our nation’s traditional electric grid is modernized and upgraded to the smart grid, the associated cyber security challenges continue to increase [...]

US Policy, Cyber Security and the Future of Cyberspace

Because Cigital’s corporate headquarters are near Washington, DC, you might think that we’re deeply involved with the federal government. Surprise! Though we do have a federal subsidiary called (creatively enough) Cigital Federal, a vast majority of our business is with the private sector. Whenever we get the opportunity to interact with the federal sector we [...]

Threat Modeling – Vocabulary

A few posts back, we began a series on Threat Modeling. As we began writing the second installment in this series, it occurred to me that I’m using a lot of threat modeling vocabulary. When I speak on threat modeling I always warn my audience that ambiguity exists in some of the (even fundamental or [...]

When All You Have is a Hammer…

We’ve probably all experienced organizations that rely principally on a single assessment technique (whether it be static or dynamic, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making use of [...]

Automate security tests and build security in from day one

Or: The ugly baby phenomenon and why you should not focus on false positives Dr. Markus Schumacher has served as CEO and Co-Founder of Virtual Forge GmbH since 2006. The company specializes in the security of SAP applications. Dr. Schumacher was previously a representative of the Fraunhofer Institute for Secure Information Technology (SIT) and worked [...]

Slapping Your Forehead Tomorrow

As usual @oneraindrop has written an interesting article on the cost of things entitled looking-backwards-from-the-future. In his post he discusses the need to consider the cost of things in terms of the opportunity lost by doing them: “Jim Rogers has a great practice on saving – when you think of buying something today, simply multiply [...]

Marching for “False Positives” or “Focusing on What to Fix”

A short but important one, while I hop a train. Static analysis proponents, myself especially, have taken up the flag of “visibility” and paraded chanting “Customize to reduce False Positives”; I apologize. This provides tremendous benefit but misleads. Discussing the topic with @Wh1t3Rabbit, it occurred to me: time to change perception. So, why talk about [...]
