Justice League Blog

Input Validation and Data Dictionaries

Our internal discussion board brought up the topic of input validation last week. The discussion was around the regex for validating an email address. The message was that what seems like a very simple input validation can get complicated if the full standard is supported. As I read the discussion I started thinking about Data [...]

Identity Encapsulated Key Management

As part of my work on the Trust Cloud Initiative, I’ve had some discussions with the folks at PGP about their Key Management Server. At first, I was “ho-hum, key management”, but there’s more going on here than I had assumed. The way this software manages keys is more like a key ring. The implication [...]

Cigital Participates in White House Discussion on the Progress of the President’s Cybersecurity Efforts

On Wednesday July 14, 2010, US Cyber Security Coordinator Howard Schmidt convened a hastily called meeting of around 100 public and private sector security experts at the White House to explain the progress he has made in the six months since he joined the administration. I was there. In an unexpected and exciting surprise, President [...]

Speaking at CISSE on 6/8

I’m speaking at the 2010 Colloquium in Baltimore on Tuesday 6/8 on Cloud Security. Here’s the abstract. “Cloud Security: Don’t Be Late to the Party.” Cloud computing is here to stay. No amount of security whining will stop the cloud, and yet as the cloud revolution sweeps IT it behooves us to pay close attention [...]

Silver Bullet Turns 50

It’s hard to believe that the Silver Bullet Security Podcast has been running for 50 consecutive months! Silver Bullet has thousands of listeners, and it’s always fun to produce. Writing the script usually takes an hour or two, and requires some advance research from Brandi Ortega of IEEE S&P fame. Then we do recording (almost [...]

BSIMM2

In March 2009 we announced the publication of the BSIMM—a measuring stick for software security. We’re pleased today to announce the publication of BSIMM2. We have tripled the size of the data set to thirty firms, including: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, [...]

Trusted Cloud Initiative

I just moderated a panel on security within Cloud Computing environments. Many of the questions from the audience were about how to trust cloud computing environments. Trust is such a loaded word and I couldn’t tell from the participants if they were looking for a bunch of bolt-on controls or something more holistic. At RSA, [...]

Is Cyber War Inevitable?

Turns out that Richard Clarke is a national security policy wonk. I guess that fact is not that surprising if you knew that Mr. Clarke was once an Assistant Secretary of State working on nuclear arms control issues during the Reagan years. The general public knows Dick best as a key figure in counter-terrorism who [...]

With apologies to Peter Deutsche…

A long time ago, when distributed computing was in its infancy, and the promise of new technology made early adopters of us all, a fellow named Peter Deutsche found himself pulling out his hair. There was, he reasoned, an unimaginable amount of positivity about this new “distributed” technology. Accordingly, Deutsche decided to record the “Fallacies [...]

Is Digital Evidence the Forcing Function After Compliance?

My Saturday US Mail delivery (so sad if it goes the way of the dodo bird) arrived with several notifications of class action lawsuits for companies in which I’ve held equity positions. As I walked back from the mailbox, I had the thought: HIPAA and PCI protect the consumer, but who/what is protecting the business [...]
