Cigital Security Blog

Analysis, news and insights from Cigital’s team of security experts

Internal CTO John Steven’s expertise runs the gamut of software security—from threat modeling and architectural risk analysis to static analysis and security testing. He has led the design and development of business-critical production applications for large organizations in a range of industries. Since joining Cigital as a security researcher in 1998, John has provided strategic direction and built security groups for many multi-national corporations, including Coke, EMC, Qualcomm, Marriott and Finra. John's keen interest in automation continues to keep Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine, and as the leader of the Northern Virginia OWASP chapter. John speaks regularly at conferences and trade shows.

July 28, 2014

Practicing software security builds on knowledge of tools, techniques, and technologies. I consistently harp on the importance of understanding development frameworks. These frameworks provide a foundation for technology knowledge: instructors must speak developers’ language when training, and frameworks form the vernacular. When assessing software, one needs to know where Read more

March 17, 2014

Increasingly, individuals and organizations alike express interest in building their own threat modeling capabilities. Some ask, “What do you think about STRIDE?” or, more generally, “How can I help developers think about our systems’ security properties?” Cigital has published a bunch of valuable threat modeling material, but the biggest single Read more

February 16, 2014

Last Wednesday I spoke about password storage security in a Cigital at the WhiteBoard session. Fate has, nearly without fail, allowed a publicized password breach within a few days prior to these talks and, with the hack of Yahoo’s third-party database more than a week in the rear-view mirror, Read more

January 21, 2014
Categories: Threat Modeling

For years our assessments have discovered insecure mechanisms for password storage. Though well-intentioned developers often put a good deal of thought into their schemes, those schemes seldom resist attack. Not surprisingly, applying the appropriate cryptographic primitives effectively proves challenging for many security practitioners. Available material, such as the simple OWASP Cheat Sheet Read more

September 25, 2013

Unsurprisingly, German hackers were able to produce a fingerprint prosthetic allowing an attacker to defeat Apple’s TouchID within days of the iPhone 5S release. Media coverage abounds, as has reaction to the attack and discussion about biometrics, multi-factor authentication, and, of course, the death of the PIN/password. Unfortunately, the password’s death has Read more

April 30, 2013

Is mobile security the ‘same problem’ as web application security? Is it just ‘different day’? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course: both. Mobile security inherits previous problems and solutions while bringing its own unique Read more

March 14, 2013

(Special thanks to Sammy Migues, who helped with this post) By now, everyone has heard of the Mandiant report. Many of you have taken the time to read it. This report and the discussion it generated refers to ‘threat’ so frequently that it’s worth discussing how its use of the Read more

June 11, 2012

As we’re prone to say, “much ink has been spilt over the release of password digests” from LinkedIn and others. I’m, as is typical, profoundly disappointed by the amount of misinformation I’ve heard in security folks’ commentary on the problem and the underlying workings of digests, HMACs, and so Read more

November 15, 2011

I’m at the BSIMM3 Conference, in an open source breakout session. The context: you’re an organization with a reasonable application security program. The question: “How do you apply that same process maturity to open source, where no ‘throat to choke’ exists?” Your organization and its software-providing vendors may not be Read more

September 21, 2011

Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will Read more