Please join Gemini Security Solutions at AppSecDC 2010 where we will be delivering a 2-day “Software Security Best Practices” course based on the materials we support from KRvW Associates. The course is $1,495 and will run November 8-9 here in Washington, D.C. Course Description: This tutorial starts with a description of the security problems faced by today’s software developer, as well as a detailed description of how defective software can be exploited. It goes on to provide a thorough description of the best practices available to prevent, detect, and remediate security problems in software. Next, the tutorial includes hands-on design review exercises to reinforce each of the concepts presented, together with dozens of examples of common coding errors (primarily in[…]

The “big” news of the week (thus far), if you can call it that, is Google’s announcement of the availability of soft tokens for Google Apps as of today (read about it in their post “Moving security beyond passwords”). From a security perspective I’m greatly underwhelmed. Maybe I’ve just become jaded in my old age, but this really strikes me as a big “so what?” announcement. AOL did this several years ago (unsuccessfully, I might add) using RSA hard tokens. The reasons for their failure are myriad, ranging from a lack of promotion to requiring customers to pay for it, but ultimately it came down to one specific concern: usability. I don’t for a minute accept TechCrunch’s take on this announcement[…]

There has been much criticism of risk assessment and analysis over the past few years that amounts to much ado about nothing. Why is it much ado about nothing? Well, because, quite simply, people oftentimes don’t understand what it is they’re criticizing, especially in the case of quantified risk analysis methods. Before we get into risk measurement, let’s first make one thing clear: risk analysis is nothing more than a decision-analysis (or decision-support) tool. It helps provide reasonably accurate data points that decision-makers can use when making decisions. It is not a panacea for all things risk or infosec, nor is it some sort of special magic-sauce voodoo with no grounding in reality (at least not in terms of well-considered[…]

Risk assessment gets a bad rap these days, thanks in large part to a checkered past colored by qualitative analyses. Historically, risk assessments have been fuzzy, at best, and downright inaccurate and misleading at worst. You know the ones I’m talking about: some hot shot consultant comes in, pokes around, maybe runs a couple scans, and then churns out a report with a bunch of High, Medium, and Low findings. However, as you dig into the results – particularly the so-called “High Risk” findings – you start finding extreme squishiness with no connection to reality, rational thought, or logic. And this is what we’re supposed to use to “better manage” security? Don’t think so… Enter Factor Analysis of Information Risk[…]

People are relieved. In what has quickly become one of the mainstream tech media’s darling stories of the day, the U.S. Library of Congress has apparently woken up to find itself a decade into the 21st century and has released an updated list of allowed circumventions that do not qualify for punishment under the Digital Millennium Copyright Act’s (DMCA) anti-circumvention clause. In a nutshell, you can rip (DeCSS) movie clips for fair use, you can jailbreak your iPhone (whether it be to install software or to hop providers), you can hack video games (for “good faith” security purposes, mind you, and consoles seem to be excluded), you can bypass hardware dongles that have become obsolete (fairly narrow ruling here), and[…]