I have updated my talk that I’ve given internally at our company a number of times to reflect the 2021 version of OWASP Top 10… Normally I can give the whole talk in 10 minutes, but this was presented in Costa Rica, and I really slowed it down. Enjoy!

While I’m glad to see the use of Signal on the rise, I am afraid that current events will cause the “government should have access into all encryption” debate to come up again, and people may think it’s a good idea out of fear. It’s not. Here’s why: As the global pandemic has kept everyone at home, our interactions with everything and everyone leave a larger digital footprint than ever before. That digital footprint, without encryption, exposes a lot of information. Encryption is needed because of the way the Internet works. The Internet is a loose confederation of companies, educational institutions, and telecommunication providers. Everything passes through networks owned by others. Without encryption, any party along the[…]

After a long hiatus, Security Musings is returning to its roots. This blog is going to be equal parts education and entertainment – you’ll learn some things, and you’ll learn some things that make me angry. I won’t follow a set frequency although I intend to post at least twice a month. The look and feel has changed, and I’m sure some older posts may not look right. I’m not going to dwell on that unless specific requests are made to get certain posts working again. It’s time to move forward.

We’re located in the northern Virginia area – where Friday night brought a derecho, which is basically a hurricane on land. Unfortunately, our county lost 911 service, and 3 days later, it’s still not quite back up. The 911 service is run by Verizon, which said that both primary and backup power were lost. Amazon Web Services lost Netflix, Foursquare, Pinterest, and other sites. So – assuming that these services were in a traditional data center, what happened? These buildings are supposed to have backup generators – why didn’t they kick in? Did they not test the generators, or the ATS (automatic transfer switch)? People pay data centers for continuous power – and most offer 5 9s of power (~5[…]

A few years back, I was working as a tech writer for a company which made medical software. We were trying to get an important certification that we’d need to sell our product. And a crucial part of that was good documentation: we had to show how it worked, what it did, how it tracked everything, how it was secure, etc. Well, that’s what you have a tech writer for, so all is good. It’s important to know, I didn’t have any existing documentation to work with. There was a wiki which had the developers’ notes in it, but that’s it. Nothing by way of formal hand-it-to-an-outside-entity documentation. Okay, that’s not too abnormal; tech writing is expensive, and many companies[…]

I recently had the pleasure of performing one of the best security assessments I’ve ever done. It was great: I didn’t find any gaps. Not a one. To some people, it might come as a surprise that I’d consider that a good assessment. And I’ll admit, it made me a bit suspicious. Nothing? Seriously? Well, I had to look into why, and I’ll get to that in a moment. But let’s cover something else first. I’ve been on both sides of the table for security audits. Being audited is Not Fun. You have someone coming in, looking over all your processes, and it’s up to you to prove that you’re doing what you’re actually doing, often for reasons that seem[…]