Application and Cyber Security Blog:

a Security Innovation Blog covering software engineering, cybersecurity, and application risk management

Wednesday, Sep 14, 2011 Ed Adams
http://web.securityinnovation.com/blog/bid/72444/Sony-CISO-Reporting-to-Executive-Management-Maybe-Cyber-Security-Czar-will-follow-suit In my previous blog, I talked about how I was encouraged that Sony was going to create the CISO position, but disappointed that they’d be reporting to the CIO (a position that I feel is inherently in a conflict of interest with the CISO position)...
Friday, Aug 26, 2011 Joe Basirico
http://web.securityinnovation.com/blog/bid/70136/Why-responsible-disclosure-is-the-best-choice-for-Security-Innovation There is a wide range of ways to disclose vulnerabilities discovered in software. Some people believe it is best to immediately alert the public of a vulnerability as soon as it is found, while others feel it is best to quietly work with the software vendor to fix the...
Wednesday, Aug 24, 2011 Ed Adams
http://web.securityinnovation.com/blog/bid/70713/Sony-appoints-CISO-in-response-to-PlayStation-attacks-but-reports-to-the-CIO A few months ago, Sony announced that it was creating a new CISO position, reporting directly to the CIO, in response to the attacks against PlayStation. I’m encouraged by the fact that Sony realizes they need someone focused on data security – but...
Friday, Aug 5, 2011 William Whyte
http://web.securityinnovation.com/blog/bid/68364/Koblitz-and-Menezes-on-safety-margins-in-cryptography Neal Koblitz and Alfred Menezes are two pioneers in the field of Elliptic Curve Cryptography. In recent years, they’ve teamed up to write a series of papers (available at http://anotherlook.ca/) questioning some current practices in academic cryptography. The papers are stimulating...
Wednesday, Aug 3, 2011 Ed Adams
http://web.securityinnovation.com/blog/bid/68363/Q-A-with-Myself-Thoughts-on-Sony-DOD-RSA-IMF-Lockheed-Martin Q: Are the recent hacks against Sony PlayStation, RSA SecurID, IMF and Lockheed Martin caused by unrelated entities, or is this a coordinated attack? A: There are definitely different groups operating here, each with their own motivations for the hacks. Sony decided to press legal...
Friday, Jul 29, 2011 Joe Basirico
http://web.securityinnovation.com/blog/bid/68050/Which-is-More-Secure-Windows-or-Linux Somebody on LinkedIn asked the above question to a group I'm part of. I decided to answer it thinking "Oh, I can chime in with a quick little answer", but the more I wrote the more complex the answer became. Here is my response: I think the question is far more complex right now actually. For...
Wednesday, Jul 27, 2011 Tom Bain
http://web.securityinnovation.com/blog/bid/67872/When-is-Spam-Considered-a-Breach As a Marketing professional, I understand the need to promote products and services through a variety of ways. It’s part of business, and you want to help the sales organization sell as best you can. But as someone who’s been in the IT Security industry for a while, there are limitations on what you...
Wednesday, Jul 20, 2011 William Whyte
http://web.securityinnovation.com/blog/bid/66738/Antisec-hacking-into-Booz-Allen-Web-site Can the hackers inflict more damage now that they have the password hashes? The Antisec hacker movement, which targets the websites of governments and their agencies worldwide, hacked into the Booz Allen Hamilton web site, and posted a 130 MB file of data stolen from Booz Allen's servers on the Pirate...
Tuesday, Jul 12, 2011 Tom Bain
http://web.securityinnovation.com/blog/bid/66382/To-err-is-human-to-hack-is-well-human-too If you think about all the bad stuff that happens that most IT Security vendors claim to either prevent, identify or analyze, you don’t typically think of a person. It’s a thing, maybe abstract in nature, some type of virus (what does a virus look like?). Or, a criminal gang, huddled in a...
Friday, Jun 17, 2011 Ed Adams
http://web.securityinnovation.com/blog/bid/63825/My-Haystack-Is-finding-that-one-needle-really-all-that-important-Hint-Yes-it-is As the uptick in breaches continues to dominate headlines and increase the general paranoia around what might happen, there’s often a story lost in the shuffle. It seldom seems like there’s a bulletproof method to stop the invasive tactics of today’s...
Wednesday, Jun 8, 2011 Joe Basirico
http://web.securityinnovation.com/blog/bid/63193/The-High-Cost-of-an-Application-Security-Data-Breach In the wake of the Sony Security Breaches (breaches, you say? As in plural? Yes, read on for more information) I decided to update some of our instructor-led training slide decks. The first few slides of our security awareness courses include a number of slides intended to scare...
Monday, Jun 6, 2011 Fred Pinkett
http://web.securityinnovation.com/blog/bid/63170/Application-Security-in-the-Cloud-Dealing-with-aaS-holes As we all know, when you run things in the "Cloud" it’s "as-a-Service". There’s Software as a Service (SaaS), which started the terminology, Infrastructure as a Service (IaaS), Platforms as a Service (PaaS), etc. Therefore, it would stand to reason that security holes in your...
Wednesday, May 25, 2011 Fred Pinkett
http://web.securityinnovation.com/blog/bid/62320/Application-Security-ROI-The-Two-Towers In my first entry on Application Security ROI, I promised to delve into three areas of Application Security ROI a little more deeply. In this entry, which will now have to be the second of a trilogy given the title and my propensity to eat six times a day and grow hair on my feet, I will talk...
Friday, May 20, 2011 Joe Basirico
http://web.securityinnovation.com/blog/bid/62283/Doing-a-NET-Code-Review-for-Security After performing countless code reviews for clients, I found myself performing the same tasks each time in order to get ramped up on the code and to identify major areas of concern. When performing a security code review, finding issues like Cross Site Scripting, SQL injection, Poor Input Validation, and...
Monday, May 9, 2011 Fred Pinkett
http://web.securityinnovation.com/blog/bid/61466/How-Threat-Modeling-Saved-My-Life There’s been a joke in the software industry that goes something like this: If automotive technology had kept pace with Silicon Valley, motorists could buy a V-32 engine that goes 10,000 m.p.h. or a 30-pound car that gets 1,000 miles to the gallon — either one at a sticker price of less than $50...
