Evan Schuman

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. 
Posts by Evan Schuman

If Security Isn't A Priority For Appdev, What Chance Does A Deployed App Have?

September 1, 2016  | Secure Development

One of the biggest security threats is that enterprise mobile app testing is overwhelmingly focused on functionality and not security. Pen testing of apps to see what data they—or some third-party app it is integrated with—are actually retaining is hardly ever done prior to deployment, if then. Why? It's simply not in the mindset of line-of-business managers. They want/need the...

When Bug Bounties Are Counter-Productive

August 18, 2016  | Security News

Crowdsourcing security holes—aka bug bounties—has become an increasingly popular tech firm tactic, bordering on Silicon Valley standard operating procedure. But as tempting as such an approach is, it's not without serious drawbacks. What we're talking about is encouraging and incentivizing anyone and everyone to dig into your app/OS and beat up on it to try and find any...

Forcing Monthly Password Changes Only Helps The Thieves

August 11, 2016  | Security News

When protecting app data, the default response for years has been passwords. And as long as a company's data is solely being defended by passwords, it makes sense to insist that they be changed regularly, no? Would not such mandated periodic changes shorten the life of the access controls for thieves? Turns out that the answer is "no" to all of the above. To the extent that...

Your Mobile Apps Retain A Lot More Than You Know. I Guarantee It

August 4, 2016  | Security News

Here's a fact about mobile apps that is as true for Fortune 100 companies as mom-and-pops: Rare is the company that understands what data its mobile app retains. I used to prove this theory routinely. All it requires is a security consultant who is willing to do some penetration testing on the app. In some cases, 20 minutes was all the time needed. We found passwords in the clear in Starbucks...

To Weak Authentication, A Thief Looks Exactly Like A Cop

August 3, 2016  | Security News

Here's an uncomfortable truth for IT to internalize: enabling access for a friend facilitates access for an enemy. This is what was behind the anti-backdoor argument that Apple aggressively made, albeit for non-altruistic sell-more-hardware reasons. In effect, if you provide an easy way for government investigators to access data, there's no reason to believe that bad guys won't use a...

Keeping Your Breach a Secret and Other Self-Destructive Decisions

July 21, 2016  | Security News

Here's a delightful bit of survey happiness out of Ireland: a vendor survey found that "almost half of Irish businesses wouldn't disclose a data security breach to impacted third parties, including customers and suppliers." Even worse, these results likely underestimate how many execs agree with that thinking, but are shrewd enough to not share that with someone taking a...

App Encryption Soaring, But How It's Being Done Is Where Things Get Interesting

July 14, 2016  | Security News

There's a very interesting new Ponemon Institute report on app encryption, which concludes that app encryption usage is sharply increasing, as it has consistently for years. The report found 37 percent of the companies examined this year embrace enterprise encryption, up from 15 percent in 2005. The report sees this as a good thing and the upward trend is certainly encouraging. But to find...

Think Your Data Leaks Are Limited To Your Databases? Think Again

July 7, 2016  | Security News

Security professionals spend an awful lot of time trying to protect sensitive corporate information, locking it away in virtual vaults, as they should. But they often neglect to protect the people who have the keys/combinations to those virtual vaults—in some cases, protecting those key-holders from themselves. This comes to mind as a recent story in The Intercept reminded us of how easy we...

Obscured Data Can Be A Psychological Security Trap

July 5, 2016  | Security News

Encryption and tokenization are great security tools—when executed properly—as they sidestep protecting data and instead attempt to make the data worthless to thieves. It's a great strategy. But when it's executed improperly, it can insidiously weaken security. This happens when IT gets cocky and overconfident that the data would indeed be worthless to attackers and starts to...

How Can Enterprises Still Be Victimized By Attacks That We've Known About For Decades?

June 16, 2016  | Security News

As has become almost a weekly tradition, another major security hole was reported last week (June 8). This report, from Talos, is about a hole that allows malicious files to be launched when anyone clicks on a PDF from within the Google Chrome browser. The attack leverages "an exploitable heap buffer overflow vulnerability in the Pdfium PDF reader. By simply viewing a PDF document that...
