Robert Lemos has an excellent summary of the state of the debate on disclosure of exploit code in his column at Dark Reading. In it, I’m quoted briefly:
Software vulnerabilities are often discovered independently, suggesting that silencing the disclosure of a vulnerability and how to exploit the flaw would merely allow a bad actor more time to use an attack, says Darren Meyer, senior security researcher at Veracode, an application security firm.
In the penultimate episode of Talking Code, the panel discusses standards-based and ad-hoc security protocols in regard to the inclusion of Bluetooth technology in medical devices. Our experts seek to shed some light on a topical issue that ultimately concerns the security risks that come with added functionality.
One of my national cyber security month activities was participating in an employee awareness day at NYU Langone Medical Center. Kudos to the infosec team for putting on a nice event.
Since the audience was doctors, nurses and students, my goal was to present mobile security statistics in a memorable way. I had two slides showing at a very high level how mobile malware works, but one of the main points I wanted to convey was that an app doesn’t have to be malware to do you harm.
Backdoor, schmackdoor – it’s Christmas Shopping Season, y’all!
This morning my blog, The Security Ledger, ran a story about research from the firm Duo Security that provided more evidence (if any was needed) that the fast-emerging market for IP-enabled “stuff” has a serious reckoning with the security and privacy crowd.
As information security professionals, we must pursue any opportunity to evolve our approach to Application Security. Most enterprises with in-house development teams do some kind of ad hoc AppSec testing, usually during the QA process. But maybe you think it’s time to do more than that, to get a bit more proactive in confronting the potential threats the organization faces from weak software security. Luckily there is a proven AppSec Program Maturity Curve that can help mature your existing effort, following a well-traveled road to overcoming common challenges along the way. Here’s the really good news: it’s easy to climb a few levels of the curve over a matter of months, not years.
We know that any type of software is bound to be hacked eventually, but Apple is claiming that nothing will get past its new fingerprint scanning technology. While its security implications far exceed those of a traditional PIN, could a hack of this nature truly be dangerous to high profile individuals? What would a hack like this mean for an enterprise or government agency? In part three of our discussion of Apple’s fingerprint scanning technology for the iPhone 5S, we discuss where these attacks are likely to come from and what this means for your mobile security.
The private sector is usually in the fortunate position of being able to ignore the National Institute of Standards and Technology (NIST)’s guidance as new special publications come out and effect change in the public sector. However, the latest draft on addressing supply chain security epitomizes a trend we are seeing in the industry. Everyone – public, private, non-profit, etc. – should heed this new guidance as a harbinger of what is to come.
Information systems have rapidly expanded in terms of capability and number, permitting an increased reliance on outsourcing and commercially available products. This has resulted in a loss of both visibility into and understanding of how acquired technology is developed, integrated and deployed.
Talking Code episode 8 is here and it’s question time for Paul Roberts, Chris Wysopal and Joshua Corman. This week’s discussion centers around securing source code build servers in the SDLC – an issue that concerns both supply chain and operational security.
Apple’s making a lot of claims about how well they securely store that fingerprint, who can access it and what’s actually being stored. Nobody’s ever really been able to verify any of this in depth yet. We do have a few hints from patent filings, from documentation of the company that makes the sensor, and from documentation of the TrustZone technology that Apple says they’re using to store it. Apple really put quite a bit of engineering effort into this, so they claim a couple of things.
Application development is really important, but rarely funny. This developer’s list of simple steps to make your application code totally unmanageable is the exception.
Application programming is really important, but it’s rarely very funny. Software developers are the freemasons of the digital age. And that makes application development … well … masonry. And that’s not typically the stuff of the late night talk shows.