[SecurityRatty] tag: do-it-yourself

IETF: Should we ignore the Kaminsky bug?

Wed, 19 Nov 2008 21:00:00 +0000

The Internet engineering community is grappling with what to do about a serious flaw in the DNS discovered this summer, and the ongoing debate brings to mind a famous quotation from Voltaire: "The perfect is the enemy of the good."

Navy Pursuing Dial-a-Blast Bomb

Tue, 18 Nov 2008 11:50:00 +0000

The Navy wants a smarter bomb. Not just a bomb that can land within a few meters of the bull's eye -- but a bomb that can do so, with just the right amount of blast.

AVG shows why its got class

Fri, 14 Nov 2008 12:48:29 +0000

Way to go AVG!
Set the bar higher for those who dont do as much for their customers, well done.

clipped from www.pcmag.com

AVG Offers Free Subscription for Deleting Key File

Security vendor AVG said Thursday that the company will offer a free year of service, after its antivirus software misidentified a key Windows system file as malware.

What should we expect from the Obama Administration and the 111th Congress on Cyber Security?

Thu, 13 Nov 2008 21:00:00 +0000

Given the seriousness of the financial crisis, growing job losses and the continued meltdown of global stock markets, it’s hard to imagine that the incoming Obama Administration or new U.S. Congress will be able to focus on much else during the first several months of 2009. When they do tackle other issues, healthcare reform, tax policy and energy policy are likely to emerge at the top along with national security priorities. Not to mention that many FY2009 spending bills still need to be approved by Congress and signed by the President as well, although that is expected to happen by March 2009 at the latest.

So where does this leave cyber security issues?

Don't just stand there... do something!

Wed, 12 Nov 2008 08:57:54 +0000

At some point, we the users of vulnerable technologies need to tell the experts to stop posturing and just do the right thing.

When insiders attack: How recessions make good people do bad things

Tue, 11 Nov 2008 21:00:00 +0000

Whom can you trust? In security, many of us nurture a healthy sense of paranoia and tend to be distrustful. But as human beings, as social beings, we form bonds of trust with those around us.

Planes, Trains & Automobiles: Some Data Should Just Stay at Work

Tue, 11 Nov 2008 21:00:00 +0000

In recent security briefings, I’m often asked: “Should I protect sensitive information on my laptop by encrypting my laptop?”

My advice is to first ask WHY? Why do you as an employee have the business or security justification to transfer and store sensitive PII: (personally identifiable information) onto your mobile device? (A little of asking who, what, where and when about your information will help here too).

Vulnerabilities quickly mitigated by security-conscious vendors

Tue, 11 Nov 2008 17:10:00 +0000

As you are likely aware, I spend a fair bit of time heckling those I believe deserving due to their shortcomings with regard to protecting online consumers.
I do, however, continue to seek opportunities to shed positive light as well, and recent responses from a number of vendor/developers warrant an opportunity to do just that.
In the last 30 days, I've discovered vulnerabilities in products from four different vendors, and advised them all immediately upon discovery. Usually, that's where the story ends, as sadly, my repeated requests for action are often ignored. The last 30 days have proven to be entirely different, with swift responses and action from ALL vendors to whom I reported vulnerabilities. In all cases I received replies within 24 hours or less, and patches/fixes/updates were typically released within 24-72 additional hours. These are exemplary responses, and reflect why I choose to conduct vulnerability research. I believe we, as web application professionals (both developers and security practitioners), are beholden to the greater public and must endeavor to protect the online safety of the Internet consumer.
To each of these vendors/developers I'd like to issue a hearty "well done" and issue public kudos for their diligence and security consciousness, on behalf of consumers and website operators.
To Lukas of PlanetLuc, Jasper and Eric of Infrae/Silva, Alexander of CompactCMS, and Peter from ActiveCampaign may I say that your efforts are greatly appreciated. Where too few choose to do the right thing, your responses leave us with the perception of caring and integrity.
Thank you.

del.icio.us | digg | Submit to Slashdot

Podcast: Cloud Computing, Software Development, Testing and Security

Sun, 09 Nov 2008 08:57:10 +0000

Last month I was interviewed for a podcast with SearchSoftwareQuality.com.

We talked about some of the advantages Cloud Computing could bring to software development and testing. Notice I say ‘could’ - I continue to see great potential benefits but some of these require us to rethink how we do things as ‘end-users’ and depend on the Cloud Computing ecosystem maturing enough to deliver them (e.g. security monitoring of Cloud API calls).

This was recorded prior to the Microsoft Azure announcement hence the “software + services” model wasn’t covered.

Anyway, the podcast is broken into 3 x 8 minute segments (I think I broke the spoken word count ;-):

General benefits of cloud computing for software development
Cloud computing’s impact on agile development practices, software testing, and e-commerce
Security elements surrounding cloud computing, such as software monitoring, implementing security patches, and the reduction of data leakage.

You can access the podcast segments here.

My thanks to Michelle and Erick over at TechTarget for the opportunity.

What About You?

Apart from general feedback on whether the podcast was helpful or not, I’m interested to hear if you’ve started any Cloud based development projects - please share in the comments.

On Small Companies and PCI Compliance

Tue, 04 Nov 2008 08:42:00 +0000

Read this post ("E-Commerce Startups deal with PCI compliance" at "PCI Anwsers" Blog) and weeeeeeep: "I once was talking with a small business owner who was reading through the Self-Assessment Questionnaire (SAQ) and stopped at the first question, which basically said, Do you have a properly configured firewall? The business owner called into the back room and asked the store manager, “Hey, do we have a firewall?” The store manager replied that he thought they had a fire extinguisher which was up to date. I then watched as the store manger checked the “In Place” box on the form stating they had a properly configured firewall in place."

Wonna "sell PCI compliance" to small businesses? One need to get smart in a very special way! :-)