Just the other day I was planning dinner for my family and thought it would be a great idea to bust out the Dutch oven I had to have, but rarely use, and make a nice stew. I ran to the grocery store to grab some fresh carrots, turnips, onions, a couple of Yukon Gold potatoes, and some fresh chicken (and a bottle of nice wine for the thirsty chef). I needed a quick start and an on-time finish. Or it would be another failed product delivery — followed by a rapid desire by my family to outsource.
Now that Heartbleed has become the new measuring stick for vulnerability disclosures, I have had several people ask me, “Is this OpenId/Oauth thing the next Heartbleed?” The long answer, as Run DMC once said, is “It’s Tricky, Tricky, Tricky, Tricky”. The TL/DR (too long/didn’t read) answer is “No”.
Like a good holiday the Verizon 2014 Data Breach Investigation Report (DBIR) is something I look forward to every year. Now that I’ve had some office time to digest this, I figured no better time to share my thoughts. I am not going to cover all sections, but do want to highlight a few things that stuck out to me
Today Sonatype and HP announced Sonatype’s Component Lifecycle Management (CLM) analysis technology has been integrated into HP’s cloud-based software security solution – HP Fortify on Demand.
It just wouldn’t be the holiday season without a report of another major security breach. This time Target is the victim and, true to form, the shame and blame game follows. At this point it shouldn’t come to anybody’s suprise that compliance doesn’t equal secure. Even though the full details of the attack are unknown, you […]
DevOps is certainly the buzzword of the year. Everywhere you turn, people are referring to DevOps and Continuous Delivery. It seems as though the final frontier to developer productivity has arrived. The reality, which is what large organizations deal with on a day to day basis, is like all development methodologies in the past; the […]
The latest news hitting the wire, the internet, the blogosphere and the social media circuit is the hack of the Apple developer site that was acknowledged by Apple. To no one’s surprise, this was followed by the typical shame and blame game. I don’t know about you but I am getting a little tired of the sensationalist […]
I recently attended and gave a brief talk at the Sofware Assurance Working Group. I spoke about the need for security folks to speak with developers – not at them. This is a frequent topic in the security space but I have to question, have we gotten any better? My answer – “Not so much”. […]
Do vulnerability counts from sources like the National Vulnerability Database (CVE data) and Open Source Vulnerability Database (OSVDB) really matter? A recent article by Robert Lamos at darkREADING, questioned the usefulness of the metrics generated by these reports since the counts don’t add up. Looking at the trends, it’s been easy to see that vulnerabilities are increasing, but […]
Over the past week, there have been several articles, blog posts and security institutes about the latest release of the OWASP Top 10. Now is the right time to join the discussion. All this chatter doesn’t come as a surprise to me or others that have been long time participants in the application security space. […]