Securosis Blog

Compliance for the Sake of Compliance

Mike Rothman · November 20, 2013

Adrian put up an insightful (as opposed to inciteful) column on Dark Reading, pointing out that Simple Security Is A Better Bet. Though I quibble a bit with the subhead: “Complex security programs are little better than no security”. Of course any subhead taken out of context creates opportunity for misinterpretation. I would reword it to say, “Complex security programs done poorly are little better than no security”. But that’s just me.

Incite 11/20/2013—Live Right Now

Mike Rothman · November 20, 2013

As I mentioned a few weeks ago, XX1 had her Bat Mitzvah recently. It was great to be surrounded for a weekend by almost all the people we care about. And XX1 really stepped up and made us very proud. There are few things more gratifying than seeing your child excel – especially on a big stage in front of a lot of people. Part of the ceremony is a blessing from the parents. Some parents provide an actual blessing. Others tell entertaining stories about the child. I chose to give her some life…

This is part four of a series. You can read part one, part two, or part three; or track the project on GitHub.

As a reminder, this is the second half of our section on examples for adapting security to cloud computing. As before, this isn’t an exhaustive list – just ideas to get you started.

I am teaching another cloud security class for Black Hat. There are two classes, one on December 9-10, and the other December 11-12.

This is part three of a series. You can read part one or part two, or track the project on GitHub.

This part is split into two posts – here is the first half:

You Cannot Outsource Accountability

Mike Rothman · November 18, 2013

Given our severe skills gap in security, managed services and other security outsourcing tactics continue to be very interesting to end users. Either that, or non-security senior management gets frustrated by the inability of the internal team to get anything done, so they look at having someone else take a crack. The NSS folks ask in their blog post, To Outsource or Not to Outsource, That is the Question!, but I don’t think that’s the right question.

As we have discussed through this series, many types of attacks can impact the availability of your applications. To reiterate a number of points we made in Defending Against Denial of Service Attacks, your defenses need to be coordinated at multiple levels: at the network layer, in front of your application, within the application stack, and finally within the application.

Friday Summary: November 15, 2013

Adrian Lane · November 14, 2013

There is lots I want to talk about this week, so I decided to resort to some three-dot blogging. A few years ago at the security bloggers meet-up, Jeremiah Grossman, Rich Mogull and Robert Hansen were talking about browser security. After I rudely butted into the conversation they asked me if “the market” would be interested in a secure browser, one that was not compromised to allow marketing and advertising concerns to trump security. I felt no one would pay for it but the security community…

We looked at application denial of service in terms of attacking the application server and the application stack, so now let’s turn our attention to attacking the application itself. Clearly every application contains weaknesses that can be exploited, especially when the goal is simply to knock the application offline rather than something more complicated, such as stealing credentials or gaining access to the data. That lower bar of taking the application offline means more places to attack.