Security defect triage in delivery projects

The guys at Recx asked me to look at a draft of their recent blog post The Business v Security Bugs – Risk Management of Software Security Vulnerabilities by ISVs where they describe some of the business constraints and influences on security defect triage for Independent Software Vendors and make the case that ultimately the triage decision is a business decision not a technical security decision.

I was happy to do it as I’ve known the guys at Recx for a long time and they are a great little British security company with some seriously deep technical security skills. They have a lot of experience working through ISV security defect triage processes both as external security researchers and as internal product security managers.

44con and Uncon

It’s been a busy week again.

I helped out a few weeks ago on the panel choosing speakers for the Infosec track for 44con and subsequently got roped in / volunteered to run that track during the days of the con. A week before 44con happened one of the speakers failed to get a visa and I volunteered to fill the gap and spoke on ‘Intelligence-Led Cybersecurity’. It was an interesting process working out what I could talk about, how I could squeeze it into a 45 minute slot (with questions) and then convincing my employers to let me talk publicly.

Cyber Cyber Cyber

The industrialisation of cyberwar and cyberespionage using techniques developed in the last decade of massive expansion in cybercrime has presented a serious challenge to the security industry.

The myriad breaches, whether at the lulz end of the scale or at the national security end of the scale, have highlighted the fact that while we as an industry may have been doing the component parts of information security for a long time we haven’t done it very well.

Cyberwar, what is it good for? Absolutely nothing?

Cybersecurity is a very hot topic right now, for example:

· A contact in the UK government agency responsible for government information security has reported anecdotally that they have had more ministerial visits in the last 12 months asking about cyber than in the last 10 years for any purpose.

· A friend who is an audit partner in a Big4 accountancy firm in the UK has spent many years trying to get boards to consider information security; in the last six months he has seen an unprecedented groundswell of interest from board members asking about cyber. It’s one of their hot topic items right now and every board is asking him his opinion.

Zones of Trust

The key security design decision is the balance to be taken at every step of a system design between trust and inconvenience.

For every system to system, subsystem to subsystem and component to component connection a decision must be made as to whether either side of the connection will trust the other, and to what degree. Trust is in some ways analogous to coupling. The higher the level of trust, the more likely that a compromise of one side of the connection will lead to the compromise of the other.