Entries Categorized as 'Security'

"Clear" Air-Travel Pass Data Stolen From SFO

Date August 5, 2008

Ok, maybe signing up for the Clear pass (from my previous post) isn't such a good idea.
http://yro.slashdot.org/article.pl?no_d2=1&sid=08/08/05/1539231
It's still unbelievable to me that so many places that store "sensitive" data, especially on "mobile" media like laptops, CDs, etc., aren't encrypted. Seems like a sensible precaution and a no-brainer.

Computer security work illegal in Texas without PI licence?

Date July 4, 2008

There's been some talk about this, and no-one really knows what it means for the security industry just yet (at least not anything I've seen thus far), but the just-passed Texas House Bill 2833 has the following paragraph:
(b)  For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and [...]

Browsers to spell the end of XSS?

Date July 2, 2008

Congrats to RSnake for working the 'softies and breaking the news that IE8 will have anti-XSS technology built into the browser.
This is really very cool, and as RSnake says, a big step in the right direction - programmers will always make mistakes, and any methods we can help protect against buggy software from being [...]

VA+WAF: that’s hot!

Date June 19, 2008

So, it seems that the whole VA+WAF discussion is clearly the "hot" topic in webappsec this week. First up we have the ts/sci post that I linked to earlier, Andre responded, and we also have a post from the guys at CGISecurity.
I’ll first address one of Andre’s comments before getting into the meat of this [...]

What web application security really is

Date June 17, 2008

One more post before I really should head off to bed.
Another blog that I've read on-and-off, but which has just got a permanent place in my RSS reader, is ts/sci security. There's been one post recently that, although I don't agree with it 100%, certainly is "on the money".
http://www.tssci-security.com/archives/2008/06/15/what-web-application-security-really-is
The only part I’m not sold on [...]

Another feed on my RSS

Date June 17, 2008

Ages back I met Rich Mogull at BlackHat/DefCon and we got on really well. Turns out we have some strange shared background, as he worked backstage on some of the same tours stateside that I did in Europe.
Anyway, Rich is blogging at http://securosis.com/
As an ex-Gartner security analyst he has great insight into the [...]

Quick times for web app security

Date June 7, 2008

Through my RSS reader I discovered the above-named article the other day, so took a quick look. In some ways I wish I hadn't, and I hope that not many other people did either.
The first few tips are pure "security by obscurity", and you should never "sanitize" user inputs - either they pass validation [...]

Data portability security breach

Date June 3, 2008

I ranted a little about data portability when I finally signed up for Facebook and did my "things change" post. Little did I know that only a few days later, my concerns about security on social network sites were to be proven via this data sharing feature.
Byron Ng seems to have a bit of a [...]

Selling security

Date June 1, 2008

Very good article by Bruce Schneier on how selling security is difficult and fraught with cognitive bias. A recommended read for anyone that has to sell security services, whether to customers or internally in their own organizations.

Obama looking for security expert

Date June 1, 2008

Hot off the heels of the XSS silliness between the Obama and Clinton camps, the my.barackobama.com site is looking for a network security expert who wants to…
…play a key role in a historic political campaign and help elect Barack Obama as the next President of the United States.
Ok, no mention of security in that opening [...]