What's new around the internet

Latest

| Date (GMT) | Title | Description | Tags |
| --- | --- | --- | --- |
| 2018-05-31 15:22:00 | The DREAD Pirates (direct link) | Then he explained the name was important for inspiring the necessary fear. You see, no one would surrender to the Dread Pirate Westley. The DREAD approach was created early in the security pushes at Microsoft as a way to prioritize issues. It’s not a very good way, you see no one would surrender to the … | |
| 2018-05-25 14:55:03 | NTSB on Uber (Preliminary) (direct link) | The NTSB has released “Preliminary Report Highway HWY18MH010,” on the Uber self-driving car which struck and killed a woman. I haven’t had a chance to read the report carefully. Brad Templeton has excellent analysis of the report at “NTSB Report implies serious fault for Uber in fatality” (and Brad’s writings overall on the subject have … | Uber |
| 2018-05-24 15:03:00 | Threat Model Thursday: Google on Kubernetes (direct link) | There’s a recent post on the Google Cloud Platform Blog, “Exploring container security: Isolation at different layers of the Kubernetes stack” that’s the subject of our next Threat Modeling Thursday post. As always, our goal is to look and see what we can learn, not to say ‘this is bad.’ There’s more than one way … | Uber |
| 2018-05-21 16:15:00 | 4 Common Missteps in Threat Modeling (direct link) | Joan Goodchild is looking at threat modeling for IBM’s Security Intelligence blog, and quotes me in “Ready to Try Threat Modeling? Avoid These 4 Common Missteps.” | |
| 2018-05-15 00:30:02 | Joining the Continuum Team (direct link) | I’m pleased to share the news that I’ve joined Continuum Security‘s advisory board. I am excited about the vision that Continuum is bringing to software security: “We help you design, build and manage the security of your software solutions.” They’re doing so for both happy customers and a growing community. And I’ve come to love … | |
| 2018-05-09 15:31:01 | Just Culture and Information Security (direct link) | Yesterday Twitter revealed they had accidentally stored plain-text passwords in some log files. There was no indication the data was accessed and users were warned to update their passwords. There was no known breach, but Twitter went public anyway, and was excoriated in the press and… on Twitter. This is a problem for our profession … | |
| 2018-05-07 15:21:00 | Redzone Podcast on threat modeling (direct link) | I enjoyed being a guest recently on Bill Murphy’s RedZone podcast. You can take a listen with a variety of tools at “How CIOs Can Use Threat Modelling to Benefit Their Organization: Build Out Your Defenses!” | |
| 2018-05-01 12:24:03 | TESS Launch Closeup (direct link) | John Kraus, via APOD. | |
| 2018-04-30 15:53:04 | Best Cyber News Blogs, thanks! (direct link) | CyberDB was kind enough to include us in their “Best Cyber Security News Blogs 2018.” There’s some standbys and some I wasn’t familiar with on the list. Thank you for including us! | |
| 2018-04-26 14:21:04 | Threat Model Thursday: Q&A (direct link) | In a comment on “Threat Model Thursday: ARM's Network Camera TMSA,” Dips asks: Would it have been better if they had been more explicit with their graphics? I am a beginner in Threat Modelling and would have appreciated a detailed diagram denoting the trust boundaries. Do you think it would help? Or it would … | |
| 2018-04-24 18:52:00 | $35M for Covering up A Breach (direct link) | “The remains of Yahoo just got hit with a $35 million fine because it didn’t tell investors about Russian hacking.” The headline says most of it, but importantly, “‘We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be … | Yahoo |
| 2018-04-23 15:12:04 | Designing for Good Social Systems (direct link) | There’s a long story in the New York Times, “Where Countries Are Tinderboxes and Facebook Is a Match:” A reconstruction of Sri Lanka's descent into violence, based on interviews with officials, victims and ordinary users caught up in online anger, found that Facebook's newsfeed played a central role in nearly every step from rumor to … | |
| 2018-04-19 14:37:05 | Threat Modeling Thursday: #threatmodelhero (direct link) | My friends at Continuum Security have some cool swag here at RSA. Go get some at South 2125 (the Spanish Pavilion). Their meet us blog post. | |
| 2018-04-13 21:40:02 | 346,000 Wuhan Citizens' Secrets (direct link) | “346,000 Wuhan Citizens' Secrets” was an exhibition created with $800 worth of data by Deng Yufeng. From the New York Times: Six months ago, Mr. Deng started buying people's information, using the Chinese messaging app QQ to reach sellers. He said that the data was easy to find and that he paid a total of … | |
| 2018-04-12 23:42:01 | Threat Model Thursday: Talking, Dialogue and Review (direct link) | As we head into RSA, I want to hold the technical TM Thursday post, and talk about how we talk to others in our organizations about particular threat models, and how we frame those conversations. I’m a big fan of the whiteboard-driven dialogue part of threat modeling. That’s where we look at a design, find … | |
| 2018-04-11 16:11:00 | Security Engineering: Computers versus Bridges (direct link) | Joseph Lorenzo Hall has a post at the Center for Democracy and Technology, “Taking the Pulse of Security Research.” One part of the post is an expert statement on security research, and I’m one of the experts who has signed on. I fully support what CDT chose to include in the statement, and I want … | |
| 2018-04-10 16:55:03 | Gartner on DevSecOps Toolchain (direct link) | I hadn’t seen “Integrating Security Into the DevSecOps Toolchain,” which is a Gartner piece that’s fairly comprehensive, grounded and well-thought through. If you enjoyed my “Reasonable Software Security Engineering,” then this Gartner blog does a nice job of laying out important aspects which didn’t fit into that ISACA piece. Thanks to Stephen de Vries of … | |
| 2018-04-05 14:50:00 | Threat Model Thursday: ARM's Network Camera TMSA (direct link) | Last week, I encouraged you to take a look at the ARM Network Camera Threat Model and Security Analysis, and consider: First, how does it align with the 4-question frame (“what are we working on,” “What can go wrong,” “what are we going to do about it,” and “did we do a good job?”) Second, … | |
| 2018-04-03 20:39:05 | John Harrison's Struggle Continues (direct link) | Today is John Harrison’s 352nd birthday, and Google has a doodle to celebrate. Harrison was rescued from historical obscurity by Dava Sobel’s excellent book Longitude, which documented Harrison’s struggle to first build and then demonstrate the superiority of his clocks to the mathematical and astronomical solutions heralded by leading scientists of the day. Their methods … | Guideline |
| 2018-04-02 15:59:00 | Reasonable Software Security Engineering Podcast (direct link) | ISACA has released a podcast that we did to talk about the “Reasonable Software Security Engineering” perspectives article. You can download the podcast at ISACA, or you can use: iTunes, Google Play, Soundcloud. | |
| 2018-03-30 15:49:03 | Blaming the User (direct link) | Via Chad Loder. | |
| 2018-03-29 17:50:00 | Threat Model Thursday: ARM Yourselves! (direct link) | The response to my first Threat Model Thursday was almost uniformly positive. Thank you! I’m going to continue with the series, and have a second one ready. But as I think about how to maximize the value of the series, I want to try something. I want you to read the threat model without me, … | |
| 2018-03-27 20:11:05 | Ries on Gatekeepers (direct link) | Eric Ries wrote the excellent book Lean Startup. In a recent interview with Firstround, he talks about how to integrate gatekeeping functions into a lean business. There is a tremendous amount of wisdom in there, and almost all of it applies to security. The core is that the gatekeeper has compassion for the work and … | |
| 2018-03-23 16:09:01 | Star Wars Friday: Trek and CISSP (direct link) | Larry Greenblat is releasing a series of videos titled “Passing the CISSP Exam with the help of Spock & Kirk.” I, of course, love this, because using stories to help people learn and remember is awesome, and it reminds me of my own “The Security Principles of Saltzer and Schroeder, illustrated with Star Wars.” Also, … | |
| 2018-03-22 15:07:03 | Threat Model Thursday: Synopsys (direct link) | There’s an increasing — and valuable — trend to publish sample threat models. These might be level sets for customers: “we care about these things.” They might be reassurance for customers: “we care about these things.” They might be marketing, they might serve some other purpose. All are fine motives, and whatever the motive, publishing … | |
| 2018-03-20 15:00:05 | Threat Modeling Panel at APPSEC Cali 2018 (direct link) | I really enjoyed being part of this panel. I felt we had a good mix of experience and some really interesting conversations. | |
| 2018-03-15 15:44:04 | Speculative Execution Threat Model (direct link) | There’s a long and important blog post from Matt Miller, “Mitigating speculative execution side channel hardware vulnerabilities.” What makes it important is that it’s a model of these flaws, and helps us understand their context and how else they might appear. It’s also nicely organized along threat modeling lines. What can go wrong? There’s a … | |
| 2018-03-14 17:09:04 | Citizen Threat Modeling and more data (direct link) | Last week, in “Threat Modeling: Citizens Versus Systems,” I wrote: I think that was a right call for the first project, because the secondary data flows are a can of worms, and drawing them would, frankly, look like a can of worms. (and) Many organizations don't disclose them beyond saying “we share your data to … | |
| 2018-03-08 16:54:01 | Threat Modeling: Citizens Versus Systems (direct link) | Recently, we shared a privacy threat model which was centered on the people of Seattle, rather than on the technologies they use. Because of that, we had different scoping decisions than I’ve made previously. I’m working through what those scoping decisions mean. First, we cataloged how data is being gathered. We didn’t get to “what … | |
| 2018-03-06 16:35:02 | “Reasonable Software Security Engineering” (direct link) | I have a new Perspectives article at ISACA, Reasonable Software Security Engineering. It talks about the how, why and where you need to ground a software security engineering program. | |
| 2018-02-22 17:04:04 | Threat Modeling Privacy of Seattle Residents (direct link) | On Tuesday, I spoke at the Seattle Privacy/TechnoActivism 3rd Monday meeting, and shared some initial results from the Seattle Privacy Threat Model project. Overall, I'm happy to say that the effort has been a success, and opens up a set of possibilities. Every participant learned about threats they hadn't previously considered. This is surprising in … | |
| 2018-02-19 17:31:01 | BlackHat and Human Factors (direct link) | As a member of the BlackHat Review Board, I would love to see more work on Human Factors presented there. The 2018 call for papers is open and closes April 9th. Over the past few years, I think we’ve developed an interesting track with good material year over year. I wrote a short blog post … | |
| 2018-02-15 21:30:01 | Keep the Bombe on the Bletchley Park Estate (direct link) | There’s a fundraising campaign to “Keep the Bombe on the Bletchley Park Estate.” The Bombe was a massive intellectual and engineering achievement at the British codebreaking center at Bletchley Park during the second world war. The Bombes were all disassembled after the war, and the plans destroyed, making the reconstruction of the Bombe at Bletchley … | |
| 2018-02-06 16:17:23 | Doing Science With Near Misses (direct link) | Last week at Art into Science, I presented “That was Close! Doing Science with Near Misses” (Google, pptx.) The core idea is that we should borrow from aviation to learn from near misses, and learn to protect ourselves and our systems better. The longer form is in the draft “Voluntary Reporting of Cybersecurity “Near Misses”” … | |
| 2018-01-30 20:32:06 | Jonathan Marcil's Threat Modeling Toolkit talk (direct link) | There’s a lot of threat modeling content here at AppSec Cali, and sadly, I’m only here today. Jonathan Marcil has been a guest here on Adam & friends, and today is talking about his toolkit: data flow diagrams and attack trees. His world is very time constrained, and it’s standing room only. Threat modeling is … | |
| 2018-01-30 19:28:49 | AppSec Cali 2018: Izar Tarandach (direct link) | I’m at the OWASP AppSec Cali event, and while there’ll be video, I’m taking notes: Context for the talk. What fails during the development process? Incomplete requirements, non-secure design, lack of security mindset, leaky development. These failures are threats which can be mitigated (e.g., compliance and risk requirements address incomplete requirements). We keep failing in … | |
| 2018-01-26 16:34:27 | Star Trek's Astromycologist (direct link) | This is very cool: “Star Trek’s secret weapon: a scientist with a mushroom fetish bent on saving the planet.” On Star Trek: Discovery, the character Lieutenant Paul Stamets is an “astromycologist” - a mushroom expert in outer space who is passionate about the power of fungi. Stamets is actually named after a real U.S. scientist … | |
| 2018-01-23 17:34:51 | AppSec California TM Panel (direct link) | I’m participating in the threat modeling panel at AppSec California. Before talking about what we want to talk about, we decided to ask the audience what we should talk about. Please take a minute to fill out our three question survey if you’ll be there. | |
| 2018-01-19 16:27:34 | Fire and building codes (direct link) | What’s more primordial than fire? It’s easy to think that fire is a static threat, and defenses against it can be static. So it was surprising to see that changes in home design and contents are leading to fires spreading much faster, and that the Canadian Commission on Building and Fire Codes is considering mandates … | Guideline |
| 2018-01-11 18:49:09 | The Resistance Has Infiltrated This Base! (direct link) | In a memo issued Jan. 4 and rescinded about an hour later, Deputy Defense Secretary Pat Shanahan announced a new “Central Cloud Computing Program Office” — or “C3PO” — to “acquire the Joint Enterprise Defense Infrastructure (JEDI) Cloud.” “C3PO is authorized to obligate funds as necessary in support of the JEDI Cloud,” Shanahan, a former … | |
| 2018-01-05 17:05:11 | Not Bugs, but Features (direct link) | “[Mukhande Singh] said “real water” should expire after a few months. His does. “It stays most fresh within one lunar cycle of delivery,” he said. “If it sits around too long, it'll turn green. People don't even realize that because all their water's dead, so they never see it turn green.” (Unfiltered Fervor: The Rush … | |
| 2018-01-01 21:19:36 | Pen Testing The Empire (direct link) | [Updated with a leaked copy of the response from Imperial Security.] To: Grand Moff Tarkin. Re: “The Pentesters Strike Back” memo. Classification: Imperial Secret/Attorney Directed Work Product. Sir, We have received and analyzed the “Pentesters Strike Back” video, created by Kessel Cyber Security Consulting, in support of their report 05.25.1977. This memo analyzes the video, … | |
| 2017-12-28 21:25:07 | Threat Modeling Tooling from 2017 (direct link) | As I reflect back on 2017, I think it was a tremendously exciting year for threat modeling tooling. Some of the highlights for me include: OWASP Threat Dragon is a web-based tool, much like the MS threat modeling tool, and explained in Open Source Threat Modeling, and the code is at https://github.com/mike-goodwin/owasp-threat-dragon. What’s exciting is … | |
| 2017-12-27 17:33:29 | Portfolio Thinking: AppSec Radar (direct link) | At DevSecCon London, I met Michelle Embleton, who is doing some really interesting work around what she calls an AppSec Radar. The idea is to visually show what technologies, platforms, et cetera are being evaluated, adopted and in use, along with what’s headed out of use. Surprise technology deployments always make for painful conversations. This … | |
| 2017-12-08 15:47:49 | Gavle Goat Gallantly Guarded (direct link) | ‘Secret’ plan to protect Gävle Christmas goat from arsonists. Previously: Gavle Goat, now 56% more secure!, 13 Meter Straw Goat Met His Match, Gavle Goat Gone, Burning News: Gavle Goat, Gävle Goat Gambit Goes Astray, The Gavle Goat is Getting Ready to Burn! | |
| 2017-12-04 15:34:00 | Learning from Near Misses (direct link) | One of the major pillars of science is the collection of data to disprove arguments. That data gathering can include experiments, observations, and, in engineering, investigations into failures. One of the issues that makes security hard is that we have little data about large scale systems. (I believe that this is more important than our … | |
| 2017-11-28 22:54:29 | The Carpenter Case (direct link) | On Wednesday, the supreme court will consider whether the government must obtain a warrant before accessing the rich trove of data that cellphone providers collect about cellphone users' movements. Among scholars and campaigners, there is broad agreement that the case could yield the most consequential privacy ruling in a generation. (“Supreme court cellphone case puts … | |
| 2017-11-25 17:05:13 | 45 Years (direct link) | I had not seen this amazing picture of Harrison Schmitt near Shorty Crater. Via Astronomy Picture of the Day. If you enjoy these, Full Moon is a gorgeous collection of meticulously scanned Apollo images. There are various editions; I encourage you to get the 11″x11″ one, not the 8×8. | |
| 2017-11-22 18:05:15 | Averting the Drift into Failure (direct link) | This is a fascinating video from the Devops Enterprise Summit: “the airline that reports more incidents has a lower passenger mortality rate. Now what’s fascinating about this … we see this replicated this data across various domains, construction, retail, and we see that there is this inverse correlation between the number of incidents reported, the … | |
| 2017-11-20 19:37:01 | Vulnerabilities Equities Process and Threat Modeling (direct link) | The Vulnerabilities Equities Process (VEP) is how the US Government decides if they’ll disclose a vulnerability to the manufacturer for fixing. The process has come under a great deal of criticism, because it’s never been clear what’s being disclosed, what fraction of vulnerabilities are disclosed, if the process is working, or how anyone without a … | |
Last update at: 2024-05-02 23:07:50