Regulation can fix security, except you can’t regulate security

Every time I start a discussion about how we can solve some of our security problems it seems like the topics of professional organizations and regulation are where things end up. I think regulations and professional organizations can fix a lot of problems in an industry, I’m not sure they work for security. First let’sContinue reading “Regulation can fix security, except you can’t regulate security”

Security will fix itself, eventually

If you’re in the security industry these days things often don’t look very good. Everywhere you look it sometimes feels like everything is on fire. The joke is there are two types of companies, those that know they’ve been hacked and those that don’t. The world of devices looks even worse. They’re all running oldContinue reading “Security will fix itself, eventually”

Security isn’t a feature, it’s a part of everything

Almost every industry goes through a time when new novel features are sold as some sort of add on or extra product. Remember needing a TCP stack? What about having to buy a sound card for your computer, or a CD drive? (Does anyone even know what a CD is anymore?) Did you know thatContinue reading “Security isn’t a feature, it’s a part of everything”

Trusting, Trusting Trust

A long time ago Ken Thompson wrote something called Reflections on Trusting Trust. If you’ve never read this, go read it right now. It’s short and it’s something everyone needs to understand. The paper basically explains how Ken backdoored the compiler on a UNIX system in such a way it was extremely hard to get ridContinue reading “Trusting, Trusting Trust”

Can we train our way out of security flaws?

I had a discussion with some people I work with smarter than myself about training developers. The usual training suggests came up, but at the end of the day, and this will no doubt enrage some of you, we can’t train developers to write secure code. It’s OK, my twitter handle is @joshbressers, go tell meContinue reading “Can we train our way out of security flaws?”

Software end of life matters!

Anytime you work on a software project, the big events are always new releases. We love to get our update and see what sort of new and exciting things have been added. New versions are exciting, they’re the result of months or years of hard work. Who doesn’t love to talk about the new coolContinue reading “Software end of life matters!”

What happened with Badlock?

Unless you live under a rock, you’ve heard of the Badlock security issue. It went public on April 12. Then things got weird. I wrote about this a bit in a previous post. I mentioned there that this better be good. If it’s not, people will get grumpy. People got grumpy. The thing is, this is aContinue reading “What happened with Badlock?”

Cybersecurity education isn’t good, nobody is shocked

There was a news story published last week about the almost total lack of cybersecurity attention in undergraduate education. Most people in the security industry won’t be surprised by this. In the majority of cases when the security folks have to talk to developers, there is a clear lack of understanding about security. Every nowContinue reading “Cybersecurity education isn’t good, nobody is shocked”

Security is really about Risk vs Reward

Every now and then the conversation erupts about what is security really? There’s the old saying that the only secure computer is one that’s off (or fill in your favorite quote here, there are hundreds). But the thing is, security isn’t the binary concept: you can be secure, or insecure. That’s not how anything works.Continue reading “Security is really about Risk vs Reward”