Securosis Blog

New Series: Pragmatic WAF Management

Adrian Lane · July 31, 2012

Outside our posts on ROI and ALE, nothing has prompted as much impassioned debate as Web Application Firewalls (WAFs). Every time someone on the Securosis team writes about Web App Firewalls, we create a mini firestorm. The catcalls come from all sides: “WAFs Suck”, “WAFs are useless”, and “WAFs are just a compliance checkbox product.” Usually this feedback comes from pen testers who easily navigate around the WAF during their engagements. The people we poll who manage WAFs – both employees and…

Keeping track of 10,000+ of anything is a management nightmare. With ongoing compliance oversight, and evolving security attacks taking advantage of vulnerable devices, getting a handle on what’s involved in managing endpoints becomes more important every day. Complicating matters is the fact that endpoints now include all sorts of devices – including a variety of PCs, mobiles, and even kiosks and other fixed function devices. We detailed our thoughts on endpoint security fundamentals a few…

Incite 7/25/2012: Detox

Mike Rothman · July 25, 2012

What is normal? It changes most every day, especially when you are 8. We picked up the Boy from a month away at camp last weekend and we weren’t sure how he’d respond to, uh, real life. After seeing him on Visiting Day the week before, we knew he was having a great time. Maybe too great a time, as the downside is the inevitable adjustment period when times aren’t as fun or active or exciting or anything besides 16 hours of non-stop playtime.

You remember agents, right? Those ‘lightweight’ pieces of code vendors provided to install on all your servers? The code you pushed out to endpoints? The stuff that gathered all sorts of data and provided analysis without any impact on server performance? Agents monitored activity, enforced policies, killed viruses, and foiled botnets, all from a central location, while making you a steaming espresso? Yeah, marketing hyperbole aside, agents are the ubiquitous pieces of code that got installed on…

At the Cloud Identity Summit last week, Craig Burton stated that SAML – the security assertion language that helps thousands of enterprises address single sign-on – is unequivocally dead. Kaput. He presented the following data points to support his argument (I will link to his presentation when available):

Heading out to Black Hat 2012!

Adrian Lane · July 23, 2012

It probably does not need to be said, but just about the entire Securosis team will be at Black Hat this week. And no, not just for the parties, but there will be some of that as well. I want to see a boatload of sessions this year – and I am betting Moss, Schneier, Shostack, Ranum, and Granick on stage together will be entertaining.

Takeaways from Cloud Identity Summit

Adrian Lane · July 23, 2012

“WTF? There are no security people here! I’m at a security conference without security folk. How weird is that?”

I just got back from the Cloud Identity Summit in Vail, Colorado. Great conference, by the way. But as I walked around during the opening night festivities, I quickly realized I did not know anyone until Gunnar Peterson showed up. 400 people in attendance, and I did not know anyone. I’ve been in security for something like 16 years. When I go to a security conference – say RSA or…

Incite 7/18/2012: 21 Days

Mike Rothman · July 18, 2012

21 days. It doesn’t seem like a long time. In the day to day grind of my routine, 3 weeks is nothing. I basically blink and that much time passes. But when your kids are away at camp it is a long time. For us day 21 is a lifesaver because it’s the first visiting day. So last weekend we packed up the car and made the trek to Pennsylvania to see the kids.

Earning Quadrant Leadership

Mike Rothman · July 17, 2012

Our friend Richard Stiennon put his promotional engine in gear this week to push his new book, UP and to the RIGHT. So my Twitter stream has been blown up by all sorts of folks praising Richard’s work. Which is great for Richard. I know what kind of commitment is required to write a book and what’s involved in self-publishing one. Including the Herculean task of getting your buddies to write glowing reviews and generating buzz in the echo chamber.

Heading out to the Cloud Identity Summit

Adrian Lane · July 16, 2012

The summer conference season has begun, and for those of us living in Phoenix, going to conferences is a great way to get out of July’s blast furnace heat. I’m heading out tomorrow to the Cloud Identity Summit in Vail, Colorado. I’m not speaking – just going to hang out and learn. And there is a lot to learn about with new developments in identity management. Many of the basic tools are not actually new – SAML has been around for about a decade – but the rate of product evolution in this field is…