
In the last twelve months we’ve witnessed the highest rates of data theft disclosures since the record-setting year of 2008 (including, for the first time in public, Rich’s credit card). So predictably there will be plenty of FUD balloons flying at this year’s conference. From Anonymous to the never-ending Wikileaks fallout and cloud fears, there is no shortage of chatter about data security (or “data governance” for people who prefer to write about protecting stuff instead of actually…
Just a little President’s Day update on the Malware Analysis Quant project. At the end of last month we packaged up all the process descriptions into a spiffy paper, which you can download and check out.

As we continue with our tour through the RSA Conference, we’re in the home stretch. Today we’ll hit both security management and compliance, since the two are intrinsically linked.
Those of you familiar with DAM already know that over the last four years DAM solutions have been bundled with assessment and auditing capabilities. Over the last two years we have seen near universal inclusion of discovery and rights management capabilities. DAM is the centerpiece of a database security strategy, but as a technology it is just one of a growing number of important database security tools. We have already defined Database Security Platform, so now let’s spend a moment looking at…
Just a quick announcement that this Wednesday I will be doing a webcast on how to reduce PCI-DSS scope and audit costs with tokenization. This will cover the meaty part of our Tokenization Guidance paper from last year. In the past I have talked about issues with the PCI Council’s Tokenization supplement; now I will dig into how tokenization affects credit card processing systems, and how supplementary systems can fall out of scope. The webcast will start at 11am PST and run for an hour. You can…

For a little bonus on a Sunday afternoon, let’s dig into the next section of the RSA Guide, Email and Web Security, which remains a pretty hot area. This shouldn’t be surprising since these devices tend to be one of the only defenses against your typical attacks like phishing and drive-by downloads. We’ve decided to no longer call this market ‘content security’; that was a terrible name. Email and Web Security speaks to both the threat models as well as the deployment architectures of what…

Ah, the endpoint. Do you remember the good old days when endpoint devices were laptops? That made things pretty simple, but alas, times have changed and the endpoint devices you are tasked to protect have changed as well. That means it’s not just PC-type devices you have to worry about – it’s all varieties of smartphones and, in some industries, other devices including point-of-sale terminals, kiosks, control systems, etc. Basically anything with an operating system can be hacked, so you need to…
I managed to take a couple days off last week, and got out of town. I went camping with a group of friends, all from very different backgrounds, with totally unrelated day jobs – but we all love camping in the desert. Whenever we’re BSing by the campfire, they ask me about current events in security. There’s almost always a current data breach, ‘Anonymous’ attack, or whatever. This group is decidedly non-technical and does not closely follow the events I do. This trip the question on their…
As you can tell from my TidBITS review of Gatekeeper, I think this is an important advancement in consumer security. There are a lot of in-depth technical aspects that didn’t fit in that article, so here’s an additional Q&A for those of you with a security background who care about these sorts of things. I’m skipping the content from the TidBITS article, so you might want to read that first.

Building security in? Bolting it on? If you develop in-house applications, it’s likely both. Application security will be a key theme of the show. But the preponderance of application security tools will block, scan, mask, shield, ‘reperimeterize’, reconfigure, or reset connections from the outside. Bolt-on is the dominant application security model for the foreseeable future. The good news is that you may not be the one managing it, as there is a whole bunch of new cloud security services and…