Primary research papers from Securosis, released under Creative Commons licensing.
Securosis Research is developed under the Totally Transparent Research Process.
The Universal Cloud Threat Model is a collaboration between PrimeHarbor Technologies and Securosis. It is a cloud-centric threat model to help organizations focus security efforts on the most-common attacks most organizations will experience. The UCTM is designed as an adjunct to other threat models. From the introduction:
Security Operations, SecOps for short, has been one of the more difficult security domains to modernize for cloud. It requires a combination of new subject matter expertise, new technologies, process updates, and even a slightly different mindset. Cloud impacts SecOps in ways both obvious and subtle, and because most organizations still have datacenters and offices, teams need to add new skills and update operations while still supporting everything already on their plates. It’s a daunting…
Data security remains elusive. You can think of it as something of a holy grail. We’ve been espousing the idea of data-centric security for years, focusing on protecting the data, so you can worry less about securing devices, networks, and associated infrastructure. As with most big ideas, it seemed like a good idea at the time.
The way applications are built, deployed, and maintained in most organizations is being disrupted. Macro changes include the ongoing cloud migration disrupting the tech stack, new application design patterns bringing microservices to the forefront, and DevOps changing dev/release practices. As we’ve been slowly navigating this sea change, the common thread across these changes is increasing reliance on Application Programming Interfaces (APIs).
After many decades as security professionals, it’s depressing to keep seeing the same issues and mistakes. It feels like we’re stuck in hacker Groundhog Day. Get up, clean up the mistakes made by users or administrators, handle a new attack, and fill out compliance reports, only to have to do it all over again the next day.
Presentations from Securosis analysts at conferences and events.
Our discussion of the PCI Council’s Tokenization Information Supplement.

Tokenization Guidance (PDF)
From the AppSec US 2010 OWASP conference.
This is a reference page for database events commonly captured in the Audit Logs for major relational database platforms.
This presentation provides an executive summary of XML security issues: XML_SecurityOverview.pdf
Our presentation on Building A Web Application Security Program. This was presented as supplementary material to the white paper of the same name.