Posted in Security, tagged Adam Shostack, Adobe, Faith, Google, Michael Howard, Michal Zalewski, Microsoft, Ryan Naraine, SDL, Software Assurance, ZDnet on May 21, 2010 |
Michal Zalewski, a security researcher at Google, recently wrote a guest editorial for ZDNet entitled “Security Engineering: Broken Promises”. The article lays out a series of issues with the security industry, specifically looking at an inability to provide any suitable frameworks for software assurance or code security.
We have in essence completely failed to come up with even the most rudimentary, usable frameworks for understanding and assessing the security of modern software; and save for several brilliant treatises and limited-scale experiments, we do not even have any real-world success stories to share. The focus is almost exclusively on reactive, secondary security measures: vulnerability management, malware and attack detection, sandboxing, and so forth; and perhaps on selectively pointing out flaws in somebody else’s code. The frustrating, jealously guarded secret is that when it comes to actually enabling others to develop secure systems, we deliver far less value than could be expected.
Posted in Security, tagged 451 group, Aaron Bawcom, Adam Shostack, Adobe Systems, Al Huger, Alex Hutton, Andy Purdy, antivirus, Arbor Networks, Ben Natan, beyond the perimeter, BigFix, Black Hat, Brad Arkin, Charles Dodd, Cisco, Concord Hospital, Conficker, Cyber Command, Dan Philpott, Dave Watson, David Mortman, Defcon, Doug Washburn, Dr. Peter Tippet, Economics, eIQ networks, EMA, EMC, Enterprise Management Associates, FAIR, FCRA, FIPS, FISMA, Forrester Research, Gartner, government security, Guardium, Hackers for Charity, HIPAA, IBM, Immunet, Information Security, ISS, Jack Daniel, Jeff Jones, Jeremiah Grossman, Johnny Long, Jose Nazario, Joshua Corman, Kaiser, Kaspersky, malware, Mark Starry, Mede Finance, Melissa Hathaway, Men in black, Michael Dahn, Michael Santarcangelo, Michael Smith, Microsoft, Mike Rothman, Nick Selby, NICOR, NIST, patch management, Patric Peterson, Paul Roberts, PCI, Peter Kuper, podcast, Project Quant, Reflex systems, Rich Mogull, Rick Wesson, Risk, RSA, Ryan Russell, Sam Curry, Scott Crawford, Scott Johnson, Sean Goings, Security b-sides, Securosis, Situational awareness, stealing the network, Support Intelligence, TAC Americas, Technical Publishing, Timothy Mullen, Verizon Business Services, Virtualization, Web Application Security, White Hat Security on September 21, 2009 |
Not too long ago I embarked on creating a podcast series that would provide more regularity than the blog. Beyond the Perimeter has been a tremendous amount of fun, and as we just posted our 50th podcast, I wanted to reflect on some of the highlights and the wonderful guests we have been honored to have join us.
Beyond the Perimeter iTunes subscription
Beyond the Perimeter Direct XML Feed