I've had several discussions of late in which people wrestled with how best to secure their applications to a reasonable level, given that applications are increasingly integrated with one another. Here's my take.
Continue reading "How do you measure the criticality of an interconnected system?"
While dealing with security decisions on a daily basis, I realised that the large majority of my decision making is based on compliance with a good architecture. Quite often, if the architecture has been well designed, the security work is minimal and limited to specialist knowledge. On the flip side, when the architecture is one of those copy-paste hacks from a vendor's white paper, the security work mostly revolves around the basics.
Continue reading "Security as a positive architectural investment"
The Airports Company South Africa (ACSA) has decided to follow a cover-your-ass (CYA) security model by implementing the 'liquid ban' first introduced by the demented TSA.
Continue reading "ACSA puts on bigger pants"
One of the easiest ways to overcome security vulnerabilities is to prevent them from being written into the code in the first place. Microsoft is doing a good (not great, but good) job of stepping up to that challenge. The advances in FxCop/Code Analyzer look promising. Also, the Anti-XSS library is looking good, and has benefited from some interaction with RSnake. Get your developers to start playing with these.
I need a way to pull a report of the amount of bandwidth used by local users on Linux boxes. I know this isn't natively supported and requires some sort of kernel patch. Does anyone have any suggestions?