Sunday, October 16, 2016

This site has moved!

Set your blog site bookmarks to,  Please update any article bookmarks since those links have changed as well.

Monday, October 10, 2016

Top Security Expert: IoT Security Is a Market Failure


In a recent post on his Schneier on Security blog, Security Economics of the Internet of Things, security expert and cryptologist Bruce Schneier describes the economics of securing IoT devices.  The post was prompted by the unprecedented DDoS attacks against investigative security journalist Brian Krebs and his web site.  Schneier describes an unusual situation in IoT security: neither the purchaser nor the seller has a business stake in security quality.  As a result, IoT security across the industry is very weak or non-existent.  This is far different from the smartphone and computer markets, where there is a strong business interest in security, regular security patching, and devices are replaced every two to three years.  Schneier notes that weak or non-existent IoT security creates an "externality", a sort of invisible pollution that broadly affects many individuals and businesses.  So while purchaser and seller share no business interest in security quality, other innocent parties may be harmed by their decisions, much like environmental pollution.  Schneier takes a strong stance, describing IoT security as a market failure and arguing that government involvement is the only way to correct a failed market.

Related posts
Security Sucks - Who's to Blame?
A Few Thoughts on Security as a Public Health Issue
Woodsy Owl 2016 - Don't Pollute Software!

Tuesday, October 4, 2016

Why Yahoo's Previous Security Chief Left for Facebook

There is seldom transparency around executive departures but this one is particularly interesting.

[Yahoo's Response] "Yahoo is a law abiding company, and complies with the laws of the United States," the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.

The original story, Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence

Wednesday, September 28, 2016

OWASP WordPress Security Implementation Guide

An email came across the OWASP Leaders list today about securing WordPress.  If you're interested in strengthening your WordPress server, there are some free and helpful tools you may not be aware exist.

OWASP WordPress Security Implementation Guide
The OWASP guide describes techniques and tips across several security domains for strengthening your WordPress servers.  The guide is not version specific, so you should also check whether there are any version-specific vulnerabilities you need to be aware of for your particular WordPress version.

WordPress Nuke
A project by Munir Njenga (OWASP Chapter Leader, Kenya) that takes some of the techniques described in the OWASP WordPress security guide and applies them in a plugin you can install on your WordPress server.  The plugin is being tested with WordPress version 4.6.1 and is a work in progress.

WordPress is an amazing application for managing your blog.  It packs some powerful extensibility features for integrating 3rd party tools, there is a lively community of developers working on those tools, and there's a plugin for almost anything you want to do.  Like many highly extensible and useful software products, WordPress is challenging to secure, which is my reason for posting.
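As an added example (not code from the OWASP guide or from WordPress Nuke), the POSIX shell script below does the kind of check the guide leaves to you: it reads the core version out of wp-includes/version.php so it can be compared against version-specific advisories, and it inspects wp-config.php for two hardening constants, DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN, and for world-readable permissions.  The directory layout is the standard WordPress one; the choice of constants, and the throwaway demo install the script builds under mktemp, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the OWASP guide or from WordPress Nuke:
# a small audit of a local WordPress install that reports the core
# version (so it can be checked against version-specific advisories)
# and a few hardening settings in wp-config.php. Paths assume the
# standard WordPress directory layout; the constants checked are this
# example's own choice.

# Core version as recorded in wp-includes/version.php, e.g. "4.6.1".
wp_core_version() {
    sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Succeeds when wp-config.php defines the named constant as true.
wp_config_true() {
    grep -Eq "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php"
}

# Prints one line per check; returns the number of findings.
wp_audit() {
    root=$1
    findings=0
    echo "core version: $(wp_core_version "$root")"
    for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        if wp_config_true "$root" "$c"; then
            echo "ok       $c is set"
        else
            echo "FINDING  $c is not set"
            findings=$((findings + 1))
        fi
    done
    # wp-config.php holds database credentials and salts; it should not be
    # world-readable (-perm -004 matches when the "other" read bit is on).
    if [ -n "$(find "$root/wp-config.php" -perm -004)" ]; then
        echo "FINDING  wp-config.php is world-readable"
        findings=$((findings + 1))
    else
        echo "ok       wp-config.php is not world-readable"
    fi
    return $findings
}

# Constructed demo install (not a real site): version 4.6.1, file editing
# disabled, FORCE_SSL_ADMIN left unset, and a world-readable config.
make_demo_install() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    cat > "$d/wp-includes/version.php" <<'EOF'
<?php
$wp_version = '4.6.1';
EOF
    cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'DISALLOW_FILE_EDIT', true );
define( 'DB_PASSWORD', 'demo-only' );
EOF
    chmod 644 "$d/wp-config.php"
    echo "$d"
}

demo=$(make_demo_install)
wp_audit "$demo" || echo "$? finding(s) to fix before exposing this install"
rm -rf "$demo"
```

On a real server, source the script and call wp_audit with the document root (for example wp_audit /var/www/html); the version it prints is what you look up against the advisories for your release, and each FINDING line is a setting to change in wp-config.php or on the file itself.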

Monday, September 19, 2016

OWASP 2016 Board Election Interviews

Following are the links to the candidate interviews for OWASP's 2016 Board of Directors election.  I'm running for the board this year, so I have indexed each of the links to start at my response, but feel free to listen to all the responses.

OWASP Podcast Interview Part 1 of 4, Developer Participation [Audio]
OWASP Podcast Interview Part 2 of 4, Vendor Neutrality [Audio]
OWASP Podcast Interview Part 3 of 4, Most Important Issues [Audio]
OWASP Podcast Interview Part 4 of 4, Members, Projects, Conferences, and Chapters [Audio]
