Research

If you are a developer reading this series, you probably have a feel for what Agile development means. For those of you who don’t live it every day, or have read the exceedingly poor Wikipedia page on Agile software development, you are probably wondering what this is all about. In the simplest terms, Agile software development is a set of techniques for building the intended software with fewer errors and better predictability. Each technique is intended to address common failures in ‘waterfall’ development: complexity, poor communication, and infrequent code validation. So Agile approaches embrace simplicity of task, fast turnaround for smaller pieces of working code, and a preference for human interaction over email/document/process oriented interaction. Simpler tasks make it harder for developers to misunderstand what the code is meant to do. Faster iteration produces working code more often, with three distinct benefits: early confirmation that you are building the correct solution, quicker detection of breakage, and more accurate project completion estimates. Face-to-face human interaction helps clarify what everyone on the team is building, and greatly reduces communication errors – which are far too common with ambiguous documentation and code specifications. Smaller, simpler, and faster. The most popular flavor of Agile today, by a large margin, is Agile with Scrum. Each characteristic of this approach has been selected to support agility. For example short development ‘sprints’, typically 1-4 weeks, are used rather than the 18-month cycles common to traditional waterfall development. Agile with Scrum relies on daily ‘scrum’ meetings, where all the developers meet face-to-face to discuss what they will be working on that day. Developers receive their tasks on 3×5 cards, which quite effectively limits task complexity. Each sprint focuses on iterative improvements rather than complete feature delivery. This ensures that only functional code modules are checked in – unlike waterfall where every feature is typically crammed in on deadline. If you need more information, Ken Schwaber’s book Agile Project Management with Scrum is the best reference we have found, so pick up a copy if you want detailed information. So why do security professionals care? Because development has shifted focus to smaller, simpler, and faster – effectively excluding slow, indeterminate, and complex security tasks. Over the past 15 years development processes have evolved from waterfall, to rapid development, to extreme programing, to Agile, to Agile with Scrum, to the current darling: DevOps. Each evolutionary step was taken to build better software by improving the process of building software. And each step embraced changes in tools, languages, and systems to encourage Agile processes while discouraging slower and cumbersome processes. The fast flux of development evolution deprecated everything that did not mesh well with the new Agile model – including security. Agile got a bad rap with security because the aspects that promoted better software development (in most ways) broke conventional approaches to building security into code. There are several areas of conflict. Tests that do not fit the Agile process: The classic example is development teams moving to a 2-week Agile ‘sprint’, when security relied on 2 months of automated fuzz testing. Security data that does not integrate with development systems: The classic example is external penetration testers who identify thousands of instances of hundreds of vulnerabilities, then dump unexplained findings onto development teams, who have no idea what to do with the results. Security tools that do not integrate with development realities: The classic illustration is testing tools which required 100% of code, with all supporting libraries, to be fully built before tests can be conducted. This prerequisite breaks small iterative code changes, delivered weekly or daily. Insufficient knowledge: Just a few years ago most developers did not understand XSS or CSRF, and when they did, it was unclear how these issues should be addressed across the code base. Understanding threats and remediation were not common skills. Getting security into the work queue: The move from waterfall to Agile meant the removal of specific security testing phases, or ‘gates’ in the waterfall process. For security features or fixes to be integrated, they must now be documented as tasks, and then prioritized over other features – otherwise security gets ‘starved’ off the development queue. Policies: A big book of security policies, vulnerabilities, and requirements is extremely un-Agile. One of waterfall development’s most serious issues is large complex specifications that confuse developers. Agile development is an effort to protect developers from such confusing and unwieldy presentation of essential information. During this amazing period of advancement in software development, we have seen an equally amazing evolution among hackers and attacks against applications of all sorts. Security has largely remained static, but there are plenty of ways to integrate security into software development, provided you are willing to make the necessary adjustments. Our next post will help you do so. Share:

Back in 2009 Rich and I wrote a series on Building a Web Application Security program. That monstrous research paper discussed the new security challenges of building web applications, outlining how to incorporate security testing for specific types of web development programs. That research remains relevant today but issues of how to incorporate security into software development organizations – and most acutely into Agile development – remains a constant problem for clients. Knowing what tool to use and where does not address the fundamental issues of culture, goals, and process that make secure code development such a challenge. We have discussed many of the pitfalls of integrating security into Agile processes in the past, but never gone so far as to help security practitioners and CISOs learn to work with development teams. And that is about to change. Today we start a new research series on Secure Agile Development. Embedding security into development processes is hard. Not because developers don’t care about security – the majority of developers we speak with are both interested in security and would like to address security issues. But developers are focused on delivery of code, and spend a good deal of time trying to get better at that core goal. Development processes have undergone several radical evolutionary steps over the last 15 years, with tremendous efforts to deliver code faster and more efficiently. Agile frameworks are the new foundation for code development, with an internal focus on ruthlessly rooting out tools and techniques that don’t fit in Agile development. That means secure development practices, just like every other facet of development, must fit within the Agile framework – not the other way around. Our goal for this research is to help security professionals understand Agile development and the issues developers face, so they can work together better. We will discuss rapid development process evolution, feature prioritization, and how cultural differences create friction between security and development. Speed and agility are essential to both sides; tools and processes that allow security issues to be detected earlier, with faster recovery, are beneficial to both. We will offer advice and approaches on bypassing some of the sticking points, and increasing the effectiveness of security testing. The structure of this series will be as follows: Agile and Agile Trends: We will start by highlighting several key trends in development today, including the evolution of fast-flux development processes. We will offer a very basic definition of Agile development. We will use it to show both why security and development teams don’t easily mesh, and how Agile development gets a bad reputation for security. We will also shed some light on how the cloud and mobile devices add new wrinkles to application security, offering suggestions for how to “skate to where the puck is going”. Working with Development: Next we will discuss how security can work well with development, and how best to insert security into the development process to work more closely with development teams. We will list many of the core friction areas and how to avoid common pitfalls. We will discuss how to share information and expertise – with a particular focus on how external stakeholders can best support development teams within their process, including discussion of information sharing, metrics, and security training. Integrating Security into Agile: After considering how best to work with development, we will take a more process-oriented look at integrating security into Agile development. Agile may lack the neatly delineated architecture, design, QA, and implementation phases of waterfall development; but each of these remains a core development task, and an opportunity to promote secure software development. We will discuss functional security requirements, security in the context of different development phases, use of security stories, threat modeling, and prioritization of security among the sea of development tasks. Tools and Testing in Detail: We have covered the people and process aspects of Agile, so here we will consider some that automate security efforts. Every development team relies heavily on tools to make their job easier. Security testing tools are even more critical because they both make identification of defects easier; and also automate discovery, reporting, and tracking. Few developers are security experts, so we discuss which tools and testing methodologies fit within the various phases of the development process. We will cover unit tests, security regression tests, static and dynamic analysis, pen testing, and vulnerability analysis. We will discuss how these efforts are integrated with Agile management and bug tracking tools to help define what a legitimate security toolchain looks like to cover relevant threats. The New Agile – DevOps in Action: We will close out this series with a glimpse of where development trends are headed. We will offer our perspective on what DevOps is, why it helps, and how automation and software defined security weave security practices tightly into software delivery. We will discuss usage of APIs, as well as policies and scripts to automate continuous integration and continuous testing efforts. Next up: trends in Agile development. Share:

They say when industries go nutty with consolidation and high-dollar M&A deals, the only folks who really make money are the bankers and the lawyers. Shareholders end up holding the bag, but these folks have moved on to the next deal. Given all the recent retail sector breaches (there are too many to even link), let’s take a look at who is going to profit. Mostly because we can. The forensicators are first in line. They are running the investigations and figuring out how many millions of identities and credit cards have been stolen. The next group feeding at the breach trough are the credit monitoring folks, who get a bulk purchase agreement each time to cover consumers who were compromised this time. The crisis communication PR folks also generate hefty bills. Customers are pissed and the retailer is on the evening news – not for the new store design. The company needs to start driving the message, which means they need PR heavies to start spinning like a top. Ka-ching. Of course security vendors win as well. There is no time to grab security budget like right after a breach. Senior management doesn’t ask why – they ask whether it is enough. Every security salesperson tells tall tales about how their products and services would have stopped the breach. Who cares if the offering wouldn’t have made a difference? Don’t let the truth get in the way of the new BMW payment! It’s a feeding frenzy for a few quarters after the breach. Sell, sell, sell! But it doesn’t end there – lawyers always get their piece of the action by launching a variety of class-action suits against the retailer. We haven’t yet (to my knowledge) seen a successful judgement against a company for crappy security resulting in lost identities, but it’s coming. Although it is usually just easier to settle the class action rather than fight it. The lucky winners in the class action might each get a $5 gift card. The lawyers walk away with 20-30% of the judgement. Yes, that’s a lot of gift cards. Internally the company needs to make sure this kind of thing doesn’t happen again. So they fire the existing CISO and look for another one. Then the security recruiters spring into action. The breached retailer is looking, but many others will either try to fill their own positions, or perhaps decide to make a change before they find themselves in the same unhappy place. Of course the new CISO had better take advantage of the first few quarters during the honeymoon, with a mandate to fix things. Lord knows that doesn’t last long. Soon enough retailers always realize they are still in a low-margin business, and spending on security technology like a drunken sailor hasn’t helped sell more widgets. But that flyer in the Sunday paper offering a 35% discount sure did. Finally, let’s not forget the shareholders. You’d think they’d be losers in this situation, but not so much. Wall Street seems to be numb to breaches by now. The analysts just build the inevitable write-down into the model and move on. If anything it forces companies to button down some leaky operational issues and might even improve performance. Of course the loser is the existing CISO and maybe the CIO, who get thrown under the bus. But don’t feel too bad for them. They will probably write a book and do some consulting while they collect the severance package and the road rash heals. Then they’ll get back in the game by being candid about what they learned and how they will do it differently next time. We have all seen this movie before. And we’ll see it again. And again. And again. Photo credit: “Pigs at trough, 1927” originally uploaded by King County, WA Share:

Sometimes life sneaks up on you. Often when I am introduced to new clients and professional contacts, it is as “Analyst and CEO of Securosis; he used to be at Gartner”. I am fully cognizant of the fact that not only is Gartner where I started my analyst career, but also that my time and title there are the reason I was able to start Securosis. Not only did I learn how to be an analyst, but the Gartner name (as much as it pains some people) still carries a lot of weight. Leaving as a VP carries even more (a gift from my former boss, who knew he could never get my pay where it needed to be). It still carries weight to this day. We have a hell of a good brand in Securosis, but large swaths of the world have never heard of us. “Former Gartner” still helps open those doors. Even though the kind of work we do today carries very little resemblance to what I did back at the G. To be honest, I’m not even sure we are analysts anymore. It’s still part of what we do, but only one facet. Recently I have run into more of my former colleagues at various events. Black Hat, Boxworks, and other random analyst days and conferences. Most of them still work there, and all are shocked when I mention that I have now been running Securosis longer than I was at Gartner. This summer we passed the 7-year mark as a company. That’s exactly as long as I was at Gartner, and I wasn’t even an analyst for my first year. It’s longer than any other professional job I have held, and almost as long as I spent at the University of Colorado (8 years for my undergrad – it’s a Boulder thing). I still remember the first few months of the company. How I could barely sleep at night because I was so excited about what the next day would hold. Waking up early and jumping on my computer to blog, research, and spend entirely too much time on Twitter. Seven years is a long to maintain that enthusiasm. Since then I have added three children to my family, been through two major medical challenges, and built up the stress and overhead that comes from moving from a one-person shop with no clients… to one with partners, contributors, software platforms, and dozens of active clients (not counting all the one-off projects). I now literally lose entire days purely to dealing travel plans, invoices, and expenses. And really, no one with three kids under the age of five ever wakes up, on their own, with enthusiasm. But despite the overhead, chronic sleep deprivation, and stress of deadlines and commitments, this is the single most exciting time of my career. I may wake up a little rough around the edges, and feel like there is never enough time in the day, but I am engaged in my most compelling and challenging work since I first entered the workforce as an underweight security guard. About four or five years ago I placed a bet on cloud computing, and later on what is now known as DevOps. Those bets are paying off bigtime as those entangled disruptive forces trigger massive changes in how we deliver and consume technology. Aside from paying off financially (apparently there still aren’t that many people who really understand cloud and DevOps security out there), the work is… exciting. It’s a hell of a lot of fun. Every day I wake up not only with something new to learn, but with the confidence that I can use it to support my family as I gain and expand that knowledge. It is really hard to imagine a better job (without zero gravity or secret lairs). Although being interviewed by the Wall Street Journal on celebrity nudes was still kind of a surprise. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted in the Wall Street Journal on the celebrity hacks. Rich’s article on the same issue at TidBITS. And a zillion other articles on the story. Mike quoted on context-aware security in SearchNetworking. Mike quoted on Wendy Nather being named a “Power Player” in Security. Wendy is awesome and one of our favorite people in the industry. Mike couldn’t be happier to be quoted in the piece. Mike’s “Change Agent” – Trusted Information Systems. Mike did a blog post/video for Digital Guardian naming a “change agent” that had an impact on how security has evolved… Check it out. Mortman Quoted about DevOps by the Hulminator. Chasing consistency across the wild seas of enterprise IT Favorite Securosis Posts Let’s be honest: we only had three posts by Mike this week, so we’ll call them all favorites. Other Securosis Posts Feeding at the Data Breach Trough. Incite 9/3/2014: Potential. PR Fiascos for Dummies. Favorite Outside Posts Mike Rothman: Infosec is a strange industry. Gunnar is right. There are many parallels between security and finance (another ‘strange’ industry). I’d add another to the list. Success in security is when nothing happens. If that’s not strange, I don’t know what is… Adrian Lane: 11 Reasons Email Is the Worst. This is fascinating – not for the insights into the limitations of email, but for its astute examination of human behavior. Worth the read! Rich: Not Safe for Not Working On by Dan Kaminsky. Dan really addresses the root issue here, at both psychological and practical levels. Must read. Gunnar: Hacker Breached HealthCare.gov Insurance Site. “If this happened anywhere other than HealthCare.gov, it wouldn’t be news,” a senior DHS official said.” Not the best excuse. Mortman: Bringing new security features to Docker. Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of

It starts with a blank slate. Not entirely blank because some stuff has happened over the past few months, which offers hints to where things will go. But you largely ignore that data because you want to believe. Maybe this time will be different. Or maybe it will be the same. All you can see is potential. Yet soon enough the delusions of grandeur will be shown to be exactly that – delusions. No, I’m not talking about self-help or resetting your personal or professional lives. I’m talking about the NFL season. It starts on Thursday night and I’m pumped. I’m always pumped for football. Sure, there were some college games over the weekend, and I enjoyed watching those. But for me nothing compares to the pro game. Will my teams (the Giants and Falcons) recover this year? Will their off-season efforts be enough? Will the other teams, who have been similarly busy, be even better this year? Can I look forward to being excited about the NFL playoffs in January because my teams are in, or will I be paying attention to the bowl games to look for high draft picks for next year? Like I did this past January/February. So many questions, but all I have now is optimism. Why not? I’ve been following the beat reporters covering my teams every day. They tweet and file reports about practices and injuries and dissect meaningless pre-season games. It’s fun for me and certainly better than chasing down malware-laden sites claiming to have celebrity nudie pictures. My teams have holes, but that’s OK. You forget about those in the build-up to the first week. There is plenty of time over the next four months to grind my teeth and wonder why they cut this guy or call that play. No second-guessing yet – there isn’t much to second guess. Until next Tuesday morning anyway. Soon enough we’ll know whether the teams are real. It’s always fun to see which teams will surprise and which will disappoint. Soon the suspense will be over. It’s time. And I’m fired up. I’ll be in the GA Dome on Sunday. You know, that guy losing his voice as the Falcons take on the Saints. Same as it ever was. –Mike Photo credit: “NFL Logo” originally uploaded by Matt McGee The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. The Security Pro’s Guide to Cloud File Storage and Collaboration Additional Security Features Core Security Features Overview and Baseline Security Introduction Leveraging Threat Intelligence in Incident Response/Management Quick Wins The (New) Incident Response & Management Process Model Threat Intelligence + Data Collect = Responding Better Really Responding Faster Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Incite 4 U Foole and Boobage: As alluded above, the Intertubes exploded over the weekend – not with news of things that matter, like global unrest, tentative ceasefires, NASCAR, college football, or even more ice-bucketry. Everyone was aflutter about seeing some celebrity boobies. Everyone now has an opinion about how the hack happened, even your general mass media sites chock full of security expertise. Yes, that was sarcasm folks. As usual, don’t believe everything you read on the Internet – a lot of speculation is wrong. I have no inside information and neither does our resident Apple Fan Boi, the Rich Mogull. Which means those folks probably don’t either, so they are coming up with plausible threat models that could have resulted in an attacker (or group of attackers) gaining access to the Photostreams of these celebrities, who evidently like to take pictures of themselves without shirts on. I’m certainly not judging that, despite the fact that folks get pretty uptight about seeing breasts in the US. I am judging the baseless speculation. At some point we may find out how it happened. Or we may not. At the end of the day, if you take nudie pictures and store them in a cloud service, other people may see them. Not that it’s right, but it’s reality. (PS: Dog yummy to anyone who gets the reference in the title.) – MR Customer centric: Owen Thomas discusses the gaps Apple needs to address before they can enter the payments market, but his arguments assume Apple wants to go all in. If their goal is to provide mobile payments Apple

If you are the head of communications for a big company and one of your executives goes off-script and says something … ill advised … and puts the foot in the mouth, what can you do? You curse the gods for putting you in that job and you long for the days when someone else was in the hot seat, when you have to go into damage control. What else could the head of Trend Micro’s marketing be thinking when CISO Tom Kellermann basically said Russians are smarter than Americans. Evidently he really said this. I don’t even know where to start and I’ve known Tom for years. He’s not dumb, but that’s a dumb statement. Thereby making a strong argument for his hypothesis: Tom, you see, is an American. The lengths people go to be proven right continue to astound me. Maybe he means that Russian attackers take a more strategic view of their jobs. And that they view hacking as a national area of focus (like the Chinese). But the money shot, where he states Russians are ‘smarter’ is not a conclusion you can legitimately draw. Not without coming off sounding like a jackass. If we are going to dabble in crass generalizations, it seems like Stuxnet was pretty strategic but didn’t come from Russia. So there’s that. But let’s be real and understand that kind of statement is bait for every clickwhore. Graham Cluley jumps on it and basically calls it what it is: an idiotic statement. Though I do take issue with Graham attributing the statement to Trend Micro as a whole, rather than just Kellermann shooting from the hip to hit himself in the head with a shotgun blast. Trend’s research seems to have been focused on Russia’s strategic approach to hacking – not a generic question about the intelligence of the American populace. But I’m sure Graham got lots of clicks for his assessment as well, so the beat goes on… Photo credit: “profile picture” originally uploaded by vtbrak Share:

Wendy (again) states things that we should already know in such an easy to understand way, that you smack yourself upside the head and wonder why you didn’t think of it. Her post on the 451 blog about The hierarchy of IT needs makes very very clear why you continue to have problems making the case for security in your organization. I won’t just pirate her image, but go look at it and it will feel like a gut punch. Of course there are exceptions to this hierarchy. Like in the few quarters after a high-profile breach. Then blow up the pyramid and spend all the money you can. It won’t last long. Soon enough senior management will forget the pain and get back to allocating resources based on your business needs. Wendy also offers a secret that can help get funding for those security projects you know you need to do, but can’t get senior management to understand. If you can tie security to one of the lower requirements (lower than compliance, that is), you’ll have a much better chance at getting it incorporated more frequently. And to net it out, more wisdom: This hierarchy of needs also explains why security is an afterthought, and how even in the most mature of environments, it gets abandoned if one of the lower layers is suddenly threatened. It’s why holes get left in firewalls, why the accounts of terminated employees are still running services, and why back doors are left in systems. It’s all about keeping things working. This is our reality. You can certainly resist it and bang your head against the wall repeatedly. But the only thing that will accomplish is to give you a headache. You won’t get any more funding, because the hierarchy of IT needs is alive and well. Photo credit: “Hierarchy of Letter Boxes” originally uploaded by Michael Coghlan Share:

As you are likely out of the office much of today, preparing for a long weekend, I will keep this week’s summary short and to the point. Another three-star set of nits to pick. *** With Apple’s new product announcements just a couple weeks away, Wired’s Will Apple Kill Off the Credit Card Like It Did the Compact Disc? asks the wrong question. I don’t claim any specific knowledge of what Apple is thinking when it comes to payments, but I am willing to bet they would not describe their strategy as replacement of credit cards. In fact, just asking whether Apple is looking to kill off credit cards is myopic. It’s like asking if smartphones were out to kill land lines – ultimately they did, but powerful mobile handheld computers transformed many facets of daily life, including basic things like our definition of ‘computer’ and how we use information. The move to mobile payments by Apple and other platform providers is more about fundamental long-term transformation of payments to something more convenient, more ubiquitous and…probably…more secure. *** The Opportunity Cost of Automating Database Auditing should have a big NOT in the title. Not in that Borat ‘NOT!’ way, but better to consider the opportunity cost of not auditing databases as an information source. As a former vendor of database monitoring and auditing products, I always felt it would have been prudent for some of the compliance mandates to include database infrastructure in their lists of required controls. The database offers more accurate information than most other sources, and can help bypass a lot of manual work if done correctly. And certainly the repository that holds the bulk of enterprise data – relational databases have been king of the data management platforms for a couple decades – warrants some special mention. But they don’t get it. PCI? Nope. CA-1386? Nope. Basel II? Nada. Not even Sarbanes-Oxley, which is a special case given that Worldcom – one of the law’s poster children – was convicted based on analysis of database transaction records. But database auditing is not part of the requirement. The key ROI cost discrepancy is not between different kinds of database auditing – it is between database auditing and other types of auditing which require more effort for lower-quality results. *** Tim Raines wrote recently on the Microsoft blog about Major Rights Management Update to Office on Azure. This is less about user entitlements than enforcement. Look at the provided examples: it is app-layer Digital Rights Management. Yes, platform providers (such as Apple and Google) have a unique advantage as they control the cloud servers and the mobile applications that use them. In essence this offers control over who can view/use data under what circumstances, but it is more interesting when the data owner can control rights in the data management solution context. Most existing DRM options require learning third-party products, and disassociate where you set policy from where the data is managed. This is essentially what many firms are attempting to accomplish with MDM solutions and various mobile containers. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences James Arlen quoted in Cybersecurity’s hiring crisis: A troubling trajectory. Favorite Securosis Posts Adrian Lane: Shipping Decent Breach Notification. David Mortman: Respect the Hierarchy. Mike Rothman: The Data Breach Triangle. This is a classic from back in 2009. And a concept I still use in almost every meeting, so it has aged pretty well. Other Securosis Posts Incite 8/27/2014: It takes a village. Friday Summary: STEM. Favorite Outside Posts Adrian Lane: Point-of-sale malware has now infected over 1,000 companies in US. A thousand that they know about. We could reach an inflection point with mobile devices where we simply move financial transactions out of retail establishments… Which should have happened a long time ago. Rich: Trolls drive Anita Sarkeesian out of her house to prove misogyny doesn’t exist. This upsets and depresses me beyond belief. Tech overall has a problem with how we treat women, and security is no exception. I’m not saying we are any better or worse, but this is an important read to see how extreme the problem is, and to remember we are far from immune. Gunnar: Sabermetrics vs. second-hand knowledge. Mike Rothman: Netflix releases home-grown DDoS detectors. I’m digging how Netflix continues to contribute their security tools to the community. This is great for everyone. Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. Top News and Posts Update on reviewing our data practices and Bugzilla development database disclosure. Did Arizona turn over its counterterrorism database to a Chinese spy? It is difficult to tell whether this is political poop-flinging or there is real evidence of crime, but an interesting discussion. Cyber attack reveals data on at least 25,000 workers at the US Department of Homeland Security. FBI investigating Russian links to JPMorgan hacking. Don’t waste time on Code Reviews. Compromised Facebook accounts create scam events. Masscan does STARTTLS. Creators of New Fed-Proof Bitcoin Marketplace. DQ Breach? HQ Says No, But Would it Know? White House Going With ‘Security By Obscurity’ As Excuse For Refusing To Release Healthcare.gov Security Details. End to End. Espionage programs linked to spying on former Soviet targets. Share:

The first couple weeks when the kids are back in school can be a little rough. We don’t have the routine down so there is some inevitable confusion and miscommunication. There are just so many details. Who is picking up which kid, from where? We drive that carpool which night? What is the address of the 3rd kid to grab for LAX practice? You know, that kind of thing. And that’s just the logistical stuff the Boss and I need to figure out. Complicating matters is the alternative schedules we have to maintain. One when I’m in town, and the other for when I’m on the road working with clients. Obviously things are a bit easier when I can lend a hand and grab this kid from there and/or take the other kid to the dance studio. We have found it really does take a village to raise kids nowadays. I remember when I was growing up and my Mom worked in a retail pharmacy. Some nights she would have the afternoon shift and then have to close the store. I was a latchkey kid, so once we were old enough to go home and fend for ourselves for a couple hours (probably late in elementary school for me) I would take my brother home and we’d play until Mom got home. Sometimes I’d go to a friend’s house and play a game of pick-up football. Another kid had an Intellivision so we went to his house a lot. I became pretty self-sufficient. My Mom would cook a bunch of meals over the weekend, and I’ll pull one out of the freezer and throw it (whatever it was) into a pan and boom! Dinner. If my clothes were dirty I put them in the wash. She would get home after a long day of work standing in the pharmacy and make sure we got our homework done, and we all had to lend a hand to get everything done. That’s just the way it was for us. Nowadays that wouldn’t work very well. Sure my kids can do laundry and probably even warm up their food (through the magic of the microwave!) But the kids can’t get themselves to dance practice 4 days a week. I guess the Boy could walk down to his tennis practices in the neighborhood, but he can’t walk the 10 miles to LAX practice Monday nights. Actually he could, but probably not in time for 6pm practice. So we work it out with the other parents. We drive some nights and pick up others. With 3 kids and overlapping activity schedules, there isn’t really any other way – especially given my travel schedule. Though we got a little smarter this year. I put the kid’s schedule in my phone, so I know which practices are what days and where. We discuss who is doing what at the beginning of the week, so I know where I’m expected to be, and I put it in my calendar. The goal is to minimize confusion and so far it’s working. And we took another step towards what emancipation looks like for 10-year-olds this year. We got them pre-paid cell phones, so when they are tooling around the neighborhood or at their various practices, and we make the inevitable mistakes, they can just call. It’s very helpful to just dial them up and figure out where they are. My Mom didn’t have that option – she sometimes had to drive around the neighborhood to figure out which back yard I was playing in. Yes, things are more complicated now, but we have much better tools to handle them. But the thing that hasn’t changed? The relationships you build with people who can lend a hand when you need one. And where you lend a hand when they need one. No magic device or web-based service can replace that. –Mike Photo credit: “The Village Store and Tea Shop” originally uploaded by Alison Christine The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. The Security Pro’s Guide to Cloud File Storage and Collaboration Additional Security Features Core Security Features Overview and Baseline Security Introduction Leveraging Threat Intelligence in Incident Response/Management Quick Wins The (New) Incident Response & Management Process Model Threat Intelligence + Data Collect = Responding Better Really Responding Faster Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management

Many folks have strong opinions about the right way to perform breach notification. More to the point, many folks think they know what not to do. But that’s okay – the great thing about opinions is that everyone gets their own. Recently the UPS Store, a franchised chain of shipping stores, reported a breach. In the incident information they detailed about how many of their stores were impacted. They listed dates when they determined the store systems were breached, and dates the systems were cleaned up. They also provide a fairly comprehensive FAQ about what happened and what affected consumers should do. Additionally they are providing credit monitoring services for the impacted. As a security guy, it would be great to have learned more about the specific malware and other technical details of the incident and the cleanup. But that level of detail would be lost on most folks impacted by this breach. The notification and FAQ told consumers what they need to know and to do. Complicating matters is the fact that the franchises are independently owned, and UPS doesn’t control their networks. So the fact that they clearly investigated all 4,470 stores is impressive as well. Kudos to UPS and the UPS Store folks. Among all the breach notification fiascos we see, it is good to see one done well. Photo credit: “UPS Store” originally uploaded by Mike Mozart Share: