Author: Brian A. McHenry

Application security is difficult. Much of network security can be addressed by segmentation, best practice default-deny firewall polices, and well-placed sensors. That’s an over-simplification of network security practice, but it covers the high-level areas most infosec teams can apply to an effective practice. Application security, on the other hand, seems to require not only a bespoke approach per application, but also much greater cross-functional collaboration and discipline. The DevOps philosophy was meant to solve much of this by fostering cooperation and collaboration between network, security, and developer disciplines at the design, engineering, and operational phases of any application deployment. The…

Picking a name for anything can be hard, but we take a lot of time because it’s important. A name carries meaning, and often creates our first impression of a person, place, or company. When a market segment is defined as “Identity & Access Management” or IAM, it’s no surprise that a technology professional might then seek a single vendor in this space. The reality, when attempting to deploy Identity federation and single sign-on (SSO) services, is that Identity management and Access Management are often separate, but complementary, practices within the application infrastructure. In one area, there are Identity providers…

If you follow technology news, then it’s almost impossible to avoid some mention of “the Internet of Things” or IoT, for short. With the proliferation of smart home devices ranging from lighting to garage door openers to thermostats to cameras and the use of other smart devices in enterprises, the challenges and growth in IoT can be very difficult to pin down. Usually, when conjuring an image of a botnet poised to mount a massively distributed Denial-of-Service (DDoS) attack, the thought of a small army malware- and virus-infected PC’s and servers controlled by some shadowy, anonymized command and control (C&C)…

The 20th edition of Black Hat USA (BHUSA) did not disappoint, if your expectations were the largest exhibit floor, the most lasers, and the biggest attendance ever. Black Hat USA has become one of the most anticipated infosec conferences of the year, and anchors a week that has become affectionately known as Infosec Summer Camp, bookended by Security B-Sides Las Vegas and DEF CON at the beginning and end of the week, respectively. Hats off to anyone able to attend all three events, as the sheer scope and size of Black Hat alone is enough to exhaust anyone over the…

As a student of web application security over the last decade, a constant touchstone has been all of the educational tools and projects available from the Open Web Application Security Project (OWASP). OWASP does a phenomenal job of publishing tools, promoting and funding projects, and fostering a community of students and professionals passionate about application security (AppSec). The most visible of these educational projects is the OWASP Top 10 Vulnerabilities. The first edition of the OWASP Top 10 was published way back in 2004, and has been re-evaluated and re-published every 3 years since then. 2017 marks the fifth edition…

A lot has been written about the explosion in information or cyber security jobs now and in the coming years. For the infosec analyst role alone, he Bureau of Labor Statistics predicts 18% growth through 2024, much higher than average. The median pay in 2016 was also near six figures. Thanks to high profile DDoS attacks and data breaches, I no longer have to explain what a security architect does to family, friends, and acquaintances. More often, the questions I get are about how to get into the information security field, due to the immense number and quality of opportunities…

Complexity is the enemy of security. I first heard this truism from an interview with Bruce Schneier way back in 2001. In the years since, infrastructures have only grown more complex. Virtualization in its many forms is a chief contributor to complexity. Containers within hypervisors within clouds within data centers. As we’ve seen the barriers to rapid deployment fall, complexity and sprawl of infrastructures has grown. Application-layer technologies continue to advance, creating vulnerabilities ripe for exploitation. In attempting to combat attacks on these complexity-related vulnerabilities, the complexity problem is worsened by adding one point security solution after another in the…

As part of our expert panel question series, we have the following question for the month of April 2017 to our expert panel members. Companies can build an excellent security system, but until their third-party partners achieve the same security maturity, their customers are at risk. How can companies effectively manage the risk posed by their partners and what approaches should be taken to minimize this risk?  Experts Responses: Rebecca Herold – CIPM, CIPP/IT, CIPP/US, CISSP, CISM, CISA, FLMI Co-Founder & President, SIMBUS; and Founder & CEO, The Privacy Professor Third party security and privacy risk management is an area I’ve…

At BC Aware Day in Vancouver this past February, I was lucky enough to attend Jack Daniel’s InfoSec Survival Skills talk. Check out the recording or find Jack at a local security conference near you. Jack’s talk focuses a lot on the stresses and triggers we deal with as security practitioners and the coping mechanisms his peers shared with him. All of this got me thinking about the other side of the equation, what keeps us interested in working the field of information security? Many people are interested in a career in information security, and part of that is the…

By now, you’ve seen some breakdown of SaaS vs. PaaS vs IaaS, with respect to security. You’ve also probably seen the most common piece of security advice, which is “patch your (stuff)”. For Software-aaS, the service provider handles patching and system maintenance. Your security concerns are going to be negotiated in all sorts of legal contracts such as the infamous SLA or MSA. For Platform-aaS, you’re responsible for patching the application code and possibly the application server software your organization runs on that platform. The databases, operating systems, and everything else is the provider’s responsibility. For Infrastructure-aaS, you’re responsible for…