The WAF Is Not Enough

Application security is difficult. Much of network security can be addressed by segmentation, best practice default-deny firewall polices, and well-placed sensors. That’s an over-simplification of network security practice, but it covers the high-level areas most infosec teams can apply to an effective practice. Application security, on the other hand, seems to require not only a […]

Access Management, With A Side Order Of Identity

Picking a name for anything can be hard, but we take a lot of time because it’s important. A name carries meaning, and often creates our first impression of a person, place, or company. When a market segment is defined as “Identity & Access Management” or IAM, it’s no surprise that a technology professional might […]

The Internet of Thingbots

Internet

If you follow technology news, then it’s almost impossible to avoid some mention of “the Internet of Things” or IoT, for short. With the proliferation of smart home devices ranging from lighting to garage door openers to thermostats to cameras and the use of other smart devices in enterprises, the challenges and growth in IoT […]

Black Hat USA 2017: Bigger and Better (?)

The 20th edition of Black Hat USA (BHUSA) did not disappoint, if your expectations were the largest exhibit floor, the most lasers, and the biggest attendance ever. Black Hat USA has become one of the most anticipated infosec conferences of the year, and anchors a week that has become affectionately known as Infosec Summer Camp, […]

What’s New In The OWASP Top 10 And How TO Use It

As a student of web application security over the last decade, a constant touchstone has been all of the educational tools and projects available from the Open Web Application Security Project (OWASP). OWASP does a phenomenal job of publishing tools, promoting and funding projects, and fostering a community of students and professionals passionate about application […]

Securing A Spot In The InfoSec World

A lot has been written about the explosion in information or cyber security jobs now and in the coming years. For the infosec analyst role alone, he Bureau of Labor Statistics predicts 18% growth through 2024, much higher than average. The median pay in 2016 was also near six figures. Thanks to high profile DDoS […]

Balancing Simplicity in Security

Complexity is the enemy of security. I first heard this truism from an interview with Bruce Schneier way back in 2001. In the years since, infrastructures have only grown more complex. Virtualization in its many forms is a chief contributor to complexity. Containers within hypervisors within clouds within data centers. As we’ve seen the barriers […]

Keep The Security Light On Without Burning Out

At BC Aware Day in Vancouver this past February, I was lucky enough to attend Jack Daniel’s InfoSec Survival Skills talk. Check out the recording or find Jack at a local security conference near you. Jack’s talk focuses a lot on the stresses and triggers we deal with as security practitioners and the coping mechanisms […]

To The Cloud, But Securely

By now, you’ve seen some breakdown of SaaS vs. PaaS vs IaaS, with respect to security. You’ve also probably seen the most common piece of security advice, which is “patch your (stuff)”. For Software-aaS, the service provider handles patching and system maintenance. Your security concerns are going to be negotiated in all sorts of legal […]