Author: Brian A. McHenry

Perfect Forward Secrecy. The term sounds like something out of the latest Bond film. When I first checked how to configure PFS ciphers several years ago, I couldn’t find much documentation because I didn’t realize that that PFS described a class of ciphers, which included Diffie Hellman Ephemeral (DHE) and Elliptic Curve DHE (ECDHE). Further complicating matters was that some implementations made reference to ECDH, EDH, and DHE. But I’m getting ahead of myself. First, let’s dissect the term itself and then what these ciphers are intended to achieve.  Ivan Ristic of Qualys SSL Labs balks at the notion of…

Today F5 Networks released its third annual State of Application Delivery report. Data comes from a customer survey of over 2,000 IT professionals across the networking, application, and security realms, and examines the vital role application services play in enabling enterprises to deploy applications faster, smarter, and safer. Survey responses came from around the globe, spanning industries like government, financial services, technology, and education as well as occupational roles from DevOps to the executive suite. Overall, the survey revealed how accelerated cloud adoption is increasing the demand for application services. The average enterprise is currently deploying 14 application services, up…

This column is now in its third year with Information Security Buzz. As a result, there are now two past “security predictions” entries for 2015 and 2016. For 2015, I predicted that HTTP/2 and TLS 1.3 would have a disrupting effect on the Internet. Perhaps because I missed the mark on Internet disruption, I was a little less bold in asserting that data center blind spots would continue to be a huge challenge for security teams when making 2016 predictions a year later. Fortunately, wait long enough, and some predictions can be vindicated. HTTP/2 finally started to see significant adoption…

Recently, I attended AppSecUSA, which was held in Washington, DC from October 11th through the 14th. I last attended AppSecUSA in 2013 in New York City, and was fortunate enough to participate in Web Application Defenders’ training led by Ryan Barnett. Each year, the talks and training improve dramatically for OWASP’s biggest meeting here in the United States. With that in mind, it was quite a surprise to have my CFP submission accepted for a 15-minute lightning talk. This article is less about AppSecUSA and more about my experience submitting to Calls for Papers at the myriad infosec cons that…

DevOps is now being met by the OpsDev movement, which some say is just NetOps with SDN thrown in. But what of our old friend, security? SecDevOps (or is it DevSecOps) just doesn’t roll off the tongue like any of the aforementioned movements in automation and infrastructure-as-code. The cynic in me feels like this digital transformation is once again trying to bolt security on after the fact, having learned nothing from 20 years shoehorning security into physical data centers. Dashboard visualizations and python scripts will no more save us than blinky lights in a rack, but integrating security policy and…

Growing up, I think every kid heard a parent or teacher or coach tell them to sit or stand up straight. At the time, it was never quite clear why good posture was so important at the dinner table, in the classroom, or on the field. However, as we grow up, the lesson is apparent: good posture helps us be more attentive, more respectful, and more able to react. Whenever I hear someone mention “security posture”, I always tend to think of sitting up just a little straighter. Unfortunately for information security organizations, assessing your security posture can be quite…

When it comes to encryption, there are usually two perspectives in any organization outside of IT or infosec. Those who are concerned with compliance/SSL Labs/green padlocks, and those who are mostly unaware of HTTPS encryption. Increasingly, consumers and businesses alike are choosing selecting services and partners based on HTTPS encryption. More importantly, tools like SSL Labs grading and more aggressive, detailed browser warnings and restrictions have made it very simple to determine whether a site or service employs strong encryption. We’re getting ahead of ourselves, though. The question we have to ask is: Why have browsers become more restrictive? Why…

One of the biggest challenges in information security is adapting to change. While you might say this is true in any profession, allow me to explain why it is particularly true in infosec. Security must be adaptable both on a macro level, as with changes to compliance standards like PCI. However, security must also be adaptable on a micro level, as with an individual  web application or desktop operating system. Since so many information security controls implemented as infrastructure (firewalls, intrusion prevention systems, log servers, antivirus and anti malware detection, etc.), adaptability becomes harder as the systems needed for thorough…

For most of us, when we think “encryption,” we do not immediately think “high performance” or “easy.” However, advances in TLS (the successor to obsolete SSL) and other protocols as well as cipher implementations have greatly reduced the workloads associated with encryption—all while commodity processing power and capabilities continue to increase, despite apparent slow-downs in Moore’s Law. The only reason we still associate TLS encryption with high overhead and complexity is that we’ve mostly been concerned with maintaining high grades on SSL Labs.com for strong and effective encryption. In speaking to many information security practitioners, SSL Labs grades and green…

Over the past two years, everyone has become much more acutely aware of not only encrypting all HTTP traffic, but also how that traffic is encrypted. Thanks to great tools like SSL Labs and more transparent alerting within browsers, end users and business partners have joined security practitioners in this awareness. As a result, effort is being spent to improve the configuration of SSL (or more precisely, TLS) termination points in the infrastructure. One of the biggest trends is the move to Elliptic Curve Cryptography or ECC ciphers. Without further ado, here are the top 10 things to know when…