Perfect Forward Secrecy

Perfect Forward Secrecy. The term sounds like something out of the latest Bond film. When I first checked how to configure PFS ciphers several years ago, I couldn’t find much documentation because I didn’t realize that that PFS described a class of ciphers, which included Diffie Hellman Ephemeral (DHE) and Elliptic Curve DHE (ECDHE). Further […]

F5 Releases 2017 State Of Application Delivery Report

Today F5 Networks released its third annual State of Application Delivery report. Data comes from a customer survey of over 2,000 IT professionals across the networking, application, and security realms, and examines the vital role application services play in enabling enterprises to deploy applications faster, smarter, and safer. Survey responses came from around the globe, […]

High Speed Internet Security And Safety

This column is now in its third year with Information Security Buzz. As a result, there are now two past “security predictions” entries for 2015 and 2016. For 2015, I predicted that HTTP/2 and TLS 1.3 would have a disrupting effect on the Internet. Perhaps because I missed the mark on Internet disruption, I was […]

Breaking Through At AppSecUSA 2016

Recently, I attended AppSecUSA, which was held in Washington, DC from October 11th through the 14th. I last attended AppSecUSA in 2013 in New York City, and was fortunate enough to participate in Web Application Defenders’ training led by Ryan Barnett. Each year, the talks and training improve dramatically for OWASP’s biggest meeting here in […]

Injecting Security Into DevOps

DevOps is now being met by the OpsDev movement, which some say is just NetOps with SDN thrown in. But what of our old friend, security? SecDevOps (or is it DevSecOps) just doesn’t roll off the tongue like any of the aforementioned movements in automation and infrastructure-as-code. The cynic in me feels like this digital […]

Deciphering Security Assessment Jargon

Growing up, I think every kid heard a parent or teacher or coach tell them to sit or stand up straight. At the time, it was never quite clear why good posture was so important at the dinner table, in the classroom, or on the field. However, as we grow up, the lesson is apparent: […]

What Business Needs To Know About Ciphers

When it comes to encryption, there are usually two perspectives in any organization outside of IT or infosec. Those who are concerned with compliance/SSL Labs/green padlocks, and those who are mostly unaware of HTTPS encryption. Increasingly, consumers and businesses alike are choosing selecting services and partners based on HTTPS encryption. More importantly, tools like SSL […]

Security Service Chaining 101

One of the biggest challenges in information security is adapting to change. While you might say this is true in any profession, allow me to explain why it is particularly true in infosec. Security must be adaptable both on a macro level, as with changes to compliance standards like PCI. However, security must also be […]

Should SSL Slow You Down?

For most of us, when we think “encryption,” we do not immediately think “high performance” or “easy.” However, advances in TLS (the successor to obsolete SSL) and other protocols as well as cipher implementations have greatly reduced the workloads associated with encryption—all while commodity processing power and capabilities continue to increase, despite apparent slow-downs in […]

Encryption Curveballs: Top 10 Things to Know Before Enabling ECC Ciphers

Over the past two years, everyone has become much more acutely aware of not only encrypting all HTTP traffic, but also how that traffic is encrypted. Thanks to great tools like SSL Labs and more transparent alerting within browsers, end users and business partners have joined security practitioners in this awareness. As a result, effort […]