Application security is difficult. Much of network security can be addressed by segmentation, best practice default-deny firewall polices, and well-placed sensors. That’s an over-simplification of n...

Picking a name for anything can be hard, but we take a lot of time because it’s important. A name carries meaning, and often creates our first impression of a person, place, or company. When a marke...

If you follow technology news, then it’s almost impossible to avoid some mention of “the Internet of Things” or IoT, for short. With the proliferation of smart home devices ranging from lighting...

The 20th edition of Black Hat USA (BHUSA) did not disappoint, if your expectations were the largest exhibit floor, the most lasers, and the biggest attendance ever. Black Hat USA has become one of the...

As a student of web application security over the last decade, a constant touchstone has been all of the educational tools and projects available from the Open Web Application Security Project (OWASP)...

A lot has been written about the explosion in information or cyber security jobs now and in the coming years. For the infosec analyst role alone, he Bureau of Labor Statistics predicts 18% growth thro...

Complexity is the enemy of security. I first heard this truism from an interview with Bruce Schneier way back in 2001. In the years since, infrastructures have only grown more complex. Virtualization...

As part of our expert panel question series, we have the following question for the month of April 2017 to our expert panel members. Companies can build an excellent security system, but until their...

At BC Aware Day in Vancouver this past February, I was lucky enough to attend Jack Daniel’s InfoSec Survival Skills talk. Check out the recording or find Jack at a local security conference near you...

By now, you’ve seen some breakdown of SaaS vs. PaaS vs IaaS, with respect to security. You’ve also probably seen the most common piece of security advice, which is “patch your (stuff)”. For So...

Perfect Forward Secrecy. The term sounds like something out of the latest Bond film. When I first checked how to configure PFS ciphers several years ago, I couldn’t find much documentation because I...

Today F5 Networks released its third annual State of Application Delivery report. Data comes from a customer survey of over 2,000 IT professionals across the networking, application, and security real...

This column is now in its third year with Information Security Buzz. As a result, there are now two past “security predictions” entries for 2015 and 2016. For 2015, I predicted that HTTP/2 and TLS...

Recently, I attended AppSecUSA, which was held in Washington, DC from October 11th through the 14th. I last attended AppSecUSA in 2013 in New York City, and was fortunate enough to participate in Web...

DevOps is now being met by the OpsDev movement, which some say is just NetOps with SDN thrown in. But what of our old friend, security? SecDevOps (or is it DevSecOps) just doesn’t roll off the tongu...

Growing up, I think every kid heard a parent or teacher or coach tell them to sit or stand up straight. At the time, it was never quite clear why good posture was so important at the dinner table, in...

When it comes to encryption, there are usually two perspectives in any organization outside of IT or infosec. Those who are concerned with compliance/SSL Labs/green padlocks, and those who are mostly...

One of the biggest challenges in information security is adapting to change. While you might say this is true in any profession, allow me to explain why it is particularly true in infosec. Security mu...

For most of us, when we think “encryption,” we do not immediately think “high performance” or “easy.” However, advances in TLS (the successor to obsolete SSL) and other protocols as well a...

Over the past two years, everyone has become much more acutely aware of not only encrypting all HTTP traffic, but also how that traffic is encrypted. Thanks to great tools like SSL Labs and more trans...

Denial of service attacks are so common now that “DoS attack” hardly needs explanation, even to the lay person. The phrase “DoS attack” instantly conjures images of banking sites that refuse t...

The exasperating attempt to bring seemingly uncontrollable and chaotic forces into step with one another is often referred to as “herding cats.” Examples range from chaperoning kindergarteners on...

Predictions for the coming new year always abound. While no one has a crystal ball, I have the benefit of talking to a lot of security teams. Last year around this time, I held forth that HTTP/2 and T...

The Domain Name System, or DNS, is arguably the most important system on the Internet. Without it, we’d all have to memorize IP addresses the way we once did the phone numbers of our friends and fam...

Threat modeling is vital to any security practice. For example, we can understand the OWASP top 10 vulnerabilities, but we can easily misspend our efforts and dollars defending against exploits of vul...

Smartphones are powerful devices, and a constant reminder that we are “living in the future.” We can take high-resolution photos, edit those photos, and upload them to the Internet in less time th...

Web application security is hard to implement and harder still to maintain. The application layer is also the top attack vector for data loss, via such well-known vulnerabilities as SQL injection. Nee...

Spending on cyber security solutions is exploding. Security startups like Crowd Strike are attracting investment funding to the tune of $100M, and enterprises are hiring security engineers as quickly...

While the debate rages on whether SSL everywhere is necessary and/or good for the Internet, the number of sites and services supporting SSL and TLS encryption continues to soar. The focus of the SSL E...

Attending conferences and trade shows is a luxury many of us cannot afford, both from the time and expense perspectives. Compounding that fact is that many of the larger events have devolved into long...

Many people in the information security field strongly suspected that government eavesdropping was pervasive. But Edward Snowden’s leaks about the NSA and programs such as PRISM have thoroughly conf...

Almost seven years ago, I sat in a steakhouse in Manhattan listening to Jeremiah Grossman of WhiteHat Security hold forth on the serious nature of web application security and how Web Application Fire...

In the onward rush to software-defined things in the cloud, it seems the concept of network function virtualization (NFV) is beginning to catch up with the more mature (and some might say commoditized...

F5 Networks released their 2015 State of Application Delivery report this week. When we think of application delivery and the associated appliance, the Application Delivery Controller (ADC), we instan...

It’s the time of year when everyone is making predictions and top 10 lists. Even top 10 lists of top 10 lists. Looking back at the past year, some might say that 2014 was the Year of Encryption, an...

Whether it’s an Internet data center hosting web applications serving up millions of pages per day or a corporate data center hosting hundreds, if not thousands, of internal applications, nothing is...

Web application security is hard. It will never be as simple as scanning for open ports and applying the correct source and destination IP address filters. I don’t mean to say that network security...

Usability is pervasive. Not just in high tech, but in daily tasks ranging from taking out the garbage to doing the dishes. Wheeled garbage cans and dishwashers provide big improvements in efficiency...

The amount of encrypted traffic on the Internet has grown at least twice as much in the past year[1], and this figure will continue to grow at even faster rates as new protocols such as SPDY and HTTP...