Software Integrity Blog

Archive for 2012


The 10 commandments for software security

You all know by now that the BSIMM is a descriptive model and not a prescriptive one. We’re happy to give prescriptive advice about software security based on our experience as well. It’s what we do for a living. In fact, every prescriptive model (think the Touchpoints) needs to be measured with a measuring stick like the BSIMM.


Posted in Maturity Model (BSIMM), Web Application Security


Securing password digests -or- How to protect lonely unemployed radio listeners

As we’re prone to say, “much ink has been spilt over the release of password digests” from LinkedIn and others. I’m, as is typical, profoundly disappointed in the amount of misinformation I’ve heard in security folks’ commentary on the problem and the underlying workings of digests, HMACs, and so forth. This blog entry represents a roll-up of a great discussion we had internally on our Software Security Group mailing list.


Posted in Software Architecture and Design


Caching security architecture knowledge with design patterns

We have always done architecture work. In the past, clients replaced their legacy systems with ‘new-fangled’ JavaEE, exploring platform features, an ecosystem of web frameworks, and related commercial products (Netegrity’s SiteMinder) as they went. Realizing they needed help, they looked to us for:


Posted in Software Architecture and Design