You all know by now that the BSIMM is a descriptive model and not a prescriptive one. We’re happy to give prescriptive advice about software security based on our experience as well. It’s what we do for a living. In fact, every prescriptive model (think the Touchpoints) needs to be measured with a measuring stick like the BSIMM.
As we’re prone to say, “much ink has been spilt over the release of password digests” from LinkedIn and others. I’m, as is typical, profoundly disappointed in the amount of misinformation I’ve heard in security folks’ commentary on the problem and the underlying workings of digests, HMACs, and so forth. This blog entry represents a roll-up of a great discussion we had internally on our Software Security Group mailing list.
A Few Caveats
Posted in Software Architecture and Design | Comments Off on Securing password digests -or- How to protect lonely unemployed radio listeners
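The post above is about securing password digests, and the index cuts it off before it gets to specifics. As an added example (not code from the original post, and not Cigital's), here is the difference that matters in practice, in Python: an unsalted digest of the kind that leaked from LinkedIn lets an attacker hash each guess once and check it against every leaked value, whereas a per-user random salt plus an iterated KDF forces the work to be redone per user. The wordlist and "leaked" digests are constructed for the demonstration; the PBKDF2 parameters (600,000 iterations of HMAC-SHA-256, 16-byte salt) and the `pbkdf2_sha256$iters$salt$dk` record layout are assumptions made here.

```python
"""Unsalted digests vs salted, iterated digests (added example)."""
import hashlib
import hmac
import secrets

# Constructed wordlist for the demonstration; not from any real breach.
WORDLIST = ["password", "123456", "letmein", "qwerty", "radio1"]


def unsalted_sha1(password: str) -> str:
    """One bare SHA-1 per password, no salt: the LinkedIn-style digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_digests, wordlist=WORDLIST):
    """Hash each guess once and look it up against every leaked digest.

    This is the attacker's advantage with unsalted digests: the cost scales
    with the wordlist, not with the number of users in the dump."""
    wanted = set(leaked_digests)
    recovered = {}
    for guess in wordlist:
        d = unsalted_sha1(guess)
        if d in wanted:
            recovered[d] = guess
    return recovered


# Assumed parameters: 600,000 PBKDF2-HMAC-SHA256 iterations and a 16-byte
# random salt generated per password.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record: algorithm, iteration count, salt, digest."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count."""
    alg, iterations, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a timing side channel does not leak how
    # many leading bytes of the stored digest matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def records_differ(password: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Same password stored twice yields two different digests because the
    salts differ, so one guess->digest table cannot be reused across users."""
    a, b = make_record(password, iterations), make_record(password, iterations)
    return a.split("$")[3] != b.split("$")[3]


if __name__ == "__main__":
    leaked = [unsalted_sha1("letmein"), unsalted_sha1("not-in-the-wordlist")]
    print(crack_unsalted(leaked))          # recovers 'letmein' only
    rec = make_record("letmein")
    print(verify("letmein", rec), verify("letmeout", rec))
    print(records_differ("letmein"))
```

The iteration count is stored in the record so it can be raised later without invalidating existing users: on a successful login, re-hash with the current parameters and overwrite the record.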
We have always done architecture work. In the past, clients replaced their legacy systems with ‘new-fangled’ JavaEE. As they explored platform features, an ecosystem of web frameworks, and related commercial products (Netegrity’s SiteMinder), they realized they needed help and looked to us for:
Posted in Software Architecture and Design | Comments Off on Caching security architecture knowledge with design patterns