There is a new security magic solution! It’s called Extended Validation SSL certificates.
For me, this is extremely dumb. First, do you really know what kind of security an SSL certificate can provide?
SSL certificates can’t provide security by themselves. The certificate’s role during an SSL session is to provide a way to ensure the identity [...]
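To make the point above concrete, here is an added Go example (not code from the original post): it spins up a TLS server on loopback with a self-signed certificate for one host name and dials it three ways. With verification disabled the handshake completes and the traffic is encrypted even though the client expected a different host, which shows that encryption alone is not what the certificate buys you; only verifying the certificate against the expected name turns the session into an authenticated one. The host names shop.example and bank.example and the self-signed certificate are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// selfSignedCert builds an in-memory certificate bound to dnsName, plus a pool
// that trusts exactly that certificate. Constructed for this example; a real
// server would present a CA-issued certificate.
func selfSignedCert(dnsName string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // the identity the certificate asserts
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake serves cert on a loopback listener and dials it with clientCfg.
// It returns nil only if both sides completed the TLS handshake.
func handshake(cert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		ln.Close() // unblock Accept in case the client never connected
		<-srvErr
		return err // client rejected the server's identity (or other failure)
	}
	conn.Close()
	return <-srvErr
}

// Result holds the outcome of the three client behaviours.
type Result struct {
	Insecure      error // verification skipped: encrypted, but the peer is anybody
	VerifiedMatch error // verified against the name the client expected
	VerifiedWrong error // client expected another name: must fail
}

// RunScenarios runs all three handshakes against a certificate for shop.example.
func RunScenarios() (Result, error) {
	cert, pool, err := selfSignedCert("shop.example")
	if err != nil {
		return Result{}, err
	}
	var r Result
	r.Insecure = handshake(cert, &tls.Config{InsecureSkipVerify: true, ServerName: "bank.example"})
	r.VerifiedMatch = handshake(cert, &tls.Config{RootCAs: pool, ServerName: "shop.example"})
	r.VerifiedWrong = handshake(cert, &tls.Config{RootCAs: pool, ServerName: "bank.example"})
	return r, nil
}

// IsIdentityError reports whether err is the verifier's hostname mismatch.
func IsIdentityError(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("skip verification, expected bank.example: %v\n", r.Insecure)
	fmt.Printf("verify, expected shop.example:           %v\n", r.VerifiedMatch)
	fmt.Printf("verify, expected bank.example:           %v\n", r.VerifiedWrong)
}
```

The first line of output reads as a success even though the client believed it was talking to bank.example: the channel is encrypted, but to nobody in particular. Only the third scenario, where verification against the expected name fails, shows the certificate doing the one job it actually has.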
Reading this, it is almost clear that PCI is really the standard of the moment. However, I’m still impressed by how security professionals and vendors dealing with it seem to be missing the point about what is really important and needs to be done first.
One of the main security concepts is risk management. As you can’t [...]
A post from Anton Chuvakin, commenting on a post from another blog, is one of those to hang on the wall.
The post he talks about has a point when it says that there are lots of people trying to follow best practices and standards instead of doing real security. I think it’s partially right. If the [...]
Some time ago Symantec bought a company called Whole Security, which had a very interesting malware detection product that wasn’t signature based (it was behaviour based). It happened so long ago that I thought Symantec was simply going to kill the product. But now there is news that they are putting WS technology in [...]
After reading the first part of The Pragmatic CSO I’m convinced that Mike Rothman is just like Scott Adams: THEY ARE WATCHING US!!!
Last week’s Daily Dilbert strips show this power of Mr. Adams here and here.
Two parts from P-CSO caught my eye today. The first was one of those “addicted CSO” dialogues that Mike built [...]
I’ve just read in Network World that MS is developing a new VPN protocol that works over HTTP, to avoid the known problems of making tunnels work through networks with NAT, firewalls and proxies in place.
I don’t question the need for this when talking about the tunnel functionality. SSL VPNs grew so much [...]
My job to comment on security things is much easier now that I’m reading Mike Rothman’s news. From today’s posting:
“There is no compliance ‘solution’. Maybe I’m just grumpy, but the anonymous CJ Kelly is annoying me. Yesterday it was her jumping on the printing security risk bandwagon and today it’s making some silly statements about compliance. [...]”
Bruce Schneier mentioned in his blog this post on Slashdot about security theater. I’ve seen some discussions about it, mainly over the point of removing people from physical security checkpoints. But what really caught my eye was the comment about different audit procedures for code related to new releases and patches.
Has anyone conducted [...]
Sometimes we are so excited about an idea that we forget to check whether someone has had the same one first. Well, I was thinking about dusting off my programming books to build something, but I decided to check Google first.
Here is exactly what I thought of: tools to help with classifying [...]
We can see a very good example of Defense in Depth being used at Microsoft by reading this note from Michael Howard.
They are not only training developers to produce better code, they are also using tools to keep the residual mistakes from becoming vulnerabilities. Smart.