George Hulme

Q&A: Database Security Expert David Litchfield

With all of the talk around the importance of web and application security, why is there so little focus on the corporate databases, which store the most valuable data? Last week, at the annual Computer Enterprise and Investigations Conference, Threatpost had the opportunity to sit down with noted security and database expert David Litchfield to find out. During his career, Litchfield has uncovered hundreds of vulnerabilities in software from IBM, Microsoft, and Oracle. He’s perhaps best known for his database security research.

Making an Application Security Program Succeed, Part Two

“Failure is only the opportunity to begin again, only this time more wisely,” is a quote attributed to legendary automaker Henry Ford. While it seemingly has nothing to do with secure application development, all you need to do is talk to a handful of enterprises who have tried to implement a secure development lifecycle – and you’ll certainly see how it applies.

Making An Application Security Program Succeed

After winning the attention, and hopefully the backing of executives, as we covered in The Challenge of Starting an Application Security Program,  it becomes much more straightforward to win the funding needed for the right tools, services, and training needed for secure application development.

SAN FRANCISCO–There’s the old joke about two hunters running from a lion, and the one runner says to the other: we can’t outrun the lion. And his buddy replied, “I don’t have to outrun the lion, I only have to outrun you.” Many, over the years, have applied the same logic to application security: If their software is ‘secure enough’ attackers will move on to easier targets.

SAN FRANCISCO–If you are in business long enough, you’re going to get hacked and you’re going to have to call the cops. Maybe you’ll need their help finding the perpetrators of a crime in which your business was victimized. Maybe employees will have conducted a crime involving IT, or maybe you’ll simply be asked to help investigate a crime conducted against someone else. The fact is: your business will engage with law enforcement at some point, and you better be prepared. Sadly, few businesses today are. 

You’ve been robbed. Maybe you don’t know to what extent. Perhaps the crook simply took the opportunity to snag a notebook sitting in the back of a car and doesn’t care about the data. Perchance it was a planned burglary and now a competitor or political activist group has gigabytes of potentially embarrassing emails from one of your top executives. Maybe attackers grabbed sensitive medical files, and are now extorting you: pay-up or the files are released publicly.