Nearly a decade ago Bruce Schneier wrote “Security is a process, not a product.” His statement helped us advance as a profession, but with the benefit of hindsight, we can see he’s only half right. Security isn’t about technology.
Many SMB IT administrators face a serious challenge when it comes to delivering serious security to their users. They may not have the budget or expertise they need and outsourcing can be expensive and troublesome if it’s not approached in the right way. As Mike Chapple writes on SearchMidmarketSecurity.com, asking a few key questions up front can be the difference between success and failure.
Software security expert Neil Daswani of Google discusses the key things that every Web developer, and developers in general, should know about security, including how SQL injection attacks work.
From DarkReading (Tim Wilson)
Despite recent headlines and instances of insider attacks, many companies still are not acting to protect themselves [darkreading.com] from insider threats, according to two new analyst reports.
Although 88 percent of the respondents to a Forrester Research study said they consider data security a “challenging issue,” some 40 percent of respondents said they had no interest in, no plans for, or no knowledge of emerging tools for information leak protection. Read the full story [darkreading.com]. See the related story from Matt Hines [eweek.com].
Dennis Fisher talks to Adam Shostack of Microsoft about the evolution of thinking around “The New School of Information Security,” his new group blog and what surprised him most when he went to work at Microsoft.
Dino Dai Zovi has gained a reputation as one of the top Apple security researchers in the industry and is the author of a new book on Apple security, “The Mac Hacker’s Handbook.” In this interview, he talks about the state of Apple security, why the company hasn’t implemented better memory protections and his ‘no more free bugs’ meme.
Dennis Fisher talks with Ori Eisen, founder of 41st Parameter, about the roots of online fraud, how the credit card companies and banks could have done better and whether we need to start from scratch with a new Internet.
The openness and universal connectivity that helped break down the barriers between corporate networks has also turned out to be a security liability. Jon Oltsik, an analyst at Enterprise Strategy Group, writes that there’s now a need for open standards in security [Cnet news.com] to help make collaboration and data-sharing more efficient and secure.
By Andrew Jaquith
Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches.
Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization. Read the full story [csoonline.com]
By Robert Lemos, SecurityFocus
A number of security-focused open-source projects have announced their participation as mentoring organizations in Google’s Summer of Code [google.com].
They include the Nmap Project, the OpenSSH project and the Honeynet Project.
Read the full article [securityfocus.com]