Many organizations outsource mobile application development, so it is extremely important that security be an enumerated requirement in the contract (SLA, MSA, etc.) with the vendor.
Specifically, organizations should supply explicit security requirements (logging, access controls, cryptography, IAM / IdM), perform threat modeling during design, run static and dynamic analysis testing, and execute misuse cases during testing, all jointly with the vendor.
Malware is becoming more and more prevalent, especially on mobile devices. So, organizations beware.
Tuesday, February 2, 2016
Monday, February 1, 2016
Build vs Buy Decisions w IT Security
At the risk of oversimplifying, this post will discuss the potential for building versus buying security solutions.
Some vendors who shall remain anonymous come in awfully high for security solutions. Due to this, some smaller shops will want to build their own SIEM, GRC, or WAF solutions. With that said, SMBs must realize that home-built tools require ongoing care (patching, rule and signature updates, tuning, and monitoring) to remain effective and secure.
Note that an organization may be able to report compliance with PCI DSS and similar standards while still being unable to stay secure.
Friday, January 29, 2016
SOAP/WCF...just die already!
To paraphrase Walter White's son in the TV show Breaking Bad, "just die" SOAP & WCF.
While RESTful and JSON APIs are not a silver bullet, they are certainly better than SOAP & WCF.
I am sure that AJAX and XML will live on, but SOA needs to pass the torch.
Thursday, January 28, 2016
WAF/MDM/2FA/CAPTCHA/DLP/SSL/... Bypass
It is extremely important to test the effectiveness of your compensating controls, not just their presence.
Many organizations have rested on their laurels after implementing one of the tools in the title, only to experience a data breach.
A cynic might say that this is the difference between compliance and information security.
Wednesday, January 27, 2016
More Than SIEM (VSOC, SOC) - Threat Intelligence
Today it is no longer enough for an organization to simply collect data in a SIEM (on-premises, cloud/VSOC, or SOC).
This data must be analyzed and correlated with national, industry, and association-based threat intelligence to determine attack vectors and action items.
In other words, it is essential for us to move beyond security compliance to stop subsequent data breaches.
Tuesday, January 26, 2016
DDoS Prevention: Build vs Buy
In light of the recent DDoS attacks against the Irish government, it is prudent that organizations take steps to prevent DDoS attacks.
Such attacks may target either layer 7 (the application, e.g. HTTP request floods) or layer 4 (the transport layer, e.g. SYN floods) of an organization's technology stack, and therefore solutions should be put in place to cover both attack vectors.
Many organizations leverage cloud-based solutions, such as: Imperva Incapsula, Cisco OpenDNS, or F5 Silverline. However, an organization can leverage more cost effective solutions as well, like: ModSecurity (with a commercial license from SpiderLabs for layer 7 protections) and iptables (for layer 4 protections).
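As an added example (not from the original post), the layer-4 half of the "build" option above: a small shell script that generates an iptables ruleset for a web port using the stock connlimit, hashlimit and conntrack match extensions. Ports and thresholds are assumptions to tune per environment, and the generated rules are printed for review rather than applied unless you pass --apply as root. The layer-7 half (ModSecurity) is not shown here.

```shell
#!/bin/sh
# Added example, not code from the original post. Layer-4 flood protection
# for a TCP service using standard iptables match extensions.
# All thresholds below are assumptions; tune them for your traffic profile.
#
# Rules are emitted as text so they can be reviewed, diffed and kept in
# version control; they are only executed when invoked with --apply (as root).

# l4_rules PORT [PER_IP_CONNS] [SYN_RATE] [SYN_BURST]
# Prints iptables commands that, for the given port:
#   1. drop packets that do not belong to a valid TCP conversation (INVALID),
#   2. cap concurrent connections per source IP (connlimit),
#   3. rate-limit new SYNs per source IP (hashlimit), allowing a short burst.
l4_rules() {
    port=$1
    per_ip=${2:-50}
    syn_rate=${3:-30/second}
    syn_burst=${4:-60}

    cat <<EOF
iptables -N DDOS_$port
iptables -A INPUT -p tcp --dport $port -j DDOS_$port
iptables -A DDOS_$port -m conntrack --ctstate INVALID -j DROP
iptables -A DDOS_$port -p tcp --syn -m connlimit --connlimit-above $per_ip --connlimit-mask 32 -j DROP
iptables -A DDOS_$port -p tcp --syn -m hashlimit --hashlimit-name syn_$port --hashlimit-mode srcip --hashlimit-above $syn_rate --hashlimit-burst $syn_burst -j DROP
iptables -A DDOS_$port -j RETURN
EOF
}

# count_rules PORT ...: number of iptables commands generated (sanity check).
count_rules() {
    l4_rules "$@" | wc -l | tr -d ' '
}

# Usage:
#   sh l4_rules.sh 80                 # print rules for port 80 (review)
#   sh l4_rules.sh --apply 80 50      # apply rules for port 80 (needs root)
if [ "${1:-}" = "--apply" ]; then
    shift
    l4_rules "$@" | sh -e
elif [ -n "${1:-}" ]; then
    l4_rules "$@"
fi
```

Note that hashlimit tracks per-source state in kernel memory, so a widely distributed flood is better absorbed upstream (the cloud services named above); these rules mainly blunt single-source and small-botnet floods and keep the connection table from filling.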
Thursday, September 24, 2015
Apple iOS Malware
As detailed at http://appleinsider.com/articles/15/09/24/apple-lists-top-25-apps-affected-by-xcodeghost-malware-infiltration, a group of iOS apps were published to the App Store containing malware.
The concern here is whether this is causation or merely correlation, as many of these apps were built for the Chinese market.
Did the malware exploit a more forgiving vetting process from Apple due to complexities with encoding for Mandarin and / or Cantonese? Or, is it a more general issue regarding the vetting of apps for the Asian market?
Regardless, Apple products are no longer under the radar for security concerns, and we should act appropriately.