Archive for the ‘Application Security’ category

Advanced Persistent Threat (APT): Real or just hype?

January 11, 2011

Put four CSOs together and sooner or later they’ll start talking about Advanced Persistent Threat (APT). Now imagine the conversation with 20 CSOs together. I recently hosted a session at a security event at Microsoft and the two dozen security executives started discussing APT. Each of them had a different description of APTs and opinions [...]

Shrinking Budgets: Application Security Tools vs Process Tradeoff

May 10, 2010

An all too familiar scene repeated itself two weeks ago. My good friend & CISO of a mid-sized technology company, let’s call him Alok, went into a budget planning meeting and came out as a shadow of his former self. To be more precise, an 85% version of the Alok that I know. He had just been handed a 15% reduction in budget.

Note to Fannie Mae: Dealing with Logic Bombs

January 31, 2009

Today, it was revealed that a departing contractor left Fannie Mae with a parting gift – a Logic Bomb designed to take out 4000 of the financial giant’s servers & their data. Since this news broke, a number of concerned CIOs have asked my team for some guidance on how to deal with logic bombs. So [...]

The InfoSec X Prize: Fundamental Change Through Competition

January 22, 2009

Today I had a thought-provoking conversation with Dr. Peter Diamandis, Chairman and CEO of Zero Gravity Corporation & X Prize Foundation, on radical & fundamental change. Change that advances the status quo rather than relying on incremental change for gradual advance. Arguably the Ansari X Prize (and others in the hopper) have achieved some [...]

Application Security Development Lifecycle 5A: Is Threat Modeling Right For You?

June 14, 2008

Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. Some of them have also reached the conclusion that proactive approaches, like threat modeling, have more ROI than reactive approaches. As a result, some enterprises with nascent appsec programs have turned to threat modeling as a panacea [...]

Application Security Development Lifecycle 4: Finding the right security talent

June 1, 2008

After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, “Great!! Now where do I find another 20 people like these?” (pointing to my team)… I thought about it a while and so Mr. B, here is your answer: Information security [...]

How Microsoft IT does Secure Application Development: Webcast

May 26, 2008

I will be discussing Microsoft IT’s approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday May 29th. This webcast will be part of Microsoft’s IT Manager Webcast series. This series aims to share deep knowledge focused on Enterprise IT [...]

Increase the TCO, kill the project: An ad-hoc analogy

May 13, 2008

The other day I was subject to the assertion that the only asset an IT security organization should care about is data. Now being in the application security business, I should have been jumping at this validation but couldn’t. The IT security org needs to understand what threats the business faces from its technology systems. [...]

Application Security Development Lifecycle 3: Funding Models

May 8, 2008

Now that you’ve decided (or battled) to set up an application security program you realize that it actually needs to get funded. You must master the art of delicately drinking from the fire hydrant of line of business applications. In my experience helping organizations set up their application security programs, funding was [...]

Front Range web application security summit in Denver

May 5, 2008

I will be speaking at the Front Range OWASP Conference (FROCo08) in Denver on June 10th. The focus of the conference is to share the experiences that the speakers had around solving technical and management issues surrounding application security. I’ll be sharing the podium with luminaries like Ed Bellis, Jeremiah Grossman, Melissa Tondi, Laz, [...]
