My Security Planet » Justice League » December 2010

Feeds

13614 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

• Opensourcetesting.org News

Justice League

• 

  A Cloud Security Discussion without FUD

  Posted: December 19th, 2010, 10:30pm CST by scott

  Tags:  Cloud Computing   [edit]

  I was happy to read a very measured viewpoint about Cloud Security in the first couple of articles of Nov/Dec issue of IEEE Security and Privacy. The introduction sets a very constructive tone. I really appreciate the measured tone because I’ve been dealing with a lot of “knee jerk reactions” within our client-base around Cloud Security. Some of the concern is FUD and some of it is real, but there’s no dark magic. The solutions are just engineering and a bunch more “lawyering.”

  The “Cloud Computing Roundtable” hits this “lawyering” topic pretty well. As long as you read the discussion with the “these guys mostly represent the perspective of service providers,” you’ll get good understanding of the macro issues involved: lack of technological sophistication of regulations, cross-border/jurisdiction regulation, and standards are still evolving to catch up. These are my macro takeaways. One perspective that I have had and was glad to have “confirmed” was Eric Grosse’s comment on the insider threat, “We [Google] have zero tolerance for the insiders abusing that trust…”. I’ve felt that for a XaaS vendor, they have a lot riding on protecting against the insider threat in their data centers.

  Mom wanted me to be a lawyer, but I became an engineer, so I’m more interested in some of the more technical aspects that we not talked about. These interests have been keeping me too busy to write about them. But here are some of the perspectives that are a bit more technical in nature. Each probably deserves a longer discussion. I guess that should be my first 2011 resolution.

  1. Cloud Security is more than worrying about your XaaS platform. See points 2 and 4. Many times Cloud = AWS and it’s the mere mention of AWS that sends chills up and down peoples’ spines.
  2. Application architectures are using Cloud as a component in an overall solution.
     1. The security problems from other parts of the application are often just as bad (if not worse) the ones in the Cloud components.
     2. The potential problems of “finger pointing” between the multiple organizations scares me more than the technical vulnerabilities.
  3. The application architectures are starting to be Cloud+Mobile and not Cloud and/or Mobile.
  4. The integration of “Security from Cloud” (SaaS security services) creates new security challenges – they are not “plug and play” for their traditional counterparts in all cases. One example is that cloud-based intermediaries necessitate the need to implement WS-SecureConversation rather than just WS-Security alone.
• 

  Howard Schmidt Keeps his eye on the Ball

  Posted: December 15th, 2010, 9:40pm CST by gem

  Tags:  Cyber Security   [edit]

  I was recently invited by our Corporate Counsel to attend a local Virginia networking event hosted by the Northern Virginia Technology Council. Howard Schmidt was the speaker. I’ve run into Howard a few more times than I expected to this year, and each time it is interesting to see what he has to say.

  Howard started his career as a policeman, and his approach to cyber security is informed by that experience. Don’t get me wrong, I think that’s an OK thing. I would much rather see a law enforcement angle focused on cybercrime than a warrior angle focused on the chimera of cyberwar. Of course, given my druthers, I would choose an architect (especially a software architect) over a law enforcement person to be in charge of cyber security. One of these years…

  Howard’s talk was fine. Nothing earth shattering and no major revelations unless you’re a government employee about to be bound by HSPD 12. Howard emphasizes deterrence (especially using economics and harsh punishments to deter cyber crime), accountability (focused mostly on criminality and sentencing), resilience (where his story needs some more work and could do with a good dose of technology), and privacy. I would like to see more emphasis on building security in in the first place, but the government still has some basic blocking and tackling to do.

  I wish I had a nickel for every time the political types say “public private partnership.” That dog failed to hunt long ago. Time for a new dog. Even making a joke out of it invokes groans. No more political pandering with public private partnerships please.

  I still believe that the government is WAY behind when it comes to cyber security. I also think that the Obama administration has made important progress since the days of the at-first-classified CNCI. They may have caught up to 1996! Only 14 years to go.

  Take home message from me: not one mention of cyber war the entire time, only a little about cyber espionage and IP, and plenty of focus on cyber crime. At least our executive branch is sane!

  Thanks for dragging me out of the sticks, Tom.

TOP RSS Gregarius 0.5.4 Tentatively valid XHTML1.0, CSS2.0 Last update: Wed May 23 08:13:48 2012