Archives for April, 2012
by Ramon Krikken | April 27, 2012 | Comments Off
It must be Friday, because it’s definitely FUD-filled! Hide your valuables, because the VMware ESX code leak is sure to cause IT systems to go dark around the world (and thus your alarm company’s systems too, I’m sure). OK, so enough with the hyperbole. Let’s be fair: it’s certainly possible that source code availability will [...]
Category: Cloud Security Tags: cots, hypervisor, KVM, many eyes principle, open source software, oss, security, VMware, WMware ESX, XEN
by Ramon Krikken | April 25, 2012 | Comments Off
Security at the application layer is getting ever more attention due to the large number of vulnerabilities that keep popping up in off-the-shelf and home-built software (although, in my opinion, it is still not getting enough attention). Aside from expanding security activities in the SDLC, we’re seeing calls for – amongst other things – application monitoring. But [...]
Category: Applications Security Tags: application security, Database Security, middleware security
by Ramon Krikken | April 23, 2012 | Comments Off
I’m hoping you can all make it out to San Diego at the end of August this year. We’re planning to have another great Catalyst conference, featuring not only our Gartner for Technical Professionals analysts and content, but also a good number of awesome external speakers, too! Different from previous years, though, we won’t have [...]
Category: Uncategorized Tags: big data, cat12, catalyst, cloud, mobility, nexus, security, social media
by Ramon Krikken | April 19, 2012 | Comments Off
We’re always working on updating our software security / application security coverage, and the time has come to spend a few months on gathering new information for the application security program guidance document. To make it more than “here’s another general maturity model – do everything it says,” I’m looking for what makes and breaks [...]
Category: Security Tags: application security, developer training, security, security summit, security training, software security
by Ramon Krikken | April 17, 2012 | 2 Comments
In my last post, commenter Randall Gamby notes that “of course [tokenization is encryption].” I wholeheartedly agree. But unfortunately the current PCI guidance does not, and cannot support this notion (and, because of this, people who build and/or implement tokenization cannot do so either without creating a tokenization catch-22). When we look at the [...]
Category: Uncategorized Tags: code book, cryptography, encryption, insanity, PCI, PCI-DSS, politics, tokenization
by Ramon Krikken | April 11, 2012 | 2 Comments
It’s been a while since I blogged about tokenization. My last post on the subject drew some interesting comments – and conflicting comments at that: one commenter argued equating tokenization and encryption is bad for tokenization because tokenization is more secure per se. Another, however, commented that it’s in fact bad for encryption because encryption [...]
Category: Security Tags: code book, cryptography, encryption, PCI, PCI-DSS, tokenization
by Ramon Krikken | April 3, 2012 | 2 Comments
In an NY Times Op-Ed “How China Steals Our Secrets,” Richard Clarke notes: “Under Customs authority, the Department of Homeland Security could inspect what enters and exits the United States in cyberspace. Customs already looks online for child pornography crossing our virtual borders. And under the Intelligence Act, the president could issue a finding that [...]
Category: Security Tags: 4th amendment, border enforcement, intellectual property, privacy