Archive for February, 2010

Cloud Security Alliance at OWASP NC Meeting
Last Updated on Saturday, 28 January 2012 07:00
Written by jj
Tuesday, February 9th, 2010

To my North Carolina readers, I wanted to share an upcoming event with you. OWASP NC is hosting Jim Tiller, who will share details about the Cloud Security Alliance. This is a great opportunity to get some great information locally. The CSA is led by an amazing group of people, several of whom I’m happy to say are friends and colleagues in the security industry.

Event Postponed: CSO Executive Seminar in DC
Last Updated on Wednesday, 10 February 2010 06:18
Written by jj
Monday, February 8th, 2010

Just a quick note to those of you planning to attend the CSO Executive Seminar in DC this Thursday. Due to the rather ominous forecast for an additional 10-20 inches of snow in the DC area, the CSO event is being postponed. As soon as I know the rescheduled date, I’ll pass it along!

# # #

The Rugged Software Manifesto: Walking the Walk
Last Updated on Friday, 5 February 2010 05:34
Written by jj
Friday, February 5th, 2010

I was excited recently when I learned a group of trustworthy, security-minded people had committed to a meme to promote the ideas and culture of secure coding. We hear talk daily among practitioners and victims alike, musing about secure applications, secure programming and building security into code from the foundation.

Here, my friends, is an opportunity to BUY IN to the program and WALK the WALK instead of just talking the talk. Ladies and gentlemen, I introduce to you The Rugged Software Manifesto.

What’s in a meme?
A rose called by any other meme… No, seriously. A meme is a postulated unit of cultural ideas, symbols or practices, which can be transmitted from one mind to another through speech, gestures, rituals or other imitable phenomena. (The etymology of the term relates to the Greek word μιμητισμός (pronounced /mɪmetɪsmos/) for “something imitated”.) … so says Wikipedia.

The Rugged Software Manifesto

  • I am rugged… and more importantly, my code is rugged.
  • I recognize that software has become a foundation of our modern world.
  • I recognize the awesome responsibility that comes with this foundational role.
  • I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
  • I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
  • I recognize these things – and I choose to be rugged.
  • I am rugged because I refuse to be a source of vulnerability or weakness.
  • I am rugged because I assure my code will support its mission.
  • I am rugged because my code can face these challenges and persist in spite of them.
  • I am rugged, not because it is easy, but because it is necessary… and I am up for the challenge.

Join

If you want Rugged Software, join us and help define the principles, and technologies that will help others become Rugged too. Our first project is to define how people and organizations can know if they are Rugged.

Learn more and join at http://www.ruggedsoftware.org/.
Follow on twitter http://twitter.com/ruggedsoftware.
OWASP Rugged page at http://www.owasp.org/index.php/Rugged.

# # #

Terrorizing Martin During My Interview by SFS Podcast
Last Updated on Friday, 5 February 2010 03:55
Written by jj
Friday, February 5th, 2010

If you’re up for a bit of audible Friday humour, check out the SFSP (Southern Fried Security Podcast) Episode 5, where I try to terrorize Martin with off-the-wall responses while he’s interviewing me. I definitely caught him off guard on a few early replies. While I was mildly successful in that piece, I was even more successful in dodging Andy’s harassment by confirming the scheduling on super short notice.

Martin caught me on a day when absolutely nothing was going as it should. I was at the office late, fighting with what seemed to be a firmware issue and what turned out to be a VM issue, after two days of wrestling with it.

All I have to say for myself is:
1. Who doesn’t like Asian women, really?
2. Newfirmware is only two words if you add a space there. It’s like Newfoundland; that’s one word.
3. Sorry Andy, I was working on a tight schedule. *cough*
4. I slipped Valentino Rossi into my security interview.
5. NAC isn’t dead. NAC isn’t dead. NAC isn’t dead.

What did we talk about? We started with their customary (non-IT) 10 preliminary questions, followed by more serious discussions of information security, dealing with management, and of course NAC.

Interview with Jennifer Jabbusch
    – Martin sits down with JJ to talk about life, security, and Asian women
    – Notice how Martin conveniently schedules interviews when Andy isn’t available. :)
    – Notice how Martin is the person all of the nice interviewees *want* to talk to…  ;-)
    – In all seriousness, the audio quality of the interview isn’t 100% (Skype drops and Martin thinking he was muted) but what Jennifer has to say is so good we want to be sure you get a listen

Here are the links you’ll be looking for:

# # #

Contribute: Join the Securosis User Panel
Last Updated on Wednesday, 10 February 2010 06:19
Written by jj
Thursday, February 4th, 2010

Hi everyone. Some of my friends over at Securosis are putting together what I’m sure will prove to be an insightful user panel to participate in information security discussions and surveys. As part of the user panel, you will have access to the data results; all the goodness, no marketing crap.

If you read my blog, you’re probably just the kind of person they need. Please read the info below, visit the Securosis site and join the panel by emailing survey <at> securosis.com if you’re interested.

From the Securosis Post:

Need Brains. User Brains

As part of our support for the Open Web Application Security Project (OWASP), we participate in their survey program which runs quarterly polls on various application security issues. The idea is to survey a group of users to gain a better understanding of how they are managing or perceiving web application security.

We also occasionally run our own surveys to support research projects, such as Project Quant. All these results are released free to the public, and if we’re running the survey ourselves we also release the raw anonymized data.

One of our ongoing problems is getting together a good group of qualified respondents. It’s the toughest part of running any survey. Although we post most of our surveys directly in the blog, we would also like to run some closed surveys so we can maintain consistency over time.

We are going to try putting together a survey board of people in end user organizations (we may also add a vendor list later) who are willing to participate in the occasional survey. There would be no marketing to this list, and no more than 1-2 short (10 minutes or less is our target) surveys per quarter. All responses will be kept completely anonymous (we’re trying to set it up to scrub the data as we collect it), and we will return the favor to the community by releasing the results and raw data wherever possible. We’re also working on other ideas to give back to participants — such as access to pre-release research, or maybe even free Q&A emails/calls if you need some advice on something.

No marketing. No spin. Free data.*

If you are interested please send an email to survey@securosis.com and we’ll start building the list. We will never use any email addresses sent to this project for anything other than these occasional short surveys. Private data will never be shared with any outside organization.

We obviously need to hit a certain number of participants to make this meaningful, so please spread the word.

*Obviously we get some marketing for ourselves out of publishing data, but hopefully you don’t consider that evil or slimy.

—Rich

# # #
