Quoted in the Wall Street Journal this week

I was quoted in the Wall Street Journal (Tuesday May 21 edition)...it's a piece written by Gregory Millman talking about how senior executives are often at the root of information security problems. Check it out:

Corporate Security's Weak Link: Click-Happy CEOs 
Top Bosses, Exempt From Companywide Rules, Are More Likely to Take Cyber-Attackers' Bait

As I've written in the past, this is a big problem in businesses both large and small based on what I see in my work:

The BYOD Security Loophole


What to do when the CIO gets in the way of enterprise IT security

Read More

The next time you're feeling bullied...

Ever have a psychopathic executive (in IT or otherwise) try to force you to do something you simply can't support, railroad you down the wrong path, or attempt to make you feel inferior? You're not alone - I see and hear about this a LOT. There are many people pretending to be leaders who are simply insecure in their jobs so they try to flex their muscle to put up a "strong and capable" facade. Ironically it does just the opposite.

Well, when it happens to you, listen intently (people love that) but keep this bit from Henry Wadsworth Longfellow in mind:

"He that respects himself is safe from others; he wears a coat of mail that none can pierce."


Much of what we do in IT and infosec is merely playing the game of politics. If you understand people and why they act the way they do (it's all based around self esteem), you can simply play along and attain some semblance of peace at work.

Read More

Web security answers are changing - a frustrating, challenging, and humbling journey

In reading one of Brian Tracy's books, Brian discusses a story of Albert Einstein and an exam he gave to his graduate physics class at Princeton University. After the exam, Dr. Einstein was approached by a student who asked: "Dr. Einstein, wasn't that the same exam that you gave to this physics class last year?" Dr. Einstein replied "Yes, it was the same exam as last year." The student then asked "But Dr. Einstein, how could you give the same test two years in a row?" Dr. Einstein replied "Because, in the last year, the answers have changed."

This story illustrates the complexities around web application security: how much it changes, how complex it can be, and, most certainly, how no one has all the answers.

I've been fortunate to have the opportunity to test the security of many websites and web applications over the past decade. It's what I love doing the most in my work because every new site/application is a new experience. Of course, some of the security flaws are the same across the board but every new project brings unique challenges. The enormity of the matter is very humbling.

The things that defined web application security flaws (and fixes) last year may not be true this year. The answers are continually changing. Given these factors, I wanted to share with you some of my recent experiences and ideas on how you can get a better grip on this ever-changing target:

Your Scanning Experience Determines Your Scanning Success

What can Developers do to Better Protect PII?

Finding Web Flaws is not Point and Click

Responding to DoS attacks at the web layer

Should you Test Development, Staging or Production?

Read More

Is your approach to application security based in reality?

I know I say this a lot here - I've been so busy writing that I've been remiss in posting my actual content. So...I've got some content on web and mobile application security and penetration testing this time around.

You see, there are so many researchers, theories, and academic approaches to web and mobile security that it's simply overwhelming. Much of it doesn't apply to what businesses really need to be addressing anyway. Taking the 80/20 approach, what do you really need to focus on that's going to provide the highest payoffs?

Well, in the spirit of my book Hacking For Dummies (be sure to check out the new 4th edition), here are some tips I've written for my friends at TechTarget and Acunetix on some important web and mobile application security issues you need to be tuned in to beyond all the noise that's out there:

Don’t Let Problems Stop You From Carrying Out Web Application Testing  (before 'Too Scared to Scan' was cool ;-)

Mobile app software: Avoid the perpetual cycle of insecurity

Hybrid security: Beyond pen testing and static analysis

Mac Malware Underscores Why You Can’t Ignore Web Security Threats

Do You Scan with Network Security Controls Enabled or Disabled?

Take Care in Handling the Results of Your Web Application Testing

Much more to come on web and mobile security testing...It's what I love doing and I've learned a tremendous amount while doing it over the past decade.

In the meantime, check out my website for links to all of my other information security-related content.


Cheers!

Read More