Holy Hash!

#security on software development security and web security, security best practices and discussions, break-ins and countermeasures. Everything you ever wanted to know about software security but were afraid to ask, for fear of not understanding the answer!

CAST workshop on development security

We are holding our yearly security conference in Darmstadt on the 22nd of March – that’s next week – together with our partners from Fraunhofer SIT and CAST. This time, the focus subject will be DevOps and cloud technologies, including both operations and development…

Read on: https://holyhash.com/1062/cast-workshop-on-development-security/

A company with an SQL injection name

Finally, someone has registered a company whose name is an SQL injection attack. We have seen license plates on cars doctored to execute SQL injection attacks, but this is the first time, I think, that an attempt has been made to crash all business SQL databases in a country.
The company name is: ; DROP TABLE…

Read on: http://holyhash.com/1058/a-company-with-an-sql-injection-name/

Don’t patch it, it’s fine?

I wrote back in 2013 about my shock at discovering that companies were now publicly calling to stop investing in security and to avoid fixing security bugs, in my article Brainwashing in security. There, we witnessed the head of Adobe security, Brad Arkin, telling us that companies should…

Read on: http://holyhash.com/1053/dont-patch-it-its-fine/

Data breach at LinkedIn

Apparently, there was a serious data breach at LinkedIn and many customer records were stolen including “member email addresses, hashed passwords, and LinkedIn member IDs”. LinkedIn sent out a notification informing that the passwords were invalidated. What is interesting in the note…

Read on: http://holyhash.com/1047/data-breach-at-linkedin/

Position yourself on Security Maturity Grid

I wrote up the Security Maturity Grid the way quality management is usually presented. The grid is a simple 5 x 6 matrix that shows different stages of maturity of the company’s security management against six different security management categories (management understanding of security, p…

Read on: http://holyhash.com/1036/position-yourself-on-security-maturity-grid/

Worst languages for software security

I was sent an article about the programming languages that generate the most security bugs in software today. The article seemed to refer to a report by Veracode, a company I know well, discussing what software security problems are out there in applications written in different languages. That is an…

Read on: http://holyhash.com/203/worst-languages-for-software-security/

Backdoors in encryption products

After the recent terrorist attacks, governments are again pushing for more surveillance, and the old debate on the necessity of backdoors in encryption software raises its ugly head again. Leaving the surveillance question aside, let’s see what it means to introduce backdoors into…

Read on: http://holyhash.com/1002/backdoors-in-encryption-products/

CAST Workshop “Secure Software Development”

We are organizing the workshop on “Secure Software Development” now for the third year in a row. As usual, the workshop is in Darmstadt and the logistics are handled by CAST e.V. The date for the workshop is 12 November.
This year most presentations seem to be in German, so…

Read on: http://holyhash.com/972/cast-workshop-secure-software-development/

Windows 10: catching up to Google?

Windows 10 has turned out to be a very interesting update to the popular desktop operating system. Apparently, Microsoft envies Google for their success in spying on everyone and their dog through the Internet. Accordingly, Microsoft could not resist turning Windows into a mean spying machine…

Read on: http://holyhash.com/967/windows-10-catching-up-to-google/

Continue the TrueCrypt discussion: Windows 10

I already pointed out previously that I do not see any alternative to TrueCrypt for encrypting data on disk. TrueCrypt is the only tool that we can more or less trust so far. You will probably remember that Bruce Schneier recommended using Windows encryption, BitLocker, instead of…

Read on: http://holyhash.com/959/continue-the-truecrypt-discussion-windows-10/
