Opinion

Opinion

• Status quo: Data compromise holds steady in 2016

  Data breaches can point to issues with security tools and their implementation. Some companies that are putting personally identifiable information at risk may surprise you.  Continue Reading

• Q&A: Rethink compensating controls, says Warner Bros. CISO

  It is not hard to make the shift from independent controls for defense in depth to interlocking strategies, Ron Dilley tells Marcus Ranum, but careful planning is required.  Continue Reading

• Security incident handling: Prepare to find answers

  CISOs work in stressful scenarios. Before you face executives armed with questions about security incident handling, it's time to formulate some of your own.  Continue Reading

• Threat defense, hybrid clouds and 'connections others miss'

  We often talk about shifts in information security from advanced threats to emerging technology defenses, but this year marks a few major turning points.  Continue Reading

• The futility of data breach notifications

  Olivia Eckerson discusses how her healthcare insurance provider was hacked, and why the data breach notification letter she received was less than helpful.  Continue Reading

• WMI tools make the perfect crime 'malware-free'

  Security researchers claim that attackers are abusing a longstanding administrative tool in the Windows operating system. With no telltale signs of malware, how can you stop it?  Continue Reading

• Ranum Q&A: The data behind cyberfraud with Anyck Turgeon

  Do we really have a good idea of how big a problem insider attacks are? A global data scientist, who is focused on fraud and money laundering, ponders the numbers.  Continue Reading

• Integrated IT security tools may hit the 'suite' spot

  Compilations of security tools and services make it hard for enterprises to figure out what some products offer, but efforts to avoid overlap can pay off.  Continue Reading

• Security startups tackle the art of deception techniques

  Distributed decoy systems aim to take deception by defenders to the next level. Will a network of traps and lies change the rules of engagement?  Continue Reading

• Q&A: Secure application development in the age of mashups

  How do you integrate the needs of the business and third-party services with security? Veracode’s Chief Strategy Officer Sam King has some answers.  Continue Reading

• The search for answers to ‘advanced threat’ defense

  Visibility into what is happening on your network may matter more than stopping an attack. Can technology keep up with advanced threats?  Continue Reading

• Can white-box cryptography save your apps?

  With the Internet of Things, software-based secure elements could hold the key.  Continue Reading

• Marcus Ranum Q&A: Aetna CSO Jim Routh on Agile security testing and challenges

  Why the health insurer pursues early prevention and detection strategies as part of its software security program.  Continue Reading

• The CISO role's evolution from IT security to policy wonk

  As the need for a dedicated information security officer catches fire beyond firewalls, how should companies engineer the expanding CISO role?  Continue Reading

• McGraw: Seven myths of software security best practices

  According to expert Gary McGraw, you're not helping yourself by believing the things -- all seven of them -- you've heard about secure software development.  Continue Reading

• Formal verification is the oldest new game in town

  Security gamification puts formal verification back in play.  Continue Reading

• Marcus Ranum chats with CGI Group's Terri Curran

  Information security metrics may be lost on some executives, Curran says. Keep their attention on security measures with the right portfolio.  Continue Reading

• Gary McGraw discusses the security risks of dynamic code

  Gary McGraw says secure software development gets tricky when your programming environment shifts like sand.  Continue Reading

• Sourcing threat intelligence services? Buy them by the box

  Security pros are too stretched to digest actionable intelligence on a continuous basis. Dedicated appliances may help ease their load.  Continue Reading

• Becoming jaded with Security BSides' Jack Daniel

  The financial success of the security industry has created "breach" ambulance-chasers. Can grassroots efforts still move InfoSec forward?  Continue Reading

• Cybersecurity skills shortage? Hackers wanted

  The problem-solving skills that many enterprises need to counter threats are hard to identity, let alone multiply.  Continue Reading

• Block chain startups signal new approaches to data integrity

  Bitcoin 2.0 is fueling technology development and services. The block chain mechanisms that secure the Bitcoin network hold real promise for security.  Continue Reading

• Software security assurance: Marcus Ranum chats with Oracle's CSO

  After decades in the hot seat, Oracle's CSO Mary Ann Davidson is still fighting systemic risk and the vulnerabilities of enterprise software.  Continue Reading

• Catfish, super users and USB drives: We do the math

  The data science that reprogrammed Wall St. trading models may offer lessons for security.  Continue Reading

• Waratek grabs RSA Innovation Sandbox honors

  Runtime application self-protection startup Waratek wins coveted RSA Innovation award.  Continue Reading

• Machine versus the bots: Does your website pass the Turing 2.0 test?

  New Web security models use browser behavior and polymorphism to protect against data theft and fraud.  Continue Reading

• Marcus Ranum chats with Juniper Networks’ Chris Hoff

  Liquid computing may be a pipe dream. But context and deployment remain the biggest information security challenges, says Hoff.  Continue Reading

• Enterprises call on API management for better API security

  Poor API hygiene can put your organization’s health at risk.  Continue Reading

• NSA’s big data security analytics reaches the enterprise with Sqrrl

  Competition for Hadoop-based analytics may put tools and services within reach for large and midsize organizations, says Robert Richardson.  Continue Reading

• Q&A: Marcus Ranum chats with Privacy Professor CEO Rebecca Herold

  Organizations will be judged by the company they keep, warns Herold. Don’t let third parties skate, when your data security is at risk.  Continue Reading

• Lack of cybersecurity awareness linked to CIOs

  Widespread security “ignorance” may soon change as calls for executive accountability grow louder.  Continue Reading

• McGraw: How to build a team for software security management

  Software security expert Gary McGraw points out five ways member organizations in the BSIMM group are structuring their software security groups.  Continue Reading

• Q&A: Marcus Ranum chats with AT&T's CSO Ed Amoroso

  There's no shortage of new security technology, but enterprise integration is still a major hang-up, says AT&T's chief of security.  Continue Reading

• Is runtime application self-protection a shortcut to secure software?

  Editorial Director Robert Richardson says it's easy to question the RASP security model, as it joins the growing list of application security testing acronyms, but the self-monitoring approach may hold merit.  Continue Reading

• Is the bug bounty program concept flawed?

  Looking for security vulnerabilities? Tread lightly. The benefits of vulnerability rewards programs are great, but so are the risks.  Continue Reading

• Gary McGraw: When risk management goes bad

  Expert Gary McGraw suggests simple guidelines for risk analysis and risk management using software risk analysis as an example.  Continue Reading

• Cybersecurity education: Planting seeds for the future

  Southern Methodist University's Chang says the school's cybersecurity education program addresses the skills gap for trained staff in enterprises.  Continue Reading

• Ranum Q&A: Security metric best practices with IBM's Diana Kelley

  Marcus Ranum chats with IBM's Diana Kelley about security metric programs, risk appetite and the tradeoffs.  Continue Reading

• The politics of DDoS response

  Reports of a 'hack back' DDoS attack by Sony stirred up acceptable use questions.  Continue Reading

• Before and after: Don't neglect incident response management

  Incident response planning will define a CISO's -- and the company's -- survival after a breach, says legal counsel and CSO Chris Pierson.  Continue Reading

• Does your system design eliminate the top 10 software security flaws?

  Marcus Ranum chats with Gary McGraw about secure system design and the IEEE Computer Center for Secure Design’s top 10 list of what to avoid.  Continue Reading

• McGraw on why DAST and RASP aren't enterprise scale

  Expert Gary McGraw thinks the way to get software security right is to keep the testing close to the developer environment.  Continue Reading

• Ranum Q&A with Renee Guttmann: Thriving in the CISO role

  A Fortune 500 veteran chats with Marcus Ranum about her management career and what it takes to reach the top of the security pyramid.  Continue Reading

• Open source software security: Who can you trust?

  Fears of backdoors and heightened concerns about encryption software are running rampant.  Continue Reading

• Network security: Threat intelligence feeds parse a sea of data

  Threat intelligence feeds help you prioritize signals from internal systems against unknown threats. Security intelligence takes it a step further.  Continue Reading

• Data encryption, notification and the NIST Cybersecurity Framework

  Awkward? The NIST Cybersecurity Framework arrives as the U.S. government struggles to counter negative reports on its data privacy and encryption standards.  Continue Reading

• Ranum Q&A with Aaron Turner: Whitelisting is on enterprise blacklist

  An early proponent of Microsoft SRP, Aaron Turner says application whitelisting has finally taken hold in consumer app stores.  Continue Reading

• Mobile security report: Data on devices

  New survey shows the battle between corporate-issued devices versus personally owned smartphones and tablets is too close to call.  Continue Reading

• McGraw: Software [in]security and scaling automated code review

  Gary McGraw and Jim Routh talk through the pitfalls of scaling static source code review and offer some potential process improvements.  Continue Reading

• McGraw: Software [in]security and scaling architecture risk analysis

  Software architecture risk analysis doesn't have to be hard. Gary McGraw and Jim DelGrosso discuss an easier, more scalable process.  Continue Reading

• Return on security investment: The risky business of probability

  You are better off with real numbers when it comes to measuring probability and the elements of security risk, even if they are wrong.  Continue Reading

• Opinion: Software [in]security -- software flaws in application architecture

  Many defects aren't found with code review. Gary McGraw and Jim DelGrosso think architectural risk analysis is a must to uncover software flaws.  Continue Reading

• Five major technology trends affecting software security assurance

  Column: Gary McGraw says five shifts in the IT landscape are affecting software security, but several BSIMM best practices can limit risk exposure.  Continue Reading

• New data on enterprise mobile security

  We polled readers in our annual Enterprise Mobile Security Survey and the 2013 results are in.  Continue Reading

• Ten years later: The legacy of SB 1386 compliance on data privacy laws

  A decade after becoming law, the ripple effects of California's SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws.  Continue Reading

• Why information security education isn’t making the grade

  Security experts explain why a holistic approach to security is critical to training computer engineers and computer scientists for a career in information security.  Continue Reading

• Well-rounded information security education benefits IT professionals

  A security-savvy IT staff can help reduce risk. Learn about information security training and education options for IT professionals.  Continue Reading

• Testing, assessment methods offer third-party software security assurance

  No ultimate test can give third-party software a clean bill of health, but careful assessment can help organizations gain more control over vendors.  Continue Reading

• Thirteen principles to ensure enterprise system security

  Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades.  Continue Reading

• Chief information security officer skills go beyond customary technical roles

  A trusted advisor and a strong communicator and promoter, a good CISO should be a jack-of-all-trades to rally the IT security team to support the business needs by minimizing risk.  Continue Reading

• Protecting Intellectual Property: Best Practices

  Organizations need to implement best practices to protect their trade secrets from both internal and external threats.  Continue Reading

• Pros and Cons of Information Security Certifications

  Educating the security professional requires far more than a certification exam.  Continue Reading

• Data supports need for security awareness training despite naysayers

  Claims that security awareness training doesn't work are unsubstantiated, explain software security experts Gary McGraw and Sammy Migues.  Continue Reading

• Gary McGraw on software security assurance: Build it in, build it right

  If the field of computer security is to be fixed, the only hope we have is building security in, says software security expert Gary McGraw.  Continue Reading

• Secure remote access? Security-related remote access problems abound

  Is there really such a thing as secure remote access? Editor Eric B. Parizo says there are too many security-related remote access problems to ignore.  Continue Reading

• (ISC)2 at a crossroads: CISSP value vs. security industry growth

  Should the (ISC)2 look to grow the pool of CISSPs to meet demand, or boost CISSP value for those who already have it? Eric B. Parizo looks at both sides.  Continue Reading

• Vulnerability testing with Open Vulnerability Assessment Language

  Learn how the Open Vulnerability Assessment Language (OVAL) can help organizations improve vulnerability testing processes.  Continue Reading

• SSO benefits: Security booster or improving end user experience?

  Enterprise single sign-on all about simplicity and improving end user experience, security is just a side benefit. Learn why this is true, as well as other technologies that both reduce complexity and improve security.  Continue Reading

• Firewall and system logs: Using log file analysis for defense

  Log analysis is the most under-appreciated, unsexy aspect of infosecurity, yet Marcus Ranum says it's one of the most important.  Continue Reading

• Using tax depreciation to increase security budgets

  The depreciation of capital assets, such as security hardware and software, is a tax benefit that every infosec manager should take into consideration.  Continue Reading

• Cyberwar myths: Are cyberwarfare and cyberterrorism overblown?

  Marcus Ranum explains why the whole notion of cyberwarfare is a scam.  Continue Reading

• Database security tools for preventing SQL injection attacks

  An emerging breed of database security tools is helping security teams spot attackers' favorite techniques, like SQL injection.  Continue Reading

• Review: Implementing Biometric Security

  David Bianco explains why Implementing Biometric Security is a useful but flawed book.  Continue Reading

• Proactive security: Make offense your best defense

  Information Security editorial director Andrew Briney outlines three measures that will help enterprises turn their reactive security into proactive security.  Continue Reading

• Commercial firewalls vs. Open source firewalls

  Learn the advantages and disadvantages of commercial and open source firewalls in a side-by-side comparison.  Continue Reading

• The four P's of information security success

  Although information security success relies on all parts of the four P's -- people, policy, process and product -- there is one that may really drive the profession.  Continue Reading

• Examining device-based authentication

  Combining device-based authentication technology with existing user-based authentication would be appealing for many organizations, but technical details remain unclear.  Continue Reading

• Examining identification friend or foe technology

  Identification friend or foe technology is a crucial aspect of the information security community, but not all networks are ready for the change.  Continue Reading

• Opinion: It's time to teach the consequences of hacking

  Hacking is becoming a national concern at the hands of high school students. Learn why it's time to teach kids about the dangers -- and consequences -- of hacking.  Continue Reading

• How to learn IT security in your spare time

  When considering how to learn IT security, never underestimate the power of a few minutes of downtime.  Continue Reading

• Network packet analyzers enable enterprise 'packet peeking'

  Marcus Ranum explains how network packet analyzers offer a worm's-eye view of what's traversing an enterprise network.  Continue Reading

• CISSP requirements: Can (ISC)2 verify its applicants?

  While CISSP requirements are extensive, some unqualified applicants are slipping through. The way in which potential candidates are evaluated for the CISSP is going to change.  Continue Reading

• Next-generation IDS brings less false positives, more intelligence

  An effective next-generation IDS can detect malicious attacks by integrating protection, analysis and response technologies, givubg users better security intelligence.  Continue Reading

• Simplify defense-in-depth security with redundant security controls

  Synergistic and redundant security controls are a more effective and more realistic defense-in-depth strategy than cashing out on a single line of protection.  Continue Reading