I got the opportunity to be at B-Sides in Nashville over the weekend. It was a great opportunity to mingle and meet people who had an interest in information security. One of the best parts was a great mix of old professionals and quite a few new people who were interesting in seeing what security is all about. It was a good time and I appreciate all the effort it took to make it happen.
We need a no-frills and roughly-right life-cycle to raise our level of software Security Assurance. Right now there are several security life-cycles both in the wild and available through vendors. None of those attend to the full spectrum of security and risk needs. Most are heavily centered around software testing but the security umbrella is much larger than that. Maybe more importantly development and delivery methodologies have changed drastically over the last couple of years.
You don’t read the glossary because no one reads that but how often do you jump straight to the end of a document to read an appendix? Be truthful. Well maybe you don’t but sometimes you really should. Building the Tower Information Security controls have been a hot topic lately. Actually the discussion has been more around the lack of controls or how poorly the controls were implemented. In the InfoSec industry there are lots of definitions for these controls.
Being Capable We talk a lot in security world. Most of the time we seem to talk about all the possibilities when we need to talk more about what we can actually do. What are we capable of doing? We do we need to be capable of doing? Being Capable with Capabilities When we want to talk with our partners, whether those partners are business-related, very technical or just your managers, you need some consistent way to describe what security does.
Well maybe not ecstatic but it is pretty exciting that I have been carrying around a way to house a strong static password and didn’t even realize it. I have had a Yubikey for over a year now and have used it successfully with LastPass. A YubiKey is a handy USB or Near Field Communications (NFC) device that can generate a variety of authentication responses. The default is a One Time Password (OTP) that can be verified via a server running the Yubico software.