<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.5.1" -->
<rss version="0.92">
<channel>
	<title>TSC Trusted Advisors' Blog</title>
	<link>http://blog.thesecurityconsortium.net</link>
	<description>Security Testing, Research, Counsel &#38; Leadership</description>
	<lastBuildDate>Mon, 02 Aug 2010 22:57:25 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>Enterprise Security vs. Security - Pray Tell, What&#8217;s the Difference?</title>
		<description> 
I implore you to tell me the difference between Enterprise Security and Security.
 
It seems to me that Security of products and services is related directly to the actual item being tested for security purposes and Enterprise Security relates to security of an entire business and all its practices.
 
Consider for a ...</description>
		<link>http://blog.thesecurityconsortium.net/2010/08/enterprise-security-vs-security-pray-tell-whats-the-difference/</link>
			</item>
	<item>
		<title>Safe to Deploy? What&#8217;s That Mean?</title>
		<description> 
Over the past several months, I have spent many days in the lab performing Safety to Deploy (STD) tests on our customers' products.  Let me tell you, this has been an enlightening and immensely educational experience.  If you’re not familiar, the Safety to Deploy test is the first in our ...</description>
		<link>http://blog.thesecurityconsortium.net/2010/06/safe-to-deploy-whats-that-mean/</link>
			</item>
	<item>
		<title>iPad my web security recommendations…Not!</title>
		<description>
Sometimes this is just too easy! In my last post I whined that AT&#38;T has pushed testing to the back burner by imposing a penalty for bandwidth-hungry applications. I postulated that they would create a situation where app creators would cut corners in order to cut bandwidth requirements, all in ...</description>
		<link>http://blog.thesecurityconsortium.net/2010/06/ipad-my-web-security-recommendations%e2%80%a6not/</link>
			</item>
	<item>
		<title>Smashing Butterflies</title>
		<description>
I know you’ve seen the old science fiction B movies where the hero warns the antagonist that they should be careful because killing one butterfly in the past could alter the future in ways that can’t be imagined. But somehow the antagonist winds up smashing some poor defenseless butterfly and the ...</description>
		<link>http://blog.thesecurityconsortium.net/2010/06/smashing-butterflies/</link>
			</item>
	<item>
		<title>Ponzi Schemes, False Trust, and PCI QSA</title>
		<description>
In this land of phishing attacks, rootkits, and Ponzi schemes, it doesn’t surprise me a bit that the PCI QSA program has gotten as much traction as it has. Just so you know, I’m setting the rant bit to “on” here.
As a point of reference, a Ponzi scheme is ...</description>
		<link>http://blog.thesecurityconsortium.net/2010/04/ponzi-schemes-false-trust-and-pci-qsa/</link>
			</item>
	<item>
		<title>Googleland!</title>
		<description>
A few days ago I sent out a tweet about an epiphany I had regarding Google. Why isn’t Google considered a utility? I think I know why but let’s start here: they’re considered part of the critical infrastructure, Google affects most of the world population, and Google can affect the ...</description>
		<link>http://blog.thesecurityconsortium.net/2010/02/googleland/</link>
			</item>
	<item>
		<title>The 4 Horses of the Cyber Apocalypse</title>
		<description>

OK, calling it the apocalypse may be a bit alarmist – unless you’re a victim of evolving cyber crime. It’s really sad when it’s the very government and utilities that you rely on for life-giving services that work to erode your privacy and security. So, four events occurred to spur ...</description>
		<link>http://blog.thesecurityconsortium.net/2010/01/the-4-horses-of-the-cyber-apocalypse/</link>
			</item>
	<item>
		<title>Password Authentication Takes Another Poke In the Eye</title>
		<description>On January 4th as reported on DarkReading and DataBreaches, Lincoln National Corporation notified the New Hampshire Attorney General’s Office of a major security breach affecting 1.2 million people. In addition to the internal cost of investigating the breach and bringing in an external forensics team; in addition to planning and ...</description>
		<link>http://blog.thesecurityconsortium.net/2010/01/password-authentication-takes-another-poke-in-the-eye/</link>
			</item>
	<item>
		<title>Life, the Universe, and Howard Schmidt</title>
		<description>
It’s nice to see the potential for things to go right. What I’m talking about is the appointment of Howard Schmidt to the position of U.S. Cybersecurity Czar. Now, there are those out there that think that this is a bad move. I happen to disagree and I’ll tell you ...</description>
		<link>http://blog.thesecurityconsortium.net/2010/01/life-the-universe-and-howard-schmidt/</link>
			</item>
	<item>
		<title>Chatting with the CTO of Intelliden</title>
		<description>
So I was talking with the CTO of Intelliden (www.intelliden.com), a guy named Glen Tindal. I spend a lot of time talking with folks trying to understand what’s keeping them up at night and what’s working in their environments. Sometimes, like this chat with Glen, it’s just about why things ...</description>
		<link>http://blog.thesecurityconsortium.net/2009/12/chatting-with-the-cto-of-intelliden/</link>
			</item>
</channel>
</rss>
