As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.
Back when I testified with the L0pht to the Senate in 1998 we suggested the government use incentives as a way to get businesses to improve their security. The Senate was Republican controlled at the time and even us political newbies knew that regulation was going to be a non-starter at the time. We also proposed that the government use its purchasing power to require the vendors it buys from to have good security.
When we last left our intrepid hero, he was embarking on an quest to become an information security thought leader. A year has passed; let’s see how he’s doing! Enjoy.
I created this video for an internal Veracode video contest. It’s intended to poke fun at the abundance of “thought leaders” we have in our industry. I shared it on Twitter yesterday but thought I would post here on the blog as well. A handful of people have asked if it’s meant to satirize any […]
I had a great time at the SOURCE Boston conference last week. Veracode was a sponsor and a few Veracoders participated as advisory members or volunteers. I had the pleasure, along with Chris Eng, of presiding over the application security track. I think all the talks were of high quality but still a few stood […]
Welcome, come on in, have a seat. There is a cold beer in the fridge, help yourself! I may be new to the team, but I’m (reasonably) old to the game. My name is Tyler Shields and I’m the latest addition to the Veracode research team. I started at Veracode in September 2008 as a […]
Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation — the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42″ plasma TV to be raffled, the Executive Director of (ISC)2 outlined this new certification designed to appeal to […]
Assuming the mailbox hack is not an elaborate ruse, how did they do it? Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen: As you can see, you need to know the user’s birthday, country of residence, and postal code. […]
Earlier today, the US District Court dealt a victory to the MBTA hackers and the EFF, lifting the injunction issued on August 9th to prevent the three MIT students from presenting their findings at DEFCON 16. In summary: The lawsuit claimed that the students’ planned presentation would violate the Computer Fraud and Abuse Act (CFAA) […]
Another BlackHat has come and gone. As usual, it was a very busy week juggling customer meetings, recruiting, conference planning, vendor parties, and, oh yes, the actual BlackHat presentations. I had a fantastic time catching up with old friends and finally getting the opportunity to meet more of the Security Twits and others in the […]