Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Tag Archives: Vulnerability Commentary

Hope, Fear and Objectivity in National Security: Obama and Chertoff

– Whether or not Barack Obama was your candidate of choice, his Presidency has ushered in a positive response from around the globe. His supporters call this the politics of hope. And it is in direct opposition to the outgoing US President Bush, whose political tactics are called the politics…

The OCC and Application Security: Vindication at Last

– On May 8, 2008, the OCC (Office of the Comptroller of the Currency, part of the U.S. Department of the Treasury) issued Bulletin 2008-16, which you can find here. As the OCC states, there have been prior mentions of application security by the FFIEC (of which OCC is a member), NIST and others.…

Metrics Revisited – Application Security Metrics

– I have recently been giving some thought to, and doing some research into, application security metrics, and I have determined, quite simply, that there aren’t any good ones. “How ridiculous!” you say, “We have two dozen application security metrics, which we report in real…

Fare Timing Attacks on the Long Island Railroad (LIRR)

– The Long Island Rail Road (map) is run by the MTA and is the primary way for the majority of people who live on Long Island to commute into NYC for work. I noticed the same phenomenon occurring a number of times and then realized that people were using timing attacks to get free rides on […] …

Why I no longer report website vulnerabilities that I stumble upon…

– I wrote this in July 2007 but decided against publishing it at the time. In July, I felt that I did not have a significant, publicly known case to help legitimize the argument. The Dan Egerstad case prompted me to change my opinion. —- There was a time that if I found a vulnerability…