Tag Archives: Vulnerability Commentary
The OCC and Application Security: Vindication at Last
June 17, 2008 – 6:00 am
–
On May 8, 2008, the OCC (Office of the Comptroller of the Currency, part of the U.S. Department of the Treasury) issued Bulletin 2008-16, which you can find here. As the OCC states, there have been prior mentions of application security by the FFIEC (of which OCC is a member), NIST and others.…
Metrics Revisited – Application Security Metrics
May 12, 2008 – 6:00 am
–
I have recently been giving some thought to, and doing some research into, application security metrics, and I have determined, quite simply, that there aren’t any good ones. “How ridiculous!” you say, “We have two dozen application security metrics, which we report in real…
Fare Timing Attacks on the Long Island Railroad (LIRR)
January 31, 2008 – 6:00 am
–
The Long Island Rail Road (map) is run by the MTA and is the primary way for the majority of people who live on Long Island to commute into NYC for work. I noticed the same phenomenon occurring a number of times and then realized that people were using timing attacks to get free rides on […] …
Why I no longer report website vulnerabilities that I stumble upon…
November 19, 2007 – 6:00 am
–
I wrote this in July 2007 but decided against publishing it at the time. In July, I felt that I did not have a significant, publicly known case to help legitimize the argument. The Dan Egerstad case prompted me to change my opinion. —- There was a time that if I found a vulnerability…
Hope, Fear and Objectivity in National Security: Obama and Chertoff