July 31, 2006
New "Silver Bullet Security Podcast" up - An Interview with... me!
Nothing like stroking your own ego by listening to yourself on the Internet.
Seriously though, I had a lot of fun with Gary McGraw when he interviewed me for his Silver Bullet Security Podcast. You can listen to the interview by going here.
After enjoying that episode, make sure you go to the main page and listen to the other interviews. I am in good company with security gurus smarter than me, such as Avi Ruben, Dan Geer and Marcus Ranum.
Thanks to Gary, Cigital and the folks over at IEEE Privacy and Security for a fun interview!
July 26, 2006
Bribery to get identity integration into more open source software?
Now this is interesting. The people over at OpenID are offering a bounty of $5,000 to the first 10 open source applications that meet the following criteria:
So basically if you integrate OpenID Authentication 2.0 into you OSS project and have the traction, you have a chance of cashing in on it. With sponsors like Verisign and SXIP at the table, you know they are good for it. This is the perfect opportunity for apps like phpBB, mailman or wordpress to get a cash influx into their team. That could buy a lot of beer, or the very least a nice laptop :)
Working on OSS these days? Nothing like an easy $5,000 to put into your coffers. Make sure you read the Bounty FAQ, and then get coding!
July 18, 2006
Well, well. Congrats to Mark and the gang are in order.
Microsoft, please don't kill off Sysinternals. And don't kill Mark either ;)
The Six Dumbest Ideas in Computer Security
When I first read this last year, I remember thinking it would be SO nice if people actually accepted this. Now a year later, I notice not much has changed. Don't believe me? Consider the six dumb ideas Marcus mentioned:
You will have to go read his article if you want more depth into each dumb idea, but even on the surface you can get a glimpse at a commonality... those designing secure software have the opportunity to avoid each and every one of them. Yet most do not. In actuality, many software companies BANK on some of those ideas to make money. ESPECIALLY computer security companies! *sigh*
If you haven't had a chance, listen to Marcus and Gary talk about this and other fun security topics in the most recent Silver Bullet Podcast.
Great read, and a great listen. Enjoy.
July 06, 2006
Microsoft Threat Analysis and Modeling Tool v2 reaches RTM
I have been using Frank Swiderski's original Threat Modeling tool for some time. If you search for "threat model" on my blog you will see plenty of stuff over the last few years on how Microsoft has matured the whole process, and how I have matured in my understanding of that process at the same time. Well, I am pleased to announce that alongside their maturing in the threat modeling process, they have gone out of their way to make the original threat modeling tool 100x better.
I am just floored by the release of the RTM version of the Threat Analysis and Modeling Tool v2.0. You would be amazed about some of the features in this version of the tool. Taking the bulleted list from Anil's post over on the Threat Modeling Team blog, check out some of these features:
It's the last bullet that just pushed it over the edge for me. When you download and install this tool (and you REALLY should), make sure you go through the Video Tutorials. The Launchpad that starts with the tool has in depth video tutorials ranging from the reason why to threat model to instructions on just how to approach it. You owe it to yourself to spend a bit of time and go through each tutorial.
On top of that, the UI is beautiful. Compared to the original tool, its just amazingly slick. And a few of the bugs I talked to Frank about are finally fixed! When you build your first threat model using this of the tool, make sure you use the Wizard. Microsoft has done a great job to simplify the whole threat modeling process through that tool.
Great job Microsoft. Kudos to the ACE Services group for completing an excellent rewrite of the Threat Analysis and Modeling Tool for us.