(The abstract:) Potentially dangerous cryptography errors are well documented in many applications. Conventional wisdom suggests that many of these errors are caused by cryptographic Application Programming Interfaces (APIs) that are too complicated, have insecure defaults, or are poorly documented. To address this problem, researchers have created several cryptographic libraries that they claim are more…Read More “Comparing the Usability of Cryptographic APIs”
(Today) Wednesday, May 24th, 2017 at 1:00 PM EDT (17:00:00 UTC), Chris Wysopal and I are doing a SANS webcast, “Choosing the Right Path to Application Security.” I’m looking forward to it, and hope you can join us! Update: the webcast is now archived, and the white paper associated with it, “Using Cloud Deployment to…Read More Adam & Chris Wysopal webcast
That’s the subtitle of a new paper by Cormac Herley and Paul van Oorschot, “SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit,” forthcoming in IEEE Security & Privacy. The past ten years has seen increasing calls to make security research more “scientific”. On the surface, most agree that this is…Read More “…the Elusive Goal of Security as a Scientific Pursuit”
There’s a very interesting paper on the Cyber Grand Challenge by team Shellphish. Lots of details about the grand challenge itself, how they designed their software, how they approached the scoring algorithm, and what happened in the room. There’s lots of good details, but perhaps my favorite is: How would a team that did *nothing*…Read More Cyber Grand Shellphish
There’s an interesting report out from the Cyentia Institute, which is run by Wade Baker and Jay Jacobs. (Wade and Jay were amongst the principals behind the Verizon DBIR.) It’s “The Cyber Balance Sheet.” It’s interesting research and if you spend time with executives, worth your time.Read More Cyber Balance Sheet
In September, Steve Bellovin and I asked “Why Don’t We Have an Incident Repository?.” I’m continuing to do research on the topic, and I’m interested in putting together a list of such things. I’d like to ask you for two favors. First, if you remember such things, can you tell me about it? I recall…Read More Calls for an NTSB?
There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card…Read More Do Games Teach Security?
Simson Garfinkel and Heather Lipford’s Usable Security: History, Themes, and Challenges should be on the shelf of anyone who is developing software that asks people to make decisions about computer security. We have to ask people to make decisions because they have information that the computer doesn’t. My favorite example is the Windows “new network”…Read More Usable Security: History, Themes, and Challenges (Book Review)
One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not available publicly. What if we had solid evidence to use in breach impact estimation? This…Read More Indicators of Impact — Ground Truth for Breach Impact Estimation
Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question. We use the WTP approach in a…Read More New paper: "How Bad Is It? — A Branching Activity Model for Breach Impact Estimation"