research papers

  (The abstract:) Potentially dangerous cryptography errors are well documented in many applications. Conventional wisdom suggests that many of these errors are caused by cryptographic Application Programming Interfaces (APIs) that are too complicated, have insecure defaults, or are poorly documented. To address this problem, researchers have created several cryptographic libraries that they claim are more…

Read More “Comparing the Usability of Cryptographic APIs”

(Today) Wednesday, May 24th, 2017 at 1:00 PM EDT (17:00:00 UTC), Chris Wysopal and I are doing a SANS webcast, “Choosing the Right Path to Application Security.” I’m looking forward to it, and hope you can join us! Update: the webcast is now archived, and the white paper associated with it, “Using Cloud Deployment to…

Read More Adam & Chris Wysopal webcast

There’s a very interesting paper on the Cyber Grand Challenge by team Shellphish. Lots of details about the grand challenge itself, how they designed their software, how they approached the scoring algorithm, and what happened in the room. There’s lots of good details, but perhaps my favorite is: How would a team that did *nothing*…

Read More Cyber Grand Shellphish

There’s an interesting report out from the Cyentia Institute, which is run by Wade Baker and Jay Jacobs. (Wade and Jay were amongst the principals behind the Verizon DBIR.) It’s “The Cyber Balance Sheet.” It’s interesting research and if you spend time with executives, worth your time.

Read More Cyber Balance Sheet

There’s a new paper from Mark Thompson and Hassan Takabi of the University of North Texas. The title captures the question: “Effectiveness Of Using Card Games To Teach Threat Modeling For Secure Web Application Developments.” Gamification of classroom assignments and online tools has grown significantly in recent years. There have been a number of card…

Read More Do Games Teach Security?

Simson Garfinkel and Heather Lipford’s Usable Security: History, Themes, and Challenges should be on the shelf of anyone who is developing software that asks people to make decisions about computer security. We have to ask people to make decisions because they have information that the computer doesn’t. My favorite example is the Windows “new network”…

Read More Usable Security: History, Themes, and Challenges (Book Review)

One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not available publicly. What if we had solid evidence to use in breach impact estimation? This…

Read More Indicators of Impact — Ground Truth for Breach Impact Estimation

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event. As it happens, we just submitted a paper to the Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question. We use the WTP approach in a…

Read More New paper: “How Bad Is It? — A Branching Activity Model for Breach Impact Estimation”