Topic: Engineering and Vulnerability Management

From the Fall 2018 Issue

Zero Days and Zero Trust: Microsegmentation and Security in a World of Many

Author(s):

Jack Koons, Author,

koons-article-header

In a world where the business model is racing to connect everything, security is failing to keep pace. This sets up a dynamic tension within the organization between the network/infrastructure teams and the security teams. We are placing the current crop of CIO, CISO, and CTOs in an almost untenable position, and levying unrealistic requirements … Read more

From the Fall 2018 Issue

The Paradox of Infosec and the Dropping of a Socket

Author(s):

Gina Yacone, Director of Sales, Braintrace

Data-Breach-Paradox-header

On Sept. 19, 1980, near the small town of Damascus, Arkansas, someone dropped a socket, and it caused a breach. In terms of breaches, it was nuclear! Paradoxical as it may seem, the story of the 1980’s Damascus Titan II explosion showcases how a simple error parallels that of a significant breach of a company’s … Read more

From the Fall 2018 Issue

Modern Data Security: Worse Than you Think

Author(s):

Dr. Edward Amoroso, CEO, TAG Cyber

Amoroso-article-header

Imagine that under some bizarre set of circumstances, a local high school football team is forced to compete against the New England Patriots. Imagine further that the victory stakes for these teenagers are enormous, perhaps even life or death. Let’s complete this nightmare situation with an understanding that the NFL team will not let up … Read more

From the Fall 2018 Issue

SCANNERS and CONSULTANTS and PEN TESTS Oh My!

Author(s):

Caroline Wong, Chief Strategy Officer, Cobalt

Caroline-Wong-article-header

In a world with so many AppSec solutions, it can be tricky to decipher your options. For software security testing alone, there are several different options and hundreds of tools to choose from. This article looks at three of the main security testing options available: scanners, consultants, and Pen Testing as a Service. 1. Scanners … Read more

From the Summer 2018 Issue

Value Chain Maps for Open Source Ecosystems

Author(s):

Chris Corriere, Senior DevOps Advocate, SJ Technologies

Open Source Concept-BigStock

We can’t make it from scratch anymore In his TED Talk, “How I built a toaster – from scratch”1, designer Thomas Thwaites demonstrates how our global society stands on the shoulders of giants. Thomas attempted to reverse-engineer a toaster so he could build one from scratch. However, the simplest toaster he could find had over … Read more

From the Summer 2018 Issue

TEOTWAWKI: The Impending Cryptopocalypse

Author(s):

Adam Firestone, Editor-in-Chief , United States Cybersecurity Magazine

AF-TEOTWAWKI-header

In 1889, the New York publisher John Wiley & Sons published an obscure scientific piece by Daniel S. Troy titled The Cosmic Law of Thermal Repulsion: An Essay Suggested by the Projection of a Comet’s Tail. On page 60 of this text, Troy suggests that if the forces of “thermal repulsion” or “gravitational attraction” were … Read more

From the Summer 2018 Issue

Moving Target Defense with Polymorphic Applications

Author(s):

Danny Gershman, Founder and CEO, Radius Method

Danny Gershman Moving Target Defense

While the internet has existed for several decades, it’s only in recent years that security has become a popular concern. Cybersecurity tools and products now are a multi-billion dollar industry. Security engineers and executives continue to mitigate risk by trying to accurately quantify where their organizations might be vulnerable. Measuring security risk is hard. Typically, … Read more

From the Spring 2018 Issue

Shifting Left: Secure Systems Engineering

Author(s):

Hilary MacMillan, EVP for Engineering, CyLogic

macmillan-feature-image

The Shift Left principle1 is well known in software and systems development, particularly in relation to testing. It’s the idea of performing test activities earlier in the system development life cycle – developing test cases and procedures and performing incremental testing as code is being written. Ideally, test activities start even earlier than this, designing … Read more

From the Spring 2018 Issue

Crowdsourced Security – An Alternative to Pentesting?

Author(s):

Alex Haynes, CISO , IBS Software

cheshire-feature-image

Crowdsourced security programs have grown in popularity to the point where some enterprises have dispensed with traditional pentesting, using the crowdsourced model exclusively for auditing the security of their applications and infrastructure. What is Crowdsourced Security? Crowdsourced security methodologies invite a group of people (a crowd) to test an asset for vulnerabilities. The number of … Read more

From the Spring 2018 Issue

Architectural Security, the Ardennes, and Alfred the Great

Author(s):

David W. Archer, PhD, Principal Scientist, Niobium Microsystems and Galois, Inc.

archer-feature-image

Much of cyber defense today relies on the same approach used in kinetic defense over the last few thousand years. We use hard perimeters (firewalls) to repel attacks, sentries (IDSs) to trigger incident response, and carefully guarded entry points (VPNs, websites) to meet functional requirements (wait…security is still a non-functional requirement?). It is both a … Read more