In today’s segment, we talk about the long term effects of the HeartBleed incident and acknowledge the most frequently attacked applications: web apps and point of sale systems.
At 2014 SOURCE Boston, Josh Corman told me that Wolfgang Goerlich had an interesting DevOps story to tell. I sat down and spoke with Wolfgang and was astounded to hear a tale that could have come straight out of Gene Kim’s book, The Phoenix Project. Listen in as Wolfgang describes the process of taking over a project that was mired in technical debt, falling behind in deliverables to stakeholders and in need of a new way of thinking. To me, this story is one of the strongest statements for DevOps that I’ve heard.
About Wolfgang Goerlich
As Vice President of Consulting Services at VioPoint, Wolfgang supports clients by advising, identifying, and assisting in managing information security risk as well as mentoring VioPoint’s consulting team. Wolfgang, known for his outstanding leadership in the technology and information security community, is the co-founder of OWASP Detroit and an organizer of the annual BSides Detroit conferences as well as an accomplished speaker at regional and national security events.
Allison Miller caught my attention at the end of her session at 2014 Source Boston when she ‘Risk Rolled’ the audience and had them sing along with a talking head embedded in her presentation. I knew immediately this was someone I wanted to talk with and get to know.
Allison is the President of the Society of Information Risk Analysts, a relatively new organization that is an interest group for practitioners of information risk management. We talked about the mission of the group and why people would want to participate in a risk based approach to solving problems. Have a listen…
About Allison Miller
Allison Miller (@selenakyle) is Senior Director of Operations at Electronic Arts, where she oversees the business operations of EA’s cross-company digital platform. Allison has over 10 years of experience in designing, building and deploying real-time threat detection and prevention systems. Miller is active in the security community and presents research on fraud prevention and account security issues regularly to both industry and government audiences, including the ITWeb Security Summit, Black Hat Briefings, SOURCE Conferences (Boston, Barcelona, Seattle, Dublin), Nordic Security Conference, BruCon, USENIX/Metricon, and RSA. Prior to joining EA, Miller led Tagged’s Security & Risk Management team, managed PayPal’s Account Risk & Security team and was Director of Product / Technology Risk at Visa International.
She is currently the president of the Society of Information Risk Analysts (SIRA).
As many of you are already well aware, there has been a serious flaw in OpenSSL, a foundational open source library used for SSL encryption. There are plenty of places to get more information, but if you haven’t at least read http://heartbleed.com/ you can start there.
We all have accounts at a lot of different places, some more critical than others (Salesforce, Expensify, home banking, etc.). I would highly recommend that you take the time today to take measure of the passwords you use and where you use them. If you have a Yahoo password that is shared among many accounts, it is safer to assume it has been breached.
I for one have been systematically changing my passwords and recommending that friends and family do the same. The unfortunate thing about this attack is that it has been around for years, and there is already evidence that it was active in the underground before the public release. With this in hand, I would highly recommend you change your passwords today (and for the truly paranoid it is always a good idea to rotate passwords; I rotate mine for critical sites every 90 days).
There are plenty of password locker applications available for those of you that don’t have a scheme for remembering passwords (and I am sure nobody uses the same password at multiple sites). If you use a Mac, Keychain works great, but I also use pwSafe for my iPhone and iPad.
– Ryan Berg
‘”It’s only metadata” is a mischaracterization that plays into government hands.’ — Bruce Schneier
At the 2014 Source Conference in Boston, I was able to sit down with Bruce Schneier after his keynote to clarify his position on several topics he brought up. The twitter stream was on fire during his presentation as he described how the power of government and large corporations affects the internet. Where are the boundaries between personal data and corporate/government usage of that data? What is our responsibility in the equation?
An interesting observation from Bruce is that the government’s insistence that it is only collecting metadata, which according to it has no intrinsic value, presupposes that metadata is somehow less important or less personal when it comes to interrogating the data. This is despite the fact that it can be used to generate a network of contacts such as “who your friends are, who your family is, what you’re concerned about, where you go, your relationships, your interests”, creating an extremely intimate and personal portrait of a person’s life.
About Bruce Schneier
I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I write books, articles, and academic papers. Currently, I’m the Chief Technology Officer of Co3 Systems, a fellow at Harvard’s Berkman Center, and a board member of EFF.
Dwayne Melancon, CTO of Tripwire, has an interesting idea: turn your team into gamers, let them build their internal images and support that vision. This isn’t the type of thing you’d expect to hear at a security conference. In this short conversation, I talk with Dwayne about how to implement employee game theory within your project team.
About Dwayne Melancon
I was a contributor to both the Visible Ops Handbook and Visible Ops Security Handbook, working with authors Gene Kim, Kevin Behr, and George Spafford. As part of this effort, I have worked as a researcher with Carnegie Mellon’s SEI, the University of Florida, and the IT Process Institute in their studies and benchmarking of IT best practices. I work with numerous corporations around the world on IT service management improvement and IT security, and have teamed with the Institute of Internal Auditors in its pursuit of Generally Accepted IT Principles.
As a frequent, highly-rated speaker at national and regional itSMF, ISACA, ISSA, IIA and other industry events, I present on how to achieve world-class IT results. Using a framework of essential IT controls, I provide operations, security, and audit audiences with prescriptive steps they can take to improve IT change policies, procedures and systems.
The HeartBleed bug is running rampant on many major sites such as Chase and Yahoo while people are scrambling madly to find solutions. At the SOURCE Boston Conference this morning, I caught up with Melissa Elliot from VeraCode as she was examining the impact of HeartBleed on Yahoo, using software from Jared Staffer of JSPenguin.org. I asked her to describe what she was seeing. Have a listen…
About Melissa Elliot
I am 0xabad1dea (the zero-x is silent), a professional application security researcher also known as Melissa Elliott. If my name breaks your website we have a personal problem. My long-term goal is to convince programmers that the security of everything from the global economy all the way up to online Pokémon battles is in their hands and they need to take that responsibility seriously. My primary means of interacting with the community is through my extremely active Twitter account.
For three days this week I am at the SOURCE Conference in Boston covering the sessions, meeting with the vendors and most importantly talking with people in the hallways about what they are working on.
I just had an interesting discussion with Melissa Elliot, who is tracking how much data is leaking out of Yahoo on the open WiFi here at the conference. She’s agreed to an audio interview later today, so you’ll want to listen in on that one.
Keynotes at the conference include:
Of special interest to me is the “Wait wait, don’t pwn me!” session moderated by boB Rudis (and yes, before you ask, that’s boB, with a lower case ‘b’). I’m sure there’s much more to come.
UPDATE: I just spoke with Melissa Elliot, @0xabad1dea, from VeraCode, on the HeartBleed attack on Yahoo. Audio interview will be up within the hour.
It’s only been a week, but preliminary results of the 4th Annual Open Source Development Survey sponsored by NEA, Rugged, Sonatype, Contrast Security and the Trusted Software Alliance show some interesting results with the first 1500+ responses:
In March 2014, Rio Okada and his team in Japan organized the first AppSec APAC event in Japan. I called Rio to ask how the event went. Joining the conversation with me and Rio are Robert Dracea, Tobias Gondrom and Jerry Hoff. During our call we talked about what made the event so successful and how that success might be used in future AppSec events. Have a listen.