Curphey - Latest Comments

Re: Is Threat Modeling Overrated ?

Anon — Mon, 23 Apr 2012 14:24:32 -0000

I don't think you understand the definition of threat, vulnerability and impact. Threat modeling is about understanding risk, not simply the threat. Maybe the only shortcoming of threat modeling is that is should more appropriately be called "risk modeling" as that is what is it and does when done properly.

Re: Is Threat Modeling Overrated ?

Anonymous — Mon, 23 Apr 2012 14:21:01 -0000

Maybe the reason you see TM as over-rated is that you were involved in TAM, which is unless and a piece of crap!

Re: Is Threat Modeling Overrated ?

mcurphey — Tue, 20 Mar 2012 21:59:47 -0000

I think we are saying the same thing. Architectural Risk Analysis is a high value activity but threat modeling as practiced doesn't live up the hype that seems to surround it IMHO.

Re: Is Threat Modeling Overrated ?

Andre Gironda — Tue, 20 Mar 2012 12:30:58 -0000

I think I am failing to understand your message:

Ok so acronyms like STRIDE and perhaps BIA are out?
Tools are mostly out, except when they are tied to static analysis and penetration-testing?

But what you seem to like is standards like SecureUML, which is really a subset of OOA&D, which has already been ported for security needs as the Architectural Risk Analysis stage of development.

Personally, I would rather just utilize the Architectural Risk Analysis techniques and call it a day. If we want to deprecate the use of the phrase "threat-modeling", then I'm ok with that. It was always confusing.

Re: Is Threat Modeling Overrated ?

mcurphey — Tue, 20 Mar 2012 12:14:41 -0000

No Threat Modeling Overrated, Software Risk Analysis Underrated

Re: Is Threat Modeling Overrated ?

Andre Gironda — Tue, 20 Mar 2012 11:59:48 -0000

So, by "overrated" you mean "underrated"?

Re: Escaping the Management Trap

Andrew van der Stock — Tue, 06 Mar 2012 04:51:05 -0000

Congrats Mark on the next phase. Does this mean relocation to SF?

Re: Solid Application Security Frame ?

Dennis Groves — Tue, 28 Feb 2012 17:21:42 -0000

Key management. Where every you have Cryptography or Data Security - you have a key management problem. People are still hard coding secrets.

Re: Software Security Weekly

David — Thu, 23 Feb 2012 10:34:00 -0000

Can you share your theme/plugins you are using in textmate? And where is the link to this mailing list?

Re: Contributing Authors to the Practical Software Security Book

David Rook — Wed, 08 Feb 2012 07:21:14 -0000

Hi Jz - I can only say that you should judge me by my results. Wait until you read the book :)

Re: Software Security Weekly

jonathan_wallace — Tue, 07 Feb 2012 16:23:04 -0000

How does one go about signing up for the weekly email?

Re: Cryptography Section of Practical Software Security Book

Maarten Mestdagh — Tue, 07 Feb 2012 11:32:50 -0000

Maybe some guidelines on what level of cryptography is wanted for what kind of information (so no overshoot that takes down application performance)

Re: Cryptography Section of Practical Software Security Book

@hvcco — Tue, 07 Feb 2012 09:19:10 -0000

What about crypto/key management protocols and associated failures? Problems with CA trust etc? Or is that covered under the "Often fails" section?

Re: Cryptography Section of Practical Software Security Book

mcurphey — Thu, 02 Feb 2012 11:54:25 -0000

Noted, thanks!

Re: Cryptography Section of Practical Software Security Book

mcurphey — Thu, 02 Feb 2012 11:53:55 -0000

Hi Andrew, good to hear from you again and hope London is still treating you well. All great feedback as always. I am going to refactor the structure a little based on your feedback. I think a first class section on "keys & key management" and a first class section on algorithms makes perfect sense. When I have an updated TOC I'll post and well make sure you are added a reviewer!

Re: Cryptography Section of Practical Software Security Book

mcurphey — Thu, 02 Feb 2012 11:51:18 -0000

I am not sure but have added that to my notes. The book is targeting the 95% majority developers and those topics maybe edge cases / advanced but we will certain consider it. Thanks for the feedback!

Re: Cryptography Section of Practical Software Security Book

mcurphey — Thu, 02 Feb 2012 11:50:13 -0000

Thanks for feedback, yeah all of that will def be covered in the section! Cheers!

Re: Contributing Authors to the Practical Software Security Book

mcurphey — Thu, 02 Feb 2012 11:49:32 -0000

Next year!

Re: Contributing Authors to the Practical Software Security Book

mcurphey — Thu, 02 Feb 2012 11:49:13 -0000

I regard Dinis as a friend but David is a MSFT MVP and so will have more respect from most developers. If the book was about breaking stuff then Dinis would be a great fit but it's about building secure software. Pravir is a top resource for Java.

HTML5 will be covered in the technologies section.

Cheers!

Re: Git Cheat Sheet

mcurphey — Thu, 02 Feb 2012 11:47:34 -0000

Thanks Howard. The video was superb!

Re: Cryptography Section of Practical Software Security Book

Hollydollyforce — Thu, 02 Feb 2012 06:21:32 -0000

I think Andrew covered your question !!! It would be very cool if you could include some of these new topics!

Re: Cryptography Section of Practical Software Security Book

Andrew Yeomans — Wed, 01 Feb 2012 07:16:10 -0000

FPE - format preserving encryption/tokenisation.

Re: Cryptography Section of Practical Software Security Book

Andrew Yeomans — Wed, 01 Feb 2012 06:54:37 -0000

Password hash functions (i.e. salted, often iterated, intended to be slow unlike integrity check hashes). For both logon passwords and for password-protected data files.
The mess of Digital Cert formats (all those PKCS numbers, DER, BER, .cer, .crt, .pem, .key, etc) and how to convert, e.g. with openssl.
Other newish crypto - homomorphic, M-out-of-N, cryptographic dispersal/crypto-splitting, steganography.
Guides on key strengths for different algorithms - see http://www.keylength.com/ and implementations (e.g. how strong is the crypto in MS Office, pkzip). Including cracking approaches, when can rainbow tables be used, GPUs, http://xkcd.com/936/
Certificate validity checking - OCSP, LDAP lookup, cert chains. Identity and authorization certs. CA compromises. EV and SGC certs.
SMTP/TLS and IBE (include with PGP & S/MIME) for email encryption.
Crypto hardware - smartcards, TPM, HSM, link encryptors.

Re: Cryptography Section of Practical Software Security Book

Chris — Wed, 01 Feb 2012 03:28:22 -0000

How about secure scetches, fuzzy extractors, and other notions of cryptography which are new and not so popular yet (e.g., identity based cryptography...)...

Re: Cryptography Section of Practical Software Security Book

fkoehn — Tue, 31 Jan 2012 19:59:30 -0000

How about "Stupid ideas in cryptography"
- inventing your own protocols
- using encryption certificates for signing or vice versa
- Is it truly random?
- How to use salts/seeds