news

Strategies for Securing Agile Development: An Online Conversation

There’s no question that agile development methods, which emphasize collaboration and shorter, iterative development cycles, are ascendant. Many factors contribute to agile’s growing popularity, from constrained budgets to increased user demands for features and accountability. Though traditionally associated with small and nimble software and services startups, agile methodology has been embraced by organizations across industry verticals – many (like John Deere) whose name doesn’t scream “app store” or “Silicon Valley Startup.” But if agile is here to stay, a nagging question is how to pivot to agile’s fast-paced and iterative release schedules without skimping on important areas like code security. After all, the conventional wisdom is that security slows things down: imposing time- and labor intensive code audits and testing on the otherwise results-driven development cycle. Fortunately, agile and secure development aren’t mutually exclusive. Tomorrow (Thursday), the Security Ledger and Veracode will collaborate on a Hangout and discussion of how to build, automate and deliver secure software using the agile […]

Continue Reading

Microsoft Issues Critical, Emergency Patch: MS14-068

Microsoft on Tuesday released a critical security patch outside of its normal, monthly software update cycle to fix what it described as a serious, privately reported vulnerability in Microsoft Windows Kerberos Key Distribution Center (KDC). If left unpatched, the security hole could allow an attacker to impersonate any user on a domain, including domain administrators. They could use that access to install programs; view, change or delete data; or create new accounts on any domain-joined system, Microsoft said. The security hole affects a wide range of Windows versions and is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, Microsoft said. Kerberos is an encryption technology that is the default authentication method for Windows systems, starting with Windows 2000. The Kerberos Key Distribution Center is a standard network service for issuing temporary session keys to users and computers […]

Continue Reading

Infographic: After A Year of Breaches, Are Retailers More Secure?

After a year in which some of the U.S.’s top retailers found themselves on the wrong side of sophisticated, cyber criminal hacking groups, you may be tempted to search for a silver lining. Maybe the up side of all the attacks on retail networks and point of sale systems is an improved security posture overall? After all: if your neighbors to the left and right have their house broken into, you may well beef up your locks and alarms, even if your house hasn’t been targeted. Or, at least, that’s how the thinking goes. But Boston-based BitSight took a look at how the retail sector is faring security-wise as 2014 draws to a close. BitSight is an interesting company. They market a kind of reputation monitoring service: assessing security posture for companies by observing how they look from the outside. Think of it as a kind of Experian or TransUnion for security. […]

Continue Reading

Biggest Threat to Critical Infrastructure? Lack of Imagination

The threats to critical infrastructure in the U.S. and elsewhere are so plentiful that even trying to enumerate them is futile (and not a bit depressing). But – if we were to rank them in order of importance – what would be at the top of that list? Clearly, as this blog has noted, software security is a major concern. Recently, the Industrial Control System CERT (ICS-CERT) warned about a sophisticated malware campaign targeting users of HMI (human-machine-interface) technology from leading vendors.  In at least some cases, the systems targeted were exposed directly to the Internet, making compromise simple. In other cases, industrial control system software is deployed with default administrator credentials, or easy to guess passwords. In other words: while some attackers are persistent and clever, many critical infrastructure owners make their job pretty easy. So, perhaps, its not software insecurity that belongs at the top of the list, […]

Continue Reading

With $200k Fine, FTC Finds Trust-e Not Very Trusty

The U.S. Federal Trade Commission fined TRUSTe, a for profit organization that is a leading provider of online reputations, $200,000 for misleading consumers about its web site monitoring services. On Monday, the Commission announced a settlement with TRUSTe over allegations that the company failed to perform annual compliance checks on more than 1,000 domains that earned its TRUSTe Certified Privacy Seal” between 2006 and 2013. The company also acknowledged making misleading statements about its for-profit status. “TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge,” said FTC Chairwoman Edith Ramirez in an official statement. “Self-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action.” TRUSTe is a critical player in the online trust business. The company provides seals to businesses that meet […]

Continue Reading
1 45 46 47 48 49 76