
Application and Cybersecurity Blog

Automotive Cybersecurity Best Practices

Posted by Gene Carter on July 27, 2016 at 8:59 AM


Recently the Automotive Information Sharing and Analysis Center (Auto-ISAC) released "Automotive Cybersecurity Best Practices" for carmakers and their suppliers. This document expands on their "Framework for Automotive Cybersecurity Best Practices" published in January 2016. This is the first time the automakers have addressed cybersecurity in a formal manner and a strong sign they are treating hacker threats seriously.

I am encouraged that the auto industry leveraged the experience of other industries when approaching this task. The Best Practices document builds upon guidelines from NIST and ISO/IEC in creating its cybersecurity guidance. While cars need different security measures from mobile phones or websites, there are elements that are the same across these platforms and the automakers have emphasized the relevant teaching from industries with a longer history of security-conscious software development.


Topics: Automotive, Gene Carter, Embedded Security, best practices

Chrome Takes on Quantum Computers

Posted by Gene Carter on July 25, 2016 at 11:36 AM

Recently, Google announced they are testing a quantum resistant cryptographic algorithm for the Chrome browser, specifically the new Canary version used for experimentation. If you are unfamiliar with quantum resistant algorithms, you can watch the short video or read a series of blog posts.

I applaud Google's effort to take this important first step toward addressing the existential challenges of quantum computing by creating a more future-proof way for users to securely communicate over the internet. I urge the other browser vendors to follow suit.


Topics: Encryption, Crypto, Gene Carter, Embedded Security, Quantum Computing, Security News

Why You Should Have Trust Issues with Pokemon Go (and every other phone app)

Posted by Joe Basirico on July 14, 2016 at 10:18 AM


I want to run into traffic, fall into a pond, catch Pokémon while my wife is in labor, and find a dead body; let's check out this Pokémon Go thing!

Pop quiz: Is this a valid login screen for Google Account services?


Topics: Joe Basirico, Privacy, Online Security Safety, Internet of Things, Mobile Security, Information Security

Making Application Security Fun and Approachable

Posted by Ed Adams on June 23, 2016 at 10:55 AM

Application security is often overlooked, under-funded, or ignored. Part of the reason for this is that it can be a complex, difficult aspect of IT security, but mostly it's because it's simply misunderstood.

When I speak with CISOs and other InfoSec professionals, the perception is that AppSec is a frustrating, vexing problem for them: the tools are expensive, burdensome, and inaccurate; developers won't take procured training; and there's a distinct sense of being overwhelmed by dependence on so many applications and so much code to run their business. Despair and lack of visibility leave organizations with the question "Where do we start?", and that question frequently never gets answered.


Topics: AppSec in Practice, Ed Adams, Application Security, Education

Learn about Ransomware and How to Protect Yourself

Posted by Kevin Poniatowski on June 13, 2016 at 12:05 PM

Ransomware first appeared as a method of stealing money from individuals, but it is now being used to restrict access to organizations such as hospitals, financial organizations, and even local law enforcement. Over the past few years, ransomware has taken hold of the cybercriminal world, and each year we continue to see its popularity grow among cybercriminals. Why? Ransomware is not only profitable but easy for an attacker to use. Simply infect the computer using a malicious link sent through an email, website, or chat message.


Topics: Security Awareness, Security Tips, Kevin Poniatowski, ransomware

Why Attackers Target Social Media and How to Protect Your Accounts

Posted by Geoffrey Vaughan on June 8, 2016 at 8:59 AM

Social media and dating sites can be loaded with people looking to misuse your personal information. They can also be a great source for attackers to gather information about you in order to attack your other services (banking, email, etc.).

Recent news shows data from 117 million compromised accounts was being sold from the 2012 LinkedIn breach, far worse than the 6.5 million accounts originally thought. The Myspace breach, occurring one year later in 2013, is reported to be one of the largest password leaks, with 427 million passwords stolen. Other breaches include 65 million Tumblr accounts, 6 million Facebook accounts, and 250,000 Twitter accounts, all occurring in 2013. Why is this only now becoming news? Much of this data has recently been made available for sale, stirring up commotion in the social media world. Even Facebook founder Mark Zuckerberg reported having his Twitter, Pinterest, and LinkedIn accounts hijacked, likely using data that recently became available from the 2012 LinkedIn breach.


Topics: Security Awareness, Social Media, 2fa, Security News, Security Tips, geoffrey vaughan

Diffusion of Innovation: How Adapting will Strengthen your SDLC

Posted by Zak Dehlawi on May 27, 2016 at 3:35 PM

As software security zealots, we sometimes forget the human aspect of software development. Why wouldn't developers and organizations do every available security activity to make their software more secure? Isn't security indispensable? Isn't security king? There are some obvious reasons why they can't. For example, many software security practices are costly to implement in purely financial or time terms. However, there are also human factors that we don't always consider, so we might need to borrow from the field of sociology to answer those questions.


Topics: Security Engineering, devops, best practices, zak dehlawi

Learn About Application Security Contract Language

Posted by Jason Taylor on May 20, 2016 at 12:00 PM

When you buy 3rd party software or outsource application development, you inherit all the vulnerabilities that the vendor fails to eradicate. To mitigate financial and operational risk, it's important that security and technology professionals write clearly defined security requirements into contracts.


Topics: Jason Taylor, Application Security, SDLC

US GAO Tells US DOT to Define its Role in Automotive Cybersecurity

Posted by Gene Carter on May 10, 2016 at 8:07 AM

Recently, the US Government Accountability Office publicly released GAO-16-350, "Vehicle Cybersecurity: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack."

For this 61 page report, the GAO interviewed 32 selected industry stakeholders, including 8 automakers, 8 automotive parts suppliers, 3 automotive cybersecurity firms offering vehicle cybersecurity products, and 13 subject matter experts, including 7 leading researchers. Security Innovation’s Chief Scientist, William Whyte, was one of the subject matter experts interviewed.


Topics: V2V, Connected Cars, Automotive, Gene Carter, Security News

NIST Weighs in on Post-Quantum Cryptography

Posted by Gene Carter on May 2, 2016 at 4:34 PM

The National Institute of Standards and Technology (NIST), which is part of the US Department of Commerce, recently released a Report on Post-Quantum Cryptography. In the report, they review the threat posed by quantum computers to today's most popular cryptography and survey the possible quantum-resistant solutions.


Topics: Encryption, Crypto, Gene Carter, Quantum Computing
