Getting Started With the Upcoming DOD Cybersecurity Maturity Model Certification
The United States Department of Defense (DoD) recently announced the Cybersecurity Maturity Model Certification (CMMC). All companies and subcontractors doing business or proposing to do business with the DoD must be assessed and certified against the CMMC starting in 2020, with the full CMMC slated for publication in January of 2020. This requirement follows a number of high-visibility security incidents involving DoD information.
Client-Side Authorization
“Don’t use client-side authorization” is a well-known security rule. Or at least it should be. I went looking for a canonical reference for it, and could not find one, so I wrote one. Please comment if you know a better reference for this!
Dark Matter and Measuring Security
I am occasionally asked by our clients to measure how secure a thing is. That is perfectly reasonable to want to know. Is it secure enough? Do we need to spend more on security to make it secure enough? Are we getting better or worse? And so, managers are surprised, as well as disappointed, to learn that measuring security is nearly impossible.
ASLR Protection for Statically Linked Executables
We present new research that details crucial security weaknesses in Linux software that has been statically linked. We also provide a solution to temporarily resolve these security issues. Finally, we conclude by demonstrating how to have both RELRO [1] and ASLR [2] security mitigations working with statically linked executables in the ELF format.
The Calculus of Threat Modeling
I have been designing secure and security products for 20 years. I always thought of this as “architecture” and it took me a long time to realize that a major part of what I was doing was threat modeling. There are many established approaches to threat modeling, but because I backed into the field, I had rolled my own. This post is to explicitly describe what I have been doing.
A Minimum Viable Risk Management Program
Risk management is a fundamental requirement for all major information security frameworks, but there is little practical guidance for implementing a risk management program at small or young organizations.