Kim Cameron on GOOGs single sign on design vulnerability

I spoke with Kim Cameron a few days ago about Google’s single sign-on (SSO) design bug. I wanted his take on the bug because he’s one of the best in the area of identity, single sign-on etc etc… his response can only be described as scathing.


"Open-source projects certified as secure" – huh?

I really got a chuckle out of this news item, especially this line: “Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.” So we finally have the security silver bullet! Run this tool on your code, fix the bugs,…


Common Criteria: Is it Safe?

My colleague, Eric Bidstrup, has posted a thought provoking commentary about the Common Criteria. I think it’s fair to say Eric is simply voicing what a great many people think about the (lack of) value of CC.


Security Education v. Security Training

David Ladd, a partner in crime, has just made a post on the SDL blog about Security Education. He starts: “There has been a lot of hoopla lately around “secure programming skills” – with not-so-thinly veiled condemnations of academicians and the role of the university in addressing the IT security problem.” It’s a very interesting,…


My Take on Windows Vista Security “Vulnerabilities”

I love looking at and analyzing security bugs, but I also enjoy observing how people react to knowledge of security bugs. Over the last few weeks, I’ve seen a number of interesting articles about Windows Vista security that made me smile. So I thought I would paraphrase the articles and re-write them with an opposing…



Howdy once again from RSA. It’s raining. So much for sunny California! Jeff and I just gave our talk about Windows Vista Security Engineering. It was a packed room. In fact, when we got to the room we saw a bunch of people milling around outside. We went to the door to enter and we were told…


What is it that makes security hard?

I’ve been asked this question numerous times, often in the guise of a question like, “why can’t you guys simply fix the security problem?” or “reliability and scalability problems are understood and solvable, why can’t you do the same with security?” or my favorite variant, “what the heck keeps you interested in security when it…


A couple of interesting security blog posts

 Jeff has an uncanny ability to dig into details that most folks gloss over: Exposed? : Examining Secunia Unpatched Warnings – Part 3 I have to concur with Kai: People like this just frost me: Security considered a burden for users