With the continued uncertainty lingering in the global economy, I think it is likely that spending on new information security initiatives will continue to be highly scrutinized.  This isn’t to say that security initiatives won’t go forward, just that ...

Over the past few months I’ve noticed a disturbing trend in our industry to talk more about “offensive security.” People are writing and tweeting about “active defenses” or “strikeback capabilities” but it all points to a movement that is at best a ...

I came across this article (see link below) not too long ago and it really got me thinking about not only the places where I put my information on the Internet, but the reasons I put my information out there.  Most sites we put our information seem ...

So what is the big deal if a few of my corporate PCs are infected with malware, what’s the worst that can happen? In this post I want to cover what can be done with a compromised PC and why it is a big deal. Many Security Managers minimize the importance ...

While managing Operational Risk for a large IT organization, one of my responsibilities was to work with Corporate Operational Risk to define Key Risk Indicators (KRIs) KRIs were monitored at a corporate level.  We took the easy route by using canned ...

Ready for one last slick web application penetration test trick? In this installment we'll explore a subtle and often overlooked vulnerability related to web application authentication. In response to the login request containing posted ...

Ready for another cool web application penetration test trick? In this installment we'll cover clickjacking, also known as "UI redressing". Clickjacking is an instance of the classic "confused deputy" problem, and occurs when ...