Heartbleed: A great time to think about incident response

by Isaac Potoczny-Jones

Heartbleed is the nickname of a dangerous OpenSSL vulnerability that was just announced. A security update was already available before the announcement, and this is definitely a vulnerability where quickly patching makes a big difference. A fast response matters here because malware wasn’t in the wild yet, so many sites likely can prevent […]

Is the NIST Risk Management Framework poised to become a national cybersecurity standard?

A lot of organizations, including small businesses and critical infrastructure operators, might soon get new technical security requirements from the federal government. This will probably be very costly, especially for small businesses that don’t already implement the kinds of security measures that are standard for large federal contractors. I’ll give a brief overview of two […]

A Disciplined Approach to Talking About Security

Recently, a thread about a security problem in a piece of open source software got a lot of attention. There was a vulnerability report, a defensive developer, persistent security folks, and of course sideline comments taking one side or the other. This discussion perfectly illustrates why it can be hard to have a civil discussion […]

Cloud Security Risk Agreements for Small Businesses

Isaac Potoczny-Jones <ijones@galois.com>

PDF version.

Abstract. Cloud computing can be particularly beneficial to small businesses since it can decrease the total cost of ownership for IT systems. Unfortunately, one of the major barriers to adoption of cloud services is the perception that they are inherently less secure, exposing the organization to unacceptable risk. There are standard […]