Archive for March, 2008

Day 12: ITSM Vulnerability Assessment techniques

Lesson 12: Yesterday, I shamelessly recommended ditching all commercial networking gear. In the same breath, I also made several Cisco configuration recommendations. This is just the way that I work. The idea is that network appliances increase risk, but at the same time — they also allow you to connect to […]

Day 11: ITSM Vulnerability Assessment techniques

Lesson 11: Welcome back! I know that the last few weeks have been a lull, and even before ShmooCon there wasn’t a lot happening on our security blog. However, you’re in for a real treat since I’m back with the daily ITSM Vulnerability Assessment techniques!
It’s no longer Spring break (well it is Spring […]

Qualities of good pen-testers

Taking care of business
Before I get into this post, I wanted to give you some updates on the progress of other projects here at TS/SCI Security.
First off, I’ve been working on the OWASP Evaluation and Certification Criteria Project and hope to announce something very soon. Secondly, you’ll want to take a look at today’s post […]

Implications of The New School

Recently, I finished reading “The New School of Information Security” by Adam Shostack and Andrew Stewart. It’s only about 200 pages, so it’s certainly worth your time to pick up and read. Some people will compare it to “Security Metrics” by Andrew Jaquith (or many others), but I think this book is very […]

Short-term defenses for web applications

Before Mike Rothman posted something about the WhiteHatSec and F5 announcement, I really wasn’t going to say anything negative or positive. Integrating web application security scanners with web application firewalls at first seems like a good idea. However, it appears that most people forgot about the issues with WAFs: they only prevent very few kinds […]