T.E.N. ISE Information Security Award 2019

Honored with the nomination for the T.E.N. ISE Information Security Award 2019 in the Information Security Category. T.E.N. is a technology and information security executive networking and relationship-marketing firm. The award is given to top-ranking decision makers representing organizations in the academic and public sectors, commercial, financial services and health care.

I look forward to meeting all the other nominees in Chicago and seeing some old friends again.

Armenia, here I come!

I'm traveling to Yerevan in Armenia for the first time next week and I'm really looking forward to all the upcoming events, including the opportunity to meet the OWASP Armenia community, give a talk at the American University of Armenia, attend the Hive Ventures Summit, attend the WCIT, meeting the staff and ServiceTitan, and hire our first information security team member overseas.

Interns at ServiceTitan

Provide growth opportunities for my team members is paramount. When HR asked all ServiceTitan interns who wanted to be features on a LinkedIn post about the 2019 internship experience, Sid was the first person companywide to volunteer. Sid had many internship options and I’m glad he chose to join the team.

FACIN is now 40 years old!

Happy 40th birthday, FACIN school of Computer Science at PUC-RS! Thankful for all I learned from you. I am honored to be part of your history and humbled to be one of the 6 selected alumni case studies (in all 40 years) featured in the 40th-anniversary commemorative book.

Pantheon

In ancient Greece, it was said that all-powerful Titans would gather at the Pantheon to make plans for the humans they protected.

During the Pantheon session "Security & Your Business: Best Practices", Sean Valdez and I will demonstrate effective solutions to better secure your business.

Entrepreneurship podcast

In this podcast in Portuguese, Eduardo and I talked about the importance of information security in the development and growth of startups and companies. We touched on case studies and I gave tips on how companies can start protecting their data.

Cybersecurity at the board level

Leaders have a significant responsibility in personally understanding and managing cybersecurity as a key risk area. They must learn how to proactively protect their organizations and customers from the ever-increasing threat of cyberattacks. I felt honored and humbled when a chapter in Brazil of the Young Presidents Organization (YPO), a global network of young chief executives with approximately 24,000 members in more than 130 countries, invited me to fly all the way to South America to speak on the topic of roles and responsibilities to their local group of business leaders.

M&E and Secure Content Creation

The Media and Entertainment (M&E) industry has many “crown jewels” that require protection from hackers and malicious insiders. These jewels include intellectual property like video content and concept art, business data like highly sensitive email conversations and personnel records. They also include the availability of content streams to ensure consistent, accurate delivery of media assets. It’s an area where digital security, innovation, conversion and file content management is converging to redefine the daily experiences of M&E businesses.

This month I passed the strict review and approval process to become a qualified Trusted Partner Network (TPN) assessor. The TPN is a joint venture between two major entertainment industry associations, the Motion Picture Association of America (MPAA) and the Content Delivery & Security Association (CDSA), the worldwide leaders in third-party entertainment industry assessments.

Reducing Cyber Exposure from Cloud to Containers Mighty Guide

Securing the modern attack surface is a critical challenge you must effectively address to reduce cyber exposure and protect your enterprise. The Mighty guide Reducing Cyber Exposure from Cloud to Containers provides insights and lessons from 29 industry leaders (e.g., @daveshackleford, @csima, @lady_nerd, @planetlevel, @weldpond) on this topic.

OWASP AppSec Cali 2018 - THE BEST EVER!!!

Great weather, great speakers, greater trainers, great organization = sold out and awesome! Hollywood quality recordings of the talk are coming out soon.

Goodbye #LA and @AppSecCali it was a blast. Probably the best appsec event in the USA. @RAGreenberg @CassioGold
Nice to catch up with you again. Not forgetting @manicode - old friends again. pic.twitter.com/YnVucvA4Yr

— EoinKeary (@EoinKeary) February 1, 2018

Great hanging out @AppSecCali with the founder of OWASP Los Angeles! https://t.co/TrVsBn1VzK

— Richard Greenberg (@RAGreenberg) February 2, 2018

Life is good at #AppSecCali!

I had a good recap chat with @RAGreenberg and @CassioGold from @AppSecCali.

Follow @ITSPmagazine for this an more podcasts from the #appsec event. #owasp #CyberSec #infosec #cybersecurity @SelenaTempleton @sean_martin pic.twitter.com/HUwdJ45Jas

— Marco Ciappelli (@MarcoCiappelli) January 31, 2018

Security Test of the 2018 presidential elections voting machines: experience and results

Brazil's Superior Electoral court (TSE) selected me to test the electonic voting machines that will be used in the 2018 presidential elections. In this interview (in Portuguese) conducted by the TSE, all security researchers who provided relevant findings described their work and explained why the test is important.

Forbes Technology Council

Feeling grateful for being hand-selected to become part of Forbes Technology Council and having the opportunity to submit thought leadership articles on industry-related topics for publishing on Forbes.com.

Bug bounty Webinar

I'm presenting a 30 minutes webinar on Bug Bounty. Learn how to get started in implementing a successful program and avoid common pitfalls. Click here to register.

Penetration test of Brazil's Electronic Voting System

The Brazilian government selected as one of the security researchers who will test the nation's electronic voting system. I'm honor and excited with the oportunity to contribute with the security of this critical infrastructure component.

Bug bounty panel at AppSec USA 2017

The video is out! Check it out.

Bitcoin Hardfork

On August 1st Bitcoin was split into Bitcoin (BTC) and the clonecoin Bitcoin Cash (BCH). The means of this split was both a source code “hard fork,” creating an incompatible and independent crypto currency, in conjunction with a clone of the entire blockchain. Everyone who had bitcoins (BTC) before the fork has the same number of coins in bitcoin cash (BCH). In an article for the ITSP magazine, I explained the security and risks related to this split by discussing the motives, technical differences, and the consequences to the eco-system.

Read the full article: Bitcoin’s Fork And Its Security Implications (two part article)

AppSec USA 2017

AppSec USA 2017 lineup is looking promissing. I look forward to some of the keynotes too.

This year I'll be discussing bug bounty with a great team of panelists from companies such as GDS, PayPal, ITSP Magazine, and Baker McKenzie. Will I see you there?

Innovate Pasadena CyberSecurity

According to ITSP TV, the panel at ADP was extremely informative. Check out the video: Passwords, Password Management, and Two-Factor / Multi-Factor Authentication

Stroz Friedberg Blog

A short and yet informative blog post on Bug Bounty: Bug Bounty Programs: Good Preparation is Key to Success

ITSP Magazine

Honored to be listed as an Expert on ITSPmagazine.

My first blog contribution is the article: Dodging SHA-1’s Collision Course

AppSec Cali 2017

4th Annual AppSec California to Open the Year With a Must-Attend Powerhouse Application and Web Security Conference Full Agenda and Expert Speaking Panel Announced Full article

How to protect yourself online

With so many breaches out there, computer users often ask me how to protect their passwords. Here is a short blog article I wrote for Stroz Friedberge about the topic: Passwords: You think you know. But do you?

17th annual Cyber Security Symposium

UNC Charlotte 17th annual Cyber Security Symposium was a sold out event. Humbled with the opportunity to take the main stage. Although this is an academia event, there were more far more professionals than students. Kudos to the organization for a great event!

RSA Conference 2016 is starting today

Very excited to be speaking at RSA this year! The title of my talk is "Dissecting Bitcoin security". Bitcoin is a game changer invention and can be applied in various different systems. Unfortunately the media put a very bad spin on the crypto currency and made people shy away from the technology. I hope my talk help people understand what the technology is about and why it's so relevant for security pros.

OWASP Top 10 Proactive Controls 2016

Happy New year! OWASP Top 10 Proactive Controls 2016 is out. Enjoy!

RSA 2016

Super excited about my upcoming talk at RSA 2016! With 33,000 attendants RSA is one of the biggest, best known and most respected security events of the year.

OWASP Top 10 proactive controls

Jim Manico is leading the upcoming release of OWASP Top 10 proactive controls. His approach this time was to make the document world editable on Google docs. I applaud Jim for leading this project in such an open manner. It’s both a pleausure and honor to work with him again! I look forward to sharing the end result with the rest of the world.

(ISC)2 Congress

(ISC)2 congress was a massive success with over 20,000 attendants. Happy to be able to contribute to the show as a speaker. Below is a picture of Monday's lunch. I always wonder how the kitchen is able to serve everyone at the same time. One day I'll ask for a tour at the kitchen... It will make me a better man (and a better cook).

OWASP AppSec California 2015 videos are out!

Working with Jim Manico is a joy! I hope we can present again soon.

OWASP AppSec California 2015 Rocks!

Following the huge success of the previous event, OWASP AppSec California is promissing to be one of the hottest conferences in 2015. The line up of keynotes and speakers is top notch and the venue is truly unique. Seating is linmited so you really need to hurry up to get in!

FS-ISAC, here I come!

Reviewing my talk for next week. Really excited about contributing and collaborating with FS-ISAC on critical security threats facing the global financial services sector.

A good reason to upgrade to iOS 8

An integer overflow exists in the handling of PDF files that leads to arbitrary code execution. The vulnerability affects iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later and can be exploited remotely by simply viewing a malicious PDF file.

Technical Details: CVE Name: CVE-2014-4378

Thanks to the unpatched vulnerability CVE-2014-4377 which leaks valuable information about memory layout to the browser Javascript interpreter, the combined usage of both flaws allow attackers to bypass Data Execution Protection (DEP), Address Space Layout Randomization (ASLR) and code signing. Fortunately Apple corrected CVE-2014-4377 in Apple OS X with Security Update 2014-004. The recommended solution of iPhone users is to upgrade to iOS 8.

The best time of DI year!

Really excited about today's talk at the Digital Insight Innovation Conference! Why? Because it's a departure from the talks I often do target to highly technical professionals. My DI talk covers how to deal with many of the issues financial institutions requested our assistance during the last year and it's based on a collection of free tools and best practices that users (and your customers or members) can adopt to improve their banking security.

Ransom attacks against Macs and iOS devices

Ransomware attacks are on the rise, and some emerging attacks are going beyond PCs to target mobile devices used by banking customers.

Ransomware is a kind of malware (malicious software) that criminals install on the victims computer, usually through a malicious email attachment or webpage link, and demand a ransom paid to the creator of the malware in order for the restriction to be removed.

A new type of Ransom exploitation against Apple devices has been reported in Australia but recently spread to the United States. This attack differs from previous Ransomware attacks because the attack is based on Apple’s Find My iPhone application so software needs to be installed on the device. Victims reported finding their phones suddenly locked, with a message from Find My iPhone saying that the device had been "hacked by Oleg Pliss.". The hackers then directed owners to pay up to $100 for a device unlock via PayPal.

It’s not immediately clear how attackers are gaining access to the Apple IDs to take over the devices. One possible explanation is that criminals have obtained access to a leaked list of email addresses and passwords, exploiting the fact that many individuals will reuse the same account details for their Apple ID.

This attack can be proactively avoided by following some security best practices:

• Set an access passcode on all your devices
• Enable two-factor authentication
• Use of a strong and unique password for each account on the web

CIO Event North America

The CIO series which currently operates in Europe, the Middle East, Africa, and many cities in North America is coming to Los Angeles. The event's mission is to create a world-class platform of end-user driven academia to help executives make the right decisions for their organization. I'll be speaking at the Los Angeles event along with the Coca-Cola CIO, E&Y CTO​, Carefusion CIO and LA Unified School District CIO.

Black Hat Brazil - part II

Wow! The organization committee highlighted my talk as one of the exciting conference briefings! Pressure is on! Better to brush up my Portuguese for next week!

OWASP LA Rules!!!

I am thrilled to share this one: my excellent friends Tin Zaw, Richard Greenberg, Edward Bonver, Stuart Schwartz and Kelly FitzGerald were voted the best OWASP chapter leaders in the world and will receive the WASPY Awards during the Global OWASP AppSec USA 2013! Great job people!

Speaking of OWASP AppSec USA 2013, let me take a momento to plug this excellent conference and the impressive line up of speakers. If you never been to a Global AppSec (USA, Europe, Latin America or Asia) before, I highly recommend to check it out!

Black Hat Brazil

The Black Hat Briefings are a series of highly technical information security conferences that bring together some of the the most prestigious names from the full spectrum of security thinkers. The conference organization does a suberb job staying on the leading edge of new security trends as they emerge.

I was thirlled with the announcement of the first Black hat briefing in Brazil and even more thirlled when I was selected as one of the speakers! Brazil has long been reputed as the king of the banking Trojan. The few hackers who have been arrested are those who have committed such a huge scale of cybercrime that it was possible to arrest them under existing laws such as larceny and conspiracy. The local informaiton security industry needs events such as BlackHat to learn and fight the ever-increasing number of new attack methods in cyberspace.

Hot Topics in Security

Wow! My roundtable session "Hot Topics in Security" at the Digital Insight Innovation Conference is indeed a hot session! Only a few days after the conference registration opened, the session reached maximum capacity. The organizers scheduled a second session on Tuesday for all of you who could not sign up for the first one.

Android Master Key Attack explained

The Bluebox research team recently pre-announced an Android vulnerability that allows an attacker to inject malicious code to an application. Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.

The Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system; very similar to an MSI package in Windows or a Deb package in Debian-based operating systems like Ubuntu. Simply put, APK files are zip files that could contain files with duplicate filenames inside. Unfortunately when duplicate names exist, the entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK - the injected one that can contain the malicious payload and is not checked for signature at all.

The solution to this issue involves the device manufacturer to provide an OS patch that will check for APK files with duplicate file names. Reputable app stores are already doing the same to ensure no malicious code is available for download. End users should avoid downloading applications from questionable sites. Users who wonder if their devices were compromised should download and run the Blue Box Security Scanner.

Free online training

SAFECode released some training material last week. Some of the main contributors are members of my former staff at Symantec.

If you are looking for this type of material, also consider Jerry Hoff’s excellent OWASP AppSec Tutorial Series

Lastly, my good friend Zully released a number of good videos about bitcoin security at Khan Academy.

Another Pleasant Surprise!

This year OWASP initiated the first annual Web Application Security Person of the Year (WASPY) award and I'm truly honored to be among the finalists.

Kate Hartmann, one of the few OWASP full time employees, once told me that babies are the number one project killer in the community, something I can now testify... As sad as this statement may sound for a security practitioner, I believe this is the ultimate proof that the organization is indeed moved by passion. People dedicate countless hours and really love what they do. If you don't believe my words, listen to Ivan Ristic's interview in the OWASP podcast when he talks about OWASP!

I really cannot count how many individuals I met and I come to admire and built a friendship. OWASP not only made me a better professional but also a better person.

I'm sincerely touched with this nomination. Thanks OWASP! See you in Austin!

Can you Spot the Flaw?

Here is a function with a single line of code:

memcmp returns an integer which is implicitly casted to char. If memcmp happens to return a non-zero number that has a zero last byte, check_scramble will return 0 (password was ok), despite the fact that the password was incorrect.

One line of incorrect code resulted in this: CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL

This is extremely hard for someone doing coding reviews of 1,000s of lines of code to spot or to find during a pen test. On the other hand it’s trivial for a static source code analysis tool (or even a good compiler) to find.

Moral of the story:

1. Check your compiler warning. In Visual Studio set your compiler warning to level 4.
2. Use a static source code analysis tool. If you have Visual Studio Team Edition, enable the code analysis option.

Global OWASP AppSec LatAm 2011 videos are out

In English:

• Bryan Sullivan - You Are Not Amy Winehouse: A New Plan for Reaching the Developer Community
• Michael Craigue - Security Development Lifecycle - A History in 3 Acts
• Chris Evans - Dosh4vulns -- Google's vulnerability reward programs
• Rob Rachwald - How Security Researchers Are Hurting the Business of Hacking
• Dinis Cruz - Making Security Invisible by Becoming the Developer's Best Friends
• Maximiliano Soler Mantra - The Security Framework Slides

In Portuguese:

• Alexandre Braga - Como não escolher a sua senha! Será a senha gráfica o futuro das senhas?
• Rodrigo Montoro - HTTP Header Hunter: Looking for malicious behavior into your http header traffic
• Magno Logan - Segurança em Sites de Compras Coletivas: Economizando dor de cabeça!
• Wagner Elias - Automatizando análise passiva de aplicações web

The Great Cypher, Mightier than the Sword

David Ladd (Principal Security Program Manager, Microsoft Corporation), Gary McGraw (Chief Technology Officer, Cigital, Inc.) Kyle Randolph (Senior Manager, Security & Privacy, Adobe) and I will be serving at a RSA Panel titled "Making Sense of Software Security Advice: Best vs. Practiced Practices". Reeny Sondhi (Director, Product Security, EMC Corporation) will be the moderator.

Join me from February 27- March 2 in San Francisco for five days of learning, sharing and networking. I’ve seen the agenda and the week promises to be a busy one! As a selected speaker for 2012, I’m pleased to be able to extend a discount of $200 off the current registration rate when you use my personal discount registration code. Simply enter the following code when you register online:

My personal discount registration code: ZSPDdJaIoqK

This offer cannot be combined with any other discounts and is valid for new registrations from December 6, 2011 through January 27, 2012. The code cannot be used retroactively. To find out more about RSA Conference and the packed agenda, visit: https://www.rsaconference.com/events/2012/usa/index.htm. Be sure to register using the discount registration code above to receive the $200 savings.

Secure Software Programming: One of the Three Best Security Career Bets

SC Magazine published a really nice article about the need for security last month. According to the latest edition of Foote Partners, developers who posses security certifications can earn pay premiums averaging eight to 12 percent of base pay and even more with additional experience.

Secure coding (and security testing) are hard to do, and market demand far exceeds the available talent supply. It takes years of hands-on practice, as well as training, to develop the skills.

The right tool for the right job (SAFECode and BSIMM)

After listening to a number of talks at different conferences around the world, I’m convinced that even experts are confused about the various security initiatives, particularly SAFECode and BSIMM. As a consequence organizations are confusing prevalent practices with effective ones. Some of the results of this misunderstanding are organizations trying to choose the most popular BSIMM practices and use them as criteria for suppliers or adopting BSIMM as a Secure Development Lifecycle framework.

This week SAFECode released “A SAFECode Perspective on Leveraging Descriptive Software Security Initiatives“. This brief paper addresses common questions on the differences between BSIMM’s descriptive model and SAFECode’s prescriptive guidance. If you are responsible for a large software security initiative, I highly recommend reading this paper.

The Gold Standard

Software Development has changed considerably from a decade or two ago. While writing secure code (secure programming) is still a critical component of the secure software lifecycle, there is a great deal more to consider. Formal and structured software development methodology became a necessity for any organization that develops code.

Despite its known flaws, certifications are a great way to attest outsourced development can build solutions with the same level of quality practiced in large and well established enterprises. Certifications are a good way to verify a certain level of expertise has been reached among team members and to provide a meaningful measurement to customers. Engineers, especially in developing countries, should ponder the recognition a credible certification can bring to their work. I recently provided a quote to (ISC)2 about the value of CSSLP. The certification has reached the 1,000 certified professionals milestone this year and I wonder if it will eventually replace CISSP, known by many as the industry gold standard.

Speaking of (ISC)2, Caleb Sima, Tony UcedaVelez, Mikhael Felker, Stuart Schwartz and I will be speaking at the (ISC)² SecureSDLC 2011 – SoCal November 1st in Anaheim, CA. This should be a great one day event.

OWASP AppSec LatAm 2011

It took more than a year to organize OWASP AppSec LatAm 2011 but the results worth the effort. Equipped with numerous auditoriums that can accommodate up to 800 participants, PUC-RS provides a world class infrastructure. The variety and quality of PUC-RS’s main restaurant is comparable to some Buffets in Las Vegas. In addition, many professors supported the event and were actively engaged in conversations on how to include application security education in the curriculum.

Bryan Sullivan and Michael Craigue, our two keynotes, delivered more than security knowledge in their presentations, they delivered wisdom. Bryan delivered a polished presentation that mixed big picture concepts with hard core technical demos. Bryan’s unique mixture of skills makes his presentations interesting to all sorts of audiences. Michael Craigue conversational style and candidness made his presentation a must see for everyone who wants to jump start a security initiative at an enterprise. I highly recommend both.

The local organization worked incredibly hard to deliver a solid conference and great entertainment! Kudos to Alexandre Balestrin Correa (aka ABC), Jerônimo Zucco, L. Gustavo C. Barbato, Lucas C. Ferreira, Rafael Dreher, Gustavo Simon, Leonardo Goldim, Luiz Gava, Sarah Baso, Carolina Nogueira, Mauricio Pegoraro, Luciano Madeira, Adriene Barbato, Maximiliano Soler, Luis Otavio (aka LOD) and Ricardo Makino for a well done job! Argentina now has big shoes to fit for OWASP AppSec LatAm 2012!

BSIMM 3 is out

Every craftsman needs a set of tools to perform its duties and security practitioners are no different. Released this past Tuesday, the Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is one of the essential tools security professionals need to know about. BSIMM is an inventory of existing security practices from over forty large-scale, IT dependent organizations across seven business vertical categories.

Reviewing BSIMM data over the years is a great way to compare and contrast how the industry is evolving. In addition, BSIMM provides a considerable list of activities organizations with an established security initiative should consider to adopt next.

A Pleasant Surprise!

(ISC)² Americas Information Security Leadership Awards 2011 took place yesterday. To my complete surprise, I received a special recognition award for community services! Wow, have you ever had the feeling you realized something about yourself just because someone told you?

There is nothing more enjoyable in life than being surrounded by highly motivated and passionate individuals. Performing community services is fulfilling and important: we all know there is a lot to do in application security and I believe we, the practitioners, have a social responsibility to help our communities.

Unfortunately sometimes I see people leaving not for profit organizations because their bosses actively discourage this type of “distraction”. My personal experience as a manager and a practitioner is that this community services and work for an enterprise is symbiotic. In fact all my staff at Symantec is encouraged to engage in this type of activity. This is a great way to retain, train and acquire talented employees. It’s good for the individual, the business and the community. I hope other companies start to see things this way.

Protect The Stuff That Matters

Symantec released Norton Internet Security 2012 (NIS 2012) this week. According to independent research, the product is both the fastest antivirus solution and the product with the highest detection rate on the market.

Be sure to check the new product advertisement campaign titled "Protect The Stuff That Matters". In my opinion this is hands down the best marketing campaign the company ever did.

An Interview with Cassio Goldschmidt

The Pontifícia Universidade Católica do Rio Grande do Sul's (Pontifical Catholic University of Rio Grande do Sul, often abbreviated as PUCRS) magazine featured an interview with me this month. I'm an alumnus of the school of Informatica and a big fan of the university.

As of 2009 the university had 10 courses with 5 stars, computer science being one of them.  There are also 21 courses with 4 stars according to the the Guia do Estudante: Computing and Mathematical sciences and Engineering and Production.

The magazine is in Portuguese. Click on the picture to download and read the article on page 40.

Registrations for OWASP Global AppSec Latin America are now open!

The organization committee truly went out of its way to keep prices down and provide great deals for people who really want to take advantage of this event. One example of the great discounts the organization is giving way is the conference full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference. The deadline for early bird registration discounts is August 31st. Check out the videos about Brazil and Porto Alegre in the conference visitor's guide.

(ISC)2 Americas Information Security Leadership Award 2011

I’ve been selected as a finalist for the Americas Information Security Leadership Award (ISLA) 2011. The ISLAs Program is held annually by the International Information Systems Security Certification Consortium's ((ISC)²) to recognize outstanding leadership and achievements in workforce improvement of information security and management professionals. The gala dinner ceremony will be one among the many great events planned for the 57th ASIS Internation 2011 conference/(ISC)² Security Congress.

If you attend the conference, don't miss Richard Tychansky, Hart Rossman and Symantec's Edward Bonver presenting case studies of large enterprises that have successfully integrated security engineering best practices into their Software Development Life Cycle (SDLC) to reduce defects and increase software resiliency and reliability. You can read more about this session here.

OWASP Global AppSec Asia 2011

Sebastien Deleersnyder, Mano Paul and I will be the keynote speakers at OWASP Global AppSec Asia 2011. Last year the conference had more than 500 attendants and this year the organization expects over 800 people coming from various verticals including government, information technology, services and consulting, telecommunications, finance, e-commerce, Internet, universities and research institutes. Major news media will be covering the event.

There is a very high demand today for application security professionals in Asia. I have the privilege of working with many individuals in People’s Republic of China I respect so much their technical knowledge, work ethics and humbleness I could only wish we were fewer time zones apart! I hope to meet a lot more people alike in November. Please don’t be shy to come and chat if you see me around the conference floor.

2011 CWE/SANS Top 25 Most Dangerous Software Errors

SANS and MITRE released today the "Top 25 Most Dangerous Software Errors". This list ranks the most widespread and critical errors that can lead to serious vulnerabilities in software and is a great educational tool to help programmers to prevent the kinds of vulnerabilities that plague the software industry.

I've been a contributor of this list since the first release in 2009. It amazes me to see vulnerabilities such as CWE-120 ('Classic Buffer Overflow') still on the top of list for the following reasons:

1. Programmers really have to go out of their way to create classic buffer overflows in modern languages such as C# and Java. These languages, not C/C++, are the language of choice for many developers nowadays creating new systems.
2. Static code analysis tools do an excellent job finding instances of buffer overflows.
3. Modern compilers offer several ways to prevent exploitation of this type of flaw without changing a single line of code.
4. Some companies did an outstanding job bringing awarness to this issue and providing great security training to their development teams, including QA.

Without necessarily producing better software, the industry in general found a way to innovated itself out of a widespread problem. Buffer overflow flaws are still prevalent out there because we use a lot of legacy systems. I just don't find a lot of new instances being discovered, at least in our tests. If anything, this type of flaw is identified and fixed during the development phase using static source code analysis tools that are integrated to build systems.

ISSA Los Angeles 2011 Security Summit

I just came back from the ISSA speaker dinner and I'm really excited about tomorrow's event! ISSA clearly outgrew UCLA and the organization will need to deal with the growing pains of what is without a doubt going to be an outstanding conference. I’ll be serving at a panel with Steve Lipner (Microsoft), Gary McGraw (Cigital) and Jeremiah Grossman (WhiteHat). John Dickson (Denim Group) will be the moderator.

Other speakers include Marc Maiffret (eEye), Robert Brown (Western Bridge Corporate Federal Credit Union), Dan Cornell (Denim Group), Barbara Danzi (Garda Cash Logistics), Ariel Silverstone (Expedia), John Steven (Cigital), Mike Villegas (NewEgg, Inc.) and Tin Zaw (AT&T).

Better Software 2011

As much as I love to manage a global team that is as passionate about Software Security as Symantec's Product Security, I'm still a software developer at heart. Needless to say, I had a real blast presenting at Better Software. "Cosmic Truths about Software Quality" by Karl Wiegers was a very insightful presentation about the real meaning of quality and how to achieve it. Backed by facts and research, Michael Mah made a very persuasive presentation on the real cost of offshoring and why geography matters.

According to the official conference numbers, my presentation about secure coding had one of the top ratings from all the 65+ speakers. Who said developers don't care about security?

Valentine's day

Valentine's this year will be a bit different... I'm returning to Berkeley to present a talk about my book, this time to the NetEcon group. Next, I'll head to RSA Conference and finally end the day at a business dinner with my boss and a Symantec business partner.

Black Hat

One of the best things about being one of the first speakers to present at a conference is that it's possible to actually pay attention to the the other talks. ;-)

While there were several good talks, I highly recommend watching two: Bryan Sullivan's "Hey You, Get Off Of My Cloud: Denial of Service in the *aaS Era" and Tom Brennan, Ryan Barnett's "Checkmate with Denial of Service".