InfoSec aXioms

I submitted a talk about hacking electric cars charge stations to HackInTheBox in Amsterdam and was accepted. This is when the troubles started. Speaking in a hacker conference is a commitment. I could not just talk about the theoretical weaknesses but really needed to find some juicy stuff.

I had to find real hacks...

After talking so much about application security, I decided to depart from the tried and true and venture into the unknown. At HackInTheBox 2013 in Amsterdam on April 10^th and 11^th I will talk about the security of one of the most important applications we use, our electric grid. Grid security is a wide subject and I will focus on a more specific subject: the security aspects of charging an electric car.

On Feb 12th we will be holding a WAFEC (Web Application Firewall Evaluation Criteria project) panel as part of an OWASP Israel meeting. You can join the panel remotely using OWASP gotomeeting services.

Register here.

In recent weeks I have met several companies focusing on innovating security intelligence. Those encounters brought up an interesting challenge facing such innovations: in most cases innovators have a good idea but find it too expensive to build the required infrastructure. There is no use for an icing for a cake you cannot bake after all.

What are the possible solutions? How productizing innovation actually works? can it be improved?

A recent thread labeled “vulnerability solution” on the SecurityFocus WebAppSec mailing list provides an insight into how much we know or care about information security. Mohamed Ali Ahmed asked about a vulnerability scanner that covers multiple use cases: applications, web applications, databases and platforms.

The answer is far from simple however most answers on the list were single word recommendations for tools that would not provide the solutions. Why so?

Great ideas are critical for innovation, however a common caveat often associated with an ideation process is the lack of systematic analysis of the idea following the initial ideation phase. As good and productive ideators are often also charismatic in selling the ideas, this critical step is often skipped.

A good example from the application security field is new program for software security apprenticeship suggested by Mark Curphey. Mark is the founder of OWASP, one of the more intriguing information security user communities out there, so we should probably hear what he has to say about a community project to make application more secure.

Or should we?

Two classic paradigm shifters from very different disciplines but only three years apart, offer us insight into the role that each and every one of us has in providing security. While those 60s classics focus on physical security, their lesson may apply to cyber security as well.

Within a day I read two very different and intriguing articles based on the same underlying assumption, namely, that there are problems that don’t have a solution because they are not really problems.

Are there such problems? Does Maxwell Wessel, a Harvard Business Review blogger, claim that large companies do not need to innovate because they excel in efficiency hold true for information security vendors?

Next week will be a busy talking week for me with 4 talks at HP Protect and another one at Source Seattle.

Last month I presented at OWASP AppSec EU in Athens a presentation about correlations and their role in application security. You can find the presentation here.