Poll Time – What One Problem in Web Security Do You Want to Fix?
It is poll time. Doing a little planning and trying to figure out what people view as the biggest architectural weaknesses on the web security wise. I'm mainly focused on things within HTTP and HTML/JS/CSS themselves, not things at the TLS layer. There is a small poll on the right hand ...
A quick clarification on HSTS (HTTP Strict Transport Security) policy on non-standard ports
Been having an interesting blog comment and Twitter discussion with John Wilander. He wrote a post and some tweets and even filed a Mozilla bug against the HSTS behavior in FF-4. I posted this to his blog, but thought I'd post it here too. Essentially there is some confusion about how HSTS works, ...
New Role – Internet Standards and Governance
Not that I expect everyone to watch my job title changes, but I recently made one and figured I'd go ahead and blog about what I'm working on these days. For the past 2+ years I've been running the Secure Development Program at PayPal. This involves rolling out secure development methodology, ...
Bank Fraud Detection Must Balance False Positives and False Negatives
Krebs posted this morning about commercial bank customers again and Gunnar also picked up on the theme. In Krebs' piece he quotes the customer saying: "When I first talked to the bank, my question to them was, ‘We’ve always done the same five payroll transactions a month, this was outside the norm, ...
Laws of Supply and Demand Still Apply in Software Development
I read Gunnar's post the other day "Still Waiting to Meet a Developer Who Wants to Write Insecure Code" and he echoed something I've also been saying for a long time. In all of the training events I've ever done, times I've worked with developers, I've rarely met a developer ...