Movie: Rotor DR1

High-revving race drones in a dystopian world.  Geek out, drink beer, and get your drone fix; at $2.99 USD it’s a bargain.  I’m looking forward to watching this movie.  Enjoy!

My OWASP Board of Directors Candidacy, Time to Vote!

I received my OWASP ballot this morning.  If your membership is up to date you will receive yours soon.  It’s time to vote for your favorite OWASP board members.

I am running for the OWASP 2015 Global Board of Directors.  I have been laying low for most of the election process, mostly because fishing for ballots is a form of self-promotion that I find distasteful, and I think others do as well.  However, I was speaking recently with a friend, current OWASP board member and project lead Matt Konda, at AppSecUSA 2015.  Matt mentioned something about the election process that I took to heart.  In a nutshell, he said I’m thinking about the election process all wrong.  Don’t think of the election process as a self-promotion effort; instead, give your friends an opportunity to help.  Your friends would like to see you succeed and they are in a position to help spread the message.  You should provide them an ‘opportunity’ to assist if they wish.  By remaining silent you don’t provide them any opportunity to help you.  Matt could make a really great lawyer if he ever wants to move out of security.  But seriously, he makes a good point.  I help my friends, so I should at least provide an option for friends that want to help me.  And if you’re not interested in assisting at all, no worries.  If you want to learn about my views for OWASP, check out my interview with Mark Miller on SoundCloud.

If there is anything you would like to do to help me succeed, I can use the assistance.  For those interested, there are a few ways you can help.  Send a message to fellow OWASP members and encourage them to vote for me if they don’t have a candidate in mind:
– Twitter, LinkedIn, Facebook, etc.
– A small blog post
– Emails to your friends (perhaps a little over the top, but up to you)

I can’t think of other ideas offhand.  A closing thought on other board candidates.  We are all competing for 4 open board seats.  Most of us know each other.  You have a great bunch of OWASP candidates to choose from regardless of how you vote.  It’s a privilege to help whether I serve on the board or not.

EU-US Safe Harbor Ruled Invalid

You may be hearing about the EU-US Safe Harbor discussion in the news.  At risk is multinational companies’ ability to store and process EU data in the US.  Companies like Apple, Facebook, and Google provide EU services through computers located in the US.  Data is sent from the EU to the US under the auspices of the EU-US Safe Harbor agreement.

On October 6, 2015, the Court of Justice of the European Union (ECJ) ruled the Safe Harbor agreement invalid, which places all EU data sent to the US in jeopardy.

“…the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country” [4] Court of Justice of the European Union

The ECJ recommended that where protections cannot be guaranteed, the remedy is “suspending the contested transfer of data” [4].  The only way US businesses can guarantee adequate protections for EU data is for the US government to develop laws protecting EU data from US government warrantless surveillance programs.  Without such transparency measures, the only choices for Internet bellwethers are to develop new data centers within the EU for EU data, or to pull the plug on the EU.  Neither option is very tenable for US multinationals or for citizens of the EU.

Even if Internet bellwethers underwrote efforts to build EU data centers, it’s not clear EU data would be safe from US government overreach.  In a developing case between Microsoft and the US government, the government contends it has the right to demand the email of anyone in the world so long as the provider is headquartered within the US [6].  Presumably, the legal precedent established for email would apply more broadly to all data.  For interested readers, I have been covering developments in this area over the last couple of years [1][2].

[1] Securitycurmudgeon.com, Balkanization of US Products and Service Technology Accelerates
[2] Securitycurmudgeon.com, A Crisis of Confidence Costs Real Money
[3] The Register, US tries one last time to sway EU court on data-slurping deal
[4] Politico.eu, Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015 [pdf]
[5] Reuters, Europe-U.S. data transfer deal used by thousands of firms is ruled invalid
[6] Guardian, Microsoft case: DoJ says it can demand every email from any US-based provider

Image: Wikipedia, EU Flag

Iron-Clad Java Book Blooper

About a year ago I helped some friends on a security book project, Iron-Clad Java: Building Secure Web Applications (Amazon).  As we were winding down the project we received some early printed copies of the book from the publisher.  I remember the feeling of seeing the project in printed form.  However, when I began flipping through the pages I noticed the Foreword was missing.  A missing foreword is not a big deal.  Still, security is a really tough job for many of us.  I thought the foreword helped to call out some of the industry challenges while still keeping an encouraging message.  Following is the missing book foreword and our blooper.

***

The greatest challenge in product security today is the fact that security quality is difficult for consumers to evaluate.  A product with little security design consideration and a weak security posture discloses few, if any, outward signs of being insecure.  Software security, like performance and scalability, cannot be effectively evaluated visually and requires specialized tools and training.  In a vacuum, consumers often mistakenly assume strong positive product safety unless news surfaces to shake that confidence.  As a result, with ever-increasing pressure on business leaders to be more competitive and deliver more value to customers, security is frequently marginalized in favor of delivering more direct features with tangible business value.  There’s little incentive to pursue security excellence when consumers assume it already exists.  All too often, businesses roll the dice and short product security, explaining away incidents when they occur with excuses like: “hackers are becoming more sophisticated”, “security is too difficult a problem to solve”, or “everyone has bugs”.  As the number and severity of security incidents increase, the public’s patience for excuses wears thin.  Consumers are demanding more secure information systems and more accountability from business leaders and governments.  Product security claims are no longer accepted at face value.  As we transition from an era of plausible deniability to one of accountability, leaders are increasingly motivated to deepen their security investments.  In the end, strong security is a choice, and it always has been.  Security excellence is no accident.  It’s purposeful, requires dedication, and role-appropriate education is essential to success.

In this book, Jim Manico and August Detlefsen tackle security education from a technical perspective and bring their wealth of industry knowledge and experience to application designers.  A significant amount of thought was given to including the most useful and relevant security content for designers to defend their applications.  This is not a book about security theories; it’s the hard lessons learned from those who have been exploited, turned into actionable items for application designers, and condensed into print.

One of the things I enjoy most about the field of security is that it’s small and still possible to reach out and touch your heroes.  Jim and August are my heroes, and it’s an honor and privilege to be their technical editor on this project.  The hallmarks of true experts and expert teams are: confident but soft-spoken, good listeners, secure in their abilities, and not afraid to explore the ideas of others.  Teams embodying such qualities produce results like no other, and working in this environment is educational for everyone.  Working on this project with Jim and August was a tremendous privilege.  It’s my sincerest hope you enjoy this book as much as we enjoyed bringing it to you.

Milton Smith

***

I happened to think of posting the book blooper since I noticed the Kindle Edition of the book includes the foreword, and it’s the book’s one-year anniversary – Happy Birthday!  Congratulations Jim, August, Kevin, and crew.