Posts

But did you even READ the policy?

-
If you work in a company, almost any company, you have obviously read all the security policies. At least, you have signed off that you have read all the policies, because that’s part of the required annual security training. “Sure, yeah, I read all of them. I know where they are anyway. I think.” There are two reasons why every annual mandatory security training requires you to read the policies. First, you’re actually, you know, supposed to follow them. It’s probably hard to do that if you don’t read them first. Second, so the company can fire you if you fail to follow them. Then again, I haven’t read the Revised Code of Washington, and I have to follow that too, so what’s the point? When you sign off agree to the “…up to and including termination” part at the bottom of most policies. In our legal system this isn’t necessary because of the common law principle of ignorantia juris non excusat —Ignorance of the law is no excuse. This principle is fundamental to the system and in polici...
Post a Comment
Read more

The 5GL Is Here. It’s Vibe Coding, And It Will Harm Your Business.

-
When I was in graduate school an exciting area of research in Computer Science, and especially in Information Systems was how fourth generation languages (4GL) would enhance developer productivity and reduce bugs and rework. 4GLs, like SQL and PHP, offer a higher level of abstraction that allow developers to focus on what they are writing, rather than spending most of the time on how, as in 3GLs (such as Rust, C/C++, Java, Perl, and so on). Today, we have a 5GL, and few people seem to even think of it as a 5GL, or even as a language. Guess what? It is English, or any other natural language you type into an LLM to produce 3GL or 4GL code. Every day, millions of people are typing 5GL  into a vibe coding front end to a Large Language Model (LLM) and out comes 3GL code that in many cases the person who typed the prompt cannot read and understand. This is a critically important moment for Security Professionals and Executives because it upends everything we thought we knew about softwar...
Post a Comment
Read more

Warning: Regulations May Harm Your Security

-
Like many of you, I have spent decades trying to devise security controls that comply with various regulatory requirements. In some cases, they are actual regulations, like FINRA 17a-4, GDPR, HIPAA, NYDFS Part 500, and PCI DSS. In other cases, the regulation is an industry standard to demonstrate adequate controls to business partners and customers, such as NIST CSF and SOC 2 Type II; or a requirement for some customers, such as FedRAMP. While every one of these is well intended and they all have some requirements that are sensible, they also have the potential to cause harm, primarily in one of two ways.  Regulatory Compliant Does Not Mean Secure Regulatory compliance is often presented as a voucher or certification. Management often celebrates that we “passed our certification”. First, most of the regulations are not actually certifications. For instance, as a merchant, you are not “certified” under the Payment Card Industry (PCI) Data Security Standard (DSS). You are assessed,...
Post a Comment
Read more

Single Sign-On

-
There are two kinds of organizations. Those that manage their single sign-on (SSO) system, and those that let their users manage their SSO. The other day I was in a discussion with a number of security leaders about how important identity management is to your security strategy. Obviously, everyone agreed that identity is very important. After all, if you don’t have a strong identity strategy pretty much no other component of your strategy will be strong. There is a reason that the first function of the NIST CSF is Identity.  However, the discussion then turned to SSO and whether it didn’t constitute putting all your eggs in one basket, and whether doing so is a good idea. Yes. SSO does constitute putting all your eggs in one basket. But, that is a good  thing. Why? Because you, as a security leader control  that basket. You know where it is. You know how it is configured. You have already required strong multi-factor authentication (MFA) on it. (You have right? If not, s...
2 comments
Read more

Electric Car Charger Basics

-
Congratulations on your electric car purchase, or at least thinking about it. The first thing you need to learn about driving electric is that your car is nearly always going to be fully charged when you go to use it, because you will plug it in as soon as you get home. Unlike a car with an internal combustion engine (ICE), where the first thing you do is check how much fuel you have, with an electric car, you just go, because it is nearly always fully charged! The second thing will learn is that you don’t need to fully charge the car. You just need to charge it enough to get to where you can charge it next. This is very different from an ICE vehicle where you nearly always fill it up. Because you can plug in almost anywhere (there are 800,000 charging stations in the US for instance) you don’t really ever worry about it after the first two weeks of driving electric. Charging Standards The great thing about standards is there are many to choose from. Electric car charging is no differe...
Post a Comment
Read more