Making a "Linux Foundation" for Cryptography Libraries

One of the things that the recent Heartbleed bug really should alert us to is the fact that our crypto libraries need work. On the one hand, we know that trusting a crypto library developed by a single company is probably a bad idea - such a library gets fewer eyes on it performing code reviews, and the company also may not be motivated to immediately fix vulnerabilities it is aware of. On the other side of the coin, we have open source libraries, most notably at the moment OpenSSL, which lack the resources available to a large company to drive development.

Why Engineers Should Care About Security Too

Your product. Cute little kittens in cups. Don't let the cute kittens get hurt, think about security!

Book Review: RESTful Web APIs by Leonard Richardson and Mike Amundsen

For the past few months, much of my time has been absorbed by my senior design project at UAH. Setting aside the specifics of what my group and I are working on, the design calls for a web service that has an open API to allow for the simple creation of new clients. Looking at the options, it was quickly obvious that we wanted to approach the API design with a RESTful architecture rather than using SOAP, owing to its flexibility and the comparative ease with which a new client can be implemented to use a new RESTful API.

Survey of Automated Malware Identification Systems

This summer I took a course on artificial intelligence, and wrote a research paper on automated classification of malware.

The paper isn't the best written in the world, and has some interesting formatting thanks to the requirement it be formatted in the ACM style, but that being said it includes quite a bit of material on automated malware analysis, as well as references to more in-depth works. With that in mind, I've attached a copy of the PDF to this post.

Book Review: Hackers by Steven Levy

Hackers is Steven Levy's attempt to trace the roots of hacker culture to its beginnings. That is, hackers in the sense of people for whom learning about and building upon technology is a way of life, not hackers in the sense of criminals breaking into computer systems. This is one of those books that everybody seems to feel you ought to read if you are involved with technology. So what's it all about?

Book Review: Version Control with Git by Jon Loeliger and Matthew McCullough

Version Control with Git is pretty much what you would expect, a book all about using Git as a version control system.

Book Review: CODE by Charles Petzold

CODE takes a reader from humble beginnings of communications using flashing lights, to telegraphs and the invention of the relay, to a (relatively) modern computer by the end of the book, making many stops along the way to detail each stage of the evolution of a modern, digital computer. At first glance this may seem a bit useless - why learn about Morse code or Braille when ASCII or Unicode is far more relevant? Why talk about using old technology like relays when integrated circuits are far superior?

Book Review: Security Engineering by Ross Anderson

Security Engineering is all about designing and building secure systems. Unlike many security books, this one attempts to cover the entire range of security engineering, ranging from cryptography, access control and similar technologies, into security policy, and even into the macro scale of governmental policies. Of course, this is a massive set of subjects to try to cover in a single book, and indeed, Security Engineering weighs in at a little over one thousand pages (though nearly 100 of them go to the bibliography), spread out over 27 chapters.

Book Review: Threat Modeling by Frank Swiderski and Window Snyder

Threat modeling is something that probably should be done whenever developing a complex system, especially software, but all too often isn't. In part this deficiency is caused by lack of knowledge about threat modeling - not many people are talking or writing about it. Much of what is written about threat modeling lacks consistency.

What's the Difference Between a Threat and a Vulnerability?

Not long ago I was working on a threat modeling project, and found that I was rather confused by the distinction between a threat and a vulnerability. This might not seem like a big deal at first, but since the two are dealt with at different stages in the risk assessment process, and vulnerabilities depend on threats, it is critical to have a good understanding of the two.

Subscribe to Eugene Davis RSS