Read the Community Blog

Updated Pattern Naming Convention

The pattern naming convention has been changed to [SP-xxx: Name of area Pattern], where SP stands for Security Pattern. For example, SP-019: Secure Adhoc File Exchange Pattern.

This allows all patterns to be uniquely referenced, with version information held within the pattern itself. It also means that the patterns are easier to read through in the library, and we can use the same directory structure when working on them offline.

Uniquely ID a browser via fingerprint

How unique and traceable is your browser? A lot more than you realise. This research project from the EFF looks at various characteristics from your browser strings and, in my case when I checked, uniquely identified me among the 1 million plus tests done so far. Interesting privacy implications, given that some companies on the web are starting to use this to track users uniquely across sites.
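To put a number on "how unique is your browser", here is an added Python example (not part of the original post and not the EFF's code) that applies the same idea the research uses: each browser characteristic is an observation, and its identifying power is measured in bits against a population. The population below is constructed for illustration; the attribute names and values are assumptions, not real measurements.

```python
import hashlib
import math

# Constructed sample population: one dict per browser, holding the kind of
# characteristics a fingerprinting study compares. All values are made up.
POPULATION = [
    {"ua": "Firefox/3.6 Win", "plugins": "Flash,Java", "fonts": "Arial,Verdana", "tz": "0"},
    {"ua": "Firefox/3.6 Win", "plugins": "Flash,Java", "fonts": "Arial,Verdana", "tz": "0"},
    {"ua": "Firefox/3.6 Win", "plugins": "Flash", "fonts": "Arial,Verdana", "tz": "-5"},
    {"ua": "Chrome/5 Win", "plugins": "Flash,Java,PDF", "fonts": "Arial,Tahoma", "tz": "0"},
    {"ua": "Chrome/5 Win", "plugins": "Flash,Java,PDF", "fonts": "Arial,Tahoma", "tz": "0"},
    {"ua": "Safari/5 Mac", "plugins": "Flash,QuickTime", "fonts": "Helvetica", "tz": "-8"},
    {"ua": "Firefox/3.6 Linux", "plugins": "", "fonts": "DejaVu", "tz": "1"},
    {"ua": "IE/8 Win", "plugins": "Flash,Java", "fonts": "Arial,Verdana", "tz": "0"},
]


def fingerprint(browser):
    """Collapse all characteristics into one stable identifier (hash of the joined values)."""
    joined = "|".join(browser[k] for k in sorted(browser))
    return hashlib.sha256(joined.encode()).hexdigest()[:16]


def surprisal_bits(value, values):
    """Bits of identifying information carried by `value`: -log2(P(value)) over the population."""
    count = sum(1 for v in values if v == value)
    return -math.log2(count / len(values))


def identifying_bits(browser, population):
    """Surprisal of the combined fingerprint, plus each attribute on its own.

    The per-attribute bits do not simply add up to the total: attributes are
    correlated (a user agent largely predicts the plugin and font lists), so
    summing them overstates how identifying the browser really is.
    """
    fps = [fingerprint(b) for b in population]
    total = surprisal_bits(fingerprint(browser), fps)
    per_attr = {k: surprisal_bits(browser[k], [b[k] for b in population]) for k in browser}
    return total, per_attr


def is_unique(browser, population):
    """True when no other browser in the population shares this fingerprint."""
    fp = fingerprint(browser)
    return sum(1 for b in population if fingerprint(b) == fp) == 1


if __name__ == "__main__":
    for b in POPULATION:
        total, per_attr = identifying_bits(b, POPULATION)
        print(f"{b['ua']:<20} unique={is_unique(b, POPULATION)!s:<5} {total:.2f} bits", per_attr)
```

In a population of eight, a fingerprint shared by two browsers carries 2 bits (one in four), while one seen only once carries the maximum log2(8) = 3 bits; the EFF study reports the same quantity over a far larger population.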

How to hack an ATM

Just read an interesting article on Ars about hacking ATMs at the recent BlackHat conference.

Reading it reminded me how important the basic foundations are in IT security. Get the physical security right first: in this case the ATMs all used the same $10 security key, available from eBay, to increase usability. Then make sure you properly test before you release your software, product or system. The hack on one machine could have been stopped by reducing the attack surface and disabling the remote access facility, or by ensuring that only signed code could run.

It's not secure if you haven't tested!

New pattern modules

We are in the process of revising the patterns in the library to ensure they are consistent, and simplify where possible. One idea is that we should create a few additional modules to reduce the number of controls that are specified on each pattern.

The set of modules could be:

  • DMZ - new module to show a standard DMZ environment for hosting applications or connections to untrusted networks or systems
  • High Security Network Zone - new module to show a high security environment for hosting sensitive applications such as Finance and HR systems, Payment processing, Source code repository etc.
  • Information Security Management System - new module for the baseline controls required for IS management of the environment
  • Client - existing module that shows the baseline set of controls for clients
  • Server - existing module that shows the baseline set of controls for servers

Hoping to make some progress on these in the next month or so. Drop us a line if you want to contribute.

Small addition to the icon library

Finally got around to adding the padlock item to the icon library. Not very exciting, but I thought I'd mention it :-)