Welcome to Security Crossing


It is easy to lose hope when the press points out the errors and security vendors spread fear, uncertainty and doubt. The reality is that there are people building high quality, secure applications, and I can help you use the practices they use. Make no mistake: building secure applications requires a controlled, proactive effort, but it has been accomplished by organizations of all sizes and budgets. Check out my projects page for a sample of past work. I focus on what it takes to build high quality products; the fact that they are secure too is just a nice bonus.

Typical Security Review Failure Rates

Posted by Ken Graf on January 31, 2009

In a study of 300 applications, the first application security review almost always (92%) resulted in failure. Typically my review was the first time the application had been reviewed for security. After a few weeks to implement process changes and fix bugs, a second review reduced the failure rate to 20%.

A third round of reviews showed that additional applications could pass, but it highlighted SDL and systematic issues in about 8% of all organizations.

Key take-aways:

1) Applications that have not considered security are almost always insecure; this is what the press loves to report.

2) Most applications can readily adopt process changes to become secure; this is the security vendors' little secret.

3) Around 10% of organizations have difficulty implementing the required process changes; there are a variety of factors involved that I would be happy to discuss with you in more detail.

Original paper based on my work for Watchfire:

Massachusetts Data Security Law

Posted by Ken Graf on April 14, 2009

The Payment Card Industry Data Security Standard (PCI-DSS) has received a lot of attention lately, mainly because of organizations that had been assessed as compliant yet were still hacked. Security Crossing can help you both with compliance and with not being hacked.

PCI-DSS gives merchants a compliance blueprint, which includes meeting 6 milestones across the following 12 requirements:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Requirement 5: Use and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Requirement 12: Maintain a policy that addresses information security for employees and contractors.