Akshay on the business of security

Shrinking Budgets: Application Security Tools vs Process Tradeoff

2009-04-30T08:25:54Z

An all too familiar scene repeated itself two weeks ago. My good friend & CISO of a mid-sized technology company, lets call him Alok, went into a budget planning meeting and came out as a shadow of his former self. To be more precise a 85% version of the Alok that I know. He had just been handed a 15% reduction in budget. Like most managers, Alok, started taking stock of his mini-empire and prioritizing things that he could do without. Luckily he had already expected a cut and so had planned...(read more)

Akshay’s Uncertainty Principle: Observing Some Metrics Changes Them

2009-03-27T04:12:45Z

You’ve probably heard of the famous Heisenberg Uncertainty Principle in Quantum physics. It states “The more precisely the position is determined, the less precisely the momentum is known in this instant, and vice versa.” --Heisenberg, uncertainty paper, 1927 This principle is related to the observer effect. In physics, the term observer effect refers to changes that the act of observation will make on the phenomenon being observed. Ok, now to get to the point. Read more… - Akshay If...(read more)

Response to InfoSec X Prize Part 1

2009-03-06T20:11:00Z

So I’ve been quite amazed by the amount of discussion and feedback i have received from colleagues and peers on my original post on creating fundamental change through competition. I will be posting some of the written replies that I received and which people have kindly consented to having me post. Read more… - Akshay digg_url = "http://blogs.msdn.com/akshay_aggarwal/archive/2009/03/06/response-to-infosec-x-prize-part-1.aspx";digg_title = "Response to InfoSec X Prize Part 1";digg_bgcolor = "#FFFFFF";digg_skin...(read more)

Baking Security In: A Comic Strip View of SDL

2009-02-20T21:07:00Z

So how do you t ake your average developer who scoffs at security from the careless and brash aka Kevin, to the poster child for good development practices aka Kevlarr. Well, the Microsoft SDL team has the answer for you. The team recently started publishing a series of web comics detailing the travails of the dev team at Contoso who are under attack from the League of Malware. Along the way they battle with foes such as Spam Bot and Social Engineer while getting help from Vigil...(read more)

Microsoft IT Solutions: Full Drive Encryption using BitLocker

2009-02-10T21:01:00Z

One of the challenges that I have been focusing my team on this fiscal year has been creating new solutions that leverage the learning that Microsoft IT has had in deploying technology or solving problems. Microsoft IT generally has to deploy new technologies from Microsoft several months before they are generally available for general release in a process known as dogfooding . Often it needs to develop and deploy solutions multiple times as the product cycles through from betas to release candidates...(read more)

Note to Fannie Mae: Dealing with Logic Bombs

2009-02-03T22:05:00Z

Today, it was revealed that a departing contractor left Fannie Mae with a parting gift – a Logic Bomb designed to take 4000 of the financial giants servers & their data. Since this news broke, a number of concerned CIOs have requested my team for some guidance on how to deal with logic bombs. So here is a quick lesson on these malicious attacks. Read more…...(read more)

The InfoSec X Prize: Fundamental Change Through Competition

2009-01-23T01:06:34Z

Today I had a thought provoking conversation with Dr. Peter Diamandis , Chairman and CEO of Zero Gravity Corporation & X Prize Foundation, on radical & fundamental change. Change that advances the status quo rather than relying on incremental change for gradual advance. Arguably the Ansari X Prize (and others in the hopper) have achieved some breakthrough successes. Most notable achievements of the X Prize are: Achieving fundamental advancement in technology using competition driven philanthropy...(read more)

Business During Downturn: The Chain Of Trust

2009-01-22T06:48:43Z

Business during economic downturns brings to the surface the tiny fractures that were unnoticeable during the good times. It is a fertile ground to relearn some of the lessons of the past & form wisdom for the future. I am going to try and capture some of the learning during this new series Business During Downturn . The past few months have convinced me that individuals & organizations that pay close attention to the basics fare better going into a economic downturn. In particular, establishing...(read more)

Meter This: Practical Application Of Power drain Attack

2008-07-26T00:47:53Z

Last week while feeding my caffeine addiction I came across an article in the New York Times titled Can’t Find a Parking Spot? Check Smartphone . In order to reduce traffic congestion and fuel consumption, the city of San Francisco is implementing a new system that will help detect empty parking spots in downtown. Now clearly this is a step in the right direction, both from an environmental and convenience perspective. I have spent a huge amount of time driving around SFO looking for a parking space,...(read more)

My BlueHat Talk

2008-07-15T23:08:27Z

Just got word that my talk Suddenly Psychic: Knowing everything about everyone was accepted at Microsoft's BlueHat Security Conference on October 16-17th. Sometimes when you go blue... you really go blue. Over the course of the next few months my buddy Nitesh Dhanjani and I will be presenting our research on how the business, psychological and behavioral aspects of our virtual and real-world personas impact our security and privacy. In particular, I am excited about two aspects of this talk. The...(read more)

Towards enabling secure infrastructure outsourcing

2008-07-14T18:29:58Z

Many enterprise customers are increasingly evaluating the benefits of infrastructure outsourcing (ITO) to their businesses. In the past year, several CIOs have expressed concerns around the impact to the security and privacy of digital assets resulting from infrastructure outsourcing. In this post I will discuss the business drivers and security concerns around ITO and propose safeguards that enterprises can consider. The drivers for infrastructure outsourcing stem from the impact of global delivery...(read more)

Application Security Development Lifecycle 5A: Is Threat Modeling Right For You?

2008-06-11T18:06:24Z

Several enterprises are increasingly investing time and money in building application security tasks into their existing SDLCs. Some of them have also reached the conclusion that proactive approaches , like threat modeling, have more ROI than reactive approaches. As a result, some enterprises with nascent appsec programs have turned to threat modeling as a panacea for their security problems. However, threat modeling may not be the solution to their immediate problems. Now I recognize that this may...(read more)

OWASP Conference Update

2008-06-09T04:42:40Z

I will be presenting at the OWASP conference in Denver, CO this Tuesday, June 10th. The presentation will focus on the value that organizations especially ISVs can derive from threat modeling of line of business applications. For some time now, I've been brainstorming with my team on the competitive value of proactive security approaches like threat modeling. This presentation will empower business decision makers to make an informed decision on whether threat modeling is right for their business....(read more)

Application Security development Lifecycle 4: Finding the right security talent

2008-06-01T22:45:00Z

After about an hour of nodding his head vigorously in agreement with some of our lessons learnt, my customer jumped up and exclaimed, " Great!! Now where do I find another 20 people like these?" (pointing to my team)... I thought about it a while and so Mr. B here is your answer: Information security education has been pursued by several tertiary education (i.e. universities) for several decades now. In 1999, the NSA got into the act and issued a list of National Centers of Academic Excellence in...(read more)

How Microsoft IT does Secure Application Development: Webcast

2008-05-27T19:20:00Z

Technorati Tags: Conference , SDLC , SDL , IT , ISV I will be discussing Microsoft IT's approach to secure application development, with a special focus on how we integrate security into the IT line-of-business SDLC, in a webcast this Thursday May 29th. This webcast will be part of the Microsoft's IT Manager Webcast series. This series aims to share deep knowledge focused on Enterprise IT orgs and ISVs. Title: IT Manager Webcast: How Microsoft IT does Secure Application Development (Level 200) Register...(read more)