#88 Aaron Bedra, Threat Modelling

Summary
Aaron Bedra talks to me about threat modelling, why you should do it and what to cover.

Details
Who he is, what he does. What is threat modeling and how he approaches it. Types of security, loss of money, loss of life. Should you secure something if it is not valuable. Are we in a post security world? How often your site is attacked. How to decide what to protect. Regulations and breaches. How to protect your system, watch for outgoing data. How to build secure software from the start (it starts with a hug from Aaron!). Hashed passwords are not as secure as you think. Encryption and input validation. How to check third party libraries. Better software practices lead to better security. How much security is enough, "if you are investing more than you could lose, you're doing it wrong".

Links
Aaron's homepage

Download mp3 of podcast

#48 Peter Waegemann, Security in the Medical Industry

Summary
Peter Waegemann, author of Knowledge Capital in the Digital Society, and I discuss security in the medical industry and why he advocates for less privacy.

Details
Who he is; Peter's background; overview of security in the medical field, more secure than the media suggests, less secure than it should be; Peter's views on privacy/security have changed over the years; why he was booed off stage; fear of breaches vs reality of damage done; the importance of data integrity; how privacy adversely affects outcomes; what the laws or regulations should look like; wrap up.

Download mp3 of podcast

#17 Robert Hurlbut, Software security

Summary
Robert Hurlbut and I discuss various aspects of software security.

Details
Background, why security isn't thought about enough, out-of-the-box security with MVC, XSS, CSRF, model binding and parameter tampering; HTTPS everywhere or just on parts of a site; Microsoft improving security, open source issues, inclusion of open source in hardware security devices; unmanaged code in web apps; typical weaknesses in software, password security; software review process, threat models, code reviews, fuzz testing; healthcare security, medical devices, attack vectors, Barnaby Jack, how to build secure devices; finding good security professionals, conferences and tradeshows; books; don't roll your own security; Robert's presentation at Boston Code Camp.

Book Recommendations
Iron-Clad Java: Building Secure Web Applications

Writing Secure Code (2nd Edition) (Developer Best Practices)

Software Security: Building Security In

#15 Linus Olsson, Hemlis project

Summary
Linus Olsson of the Hemlis project discusses what Hemlis is, why they are building it and how it works.

Details
Linus and I discuss his background, what Hemlis is and why build it; open source; the need for security and privacy, does encryption make you a target, good encryption vs bad encryption; why trust Hemlis, legal requests for data, would he go to jail to protect users; how it works, public key encryption, easier than PGP, type of encryption, back door on the phone, baseband hacking; open source vulnerabilities; servers, just for relaying, graphs, peer-to-peer not viable; scaling; release date, usability; how to promote your software; pricing, premium features, enterprise solution.

Book Recommendations
The Mom Test: How to talk to customers & learn if your business is a good idea when everyone is lying to you

The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses