Product Security Reviews – Where To Start

If your development team is reviewing your product for security vulnerabilities, start where everyone else’s products are vulnerable. In work funded by the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), MITRE Corporation maintains the Common Weakness Enumeration (CWE), a formal list of software weakness types. It was created to:

  • Serve as a common language for describing software security weaknesses in architecture, design, or code.
  • Serve as a standard measuring stick for software security tools targeting these weaknesses.
  • Provide a common baseline standard for weakness identification, mitigation, and prevention efforts.

Each year, MITRE publishes the Top 25 Most Dangerous Software Errors, a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list is now available:

2019 CWE Top 25 Most Dangerous Software Errors

Lessons Learned Operating Uber’s Payment System

Gergely Orosz wrote this article on the lessons he learned operating Uber’s payment system. I enjoy reading about other people’s experiences and perhaps you do as well. Some of the things that Gergely presents here resonate with my experiences running systems for Cengage Learning and InSpeed Networks, and performing reviews of the systems of my consulting clients. At least a few of these lessons I learned operating nuclear power plants on submarines in the Navy. Yes, I still have the scars, both mental and physical.

Operating a Large, Distributed System in a Reliable Way: Practices I Learned

HTTP Security Headers and Security Scorecards

If you wander around the exhibition floor of your favorite Information Security conference, you will certainly find companies that sell a security scorecard service for web applications and web sites in general. My first question to these folks is always “how do you score the sites?” In this handy article, Charlie Belmer explains the connection between HTTP Security Headers and Security Scorecard scores, and provides a convenient reference to HTTP Security Headers as well.

HTTP Security Headers – A Complete Guide

Sleep Deprivation

Sailors and other military personnel. Medical residents. Students. Truck drivers. Software developers. All are known to experience extended periods without sleep, required by their jobs or circumstances. Others can’t sleep even when they want or need to. But lack of sleep can have serious implications for the affected individual and for those around them, and often, the sleep-deprived person doesn’t even realize that they are performing at a sub-par level.

How to Sleep

What’s happening here?

Since June 1995 I’ve operated my own domain on the Internet. Running web, email, and DNS servers has turned into a full time job, at least if you want them to be reliable and secure, and I already have a full time job. During the month of December 2013 I am shutting down my servers and moving to commercial providers in order to spend more time with my family, and not have to make hard choices when hardware fails or critical patches are released. What you see here is the new mellis.com web presence, hosted by WordPress.