Staying Safe on the Internet


Just in time to catch the last few days of National Cybersecurity Awareness Month, my long-time colleague and friend John Bennett has written a helpful and inexpensive ebook about staying safe on the Internet for lay people. Its name is Safety Net, and it is available for the Kindle here:

I was one of the reviewers and I think John did a great job of covering the essentials for Internet safety, and explaining how the bad guys think and work to steal your money and your personal information. I highly recommend it.

Disclaimer: John interviewed me for the book, so I may gain publicity for my consulting practice as a result of your purchase, and he and I are discussing other information that we might publish together in the future. I do not receive any part of the money that you pay for the book, however.

Product Security Reviews – Where To Start

If your development team is reviewing your product for security vulnerabilities, start where everyone else’s products are vulnerable. In work funded by the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), MITRE Corporation maintains the Common Weakness Enumeration (CWE), a formal list of software weakness types. It was created to:

  • Serve as a common language for describing software security weaknesses in architecture, design, or code.
  • Serve as a standard measuring stick for software security tools targeting these weaknesses.
  • Provide a common baseline standard for weakness identification, mitigation, and prevention efforts.

Each year, MITRE publishes the Top 25 Most Dangerous Software Errors, a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list is now available:

2019 CWE Top 25 Most Dangerous Software Errors

Lessons Learned Operating Uber’s Payment System

Gergely Orosz wrote this article on the lessons he learned operating Uber’s payment system. I enjoy reading about other people’s experiences and perhaps you do as well. Some of the things that Gergely presents here resonate with my experiences running systems for Cengage Learning and InSpeed Networks, and performing reviews of the systems of my consulting clients. At least a few of these lessons I learned operating nuclear power plants on submarines in the Navy. Yes, I still have the scars, both mental and physical.

Operating a Large, Distributed System in a Reliable Way: Practices I Learned

HTTP Security Headers and Security Scorecards

If you wander around the exhibition floor of your favorite Information Security conference, you will certainly find companies that sell a security scorecard service for web applications and web sites in general. My first question to these folks is always “how do you score the sites?” In this handy article, Charlie Belmer explains the connection between HTTP Security Headers and Security Scorecard scores, and provides a convenient reference to HTTP Security Headers as well.

HTTP Security Headers – A Complete Guide
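To make the header-to-score connection concrete, here is an added example (my own illustration, not code from the post or from Charlie Belmer's guide) that grades a captured set of response headers the way a scorecard service might. The header set, the weights and the per-header pass criteria are all assumptions chosen for illustration.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample of response headers for an assumed host; not real data.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Server": "Apache/2.4.41 (Ubuntu)",
}

ONE_YEAR = 31536000  # seconds; a common minimum for an HSTS max-age

def hsts_points(h: Dict[str, str]) -> int:
    """Full credit only when HSTS is present with max-age of at least a year."""
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    return 25 if m and int(m.group(1)) >= ONE_YEAR else 0

def csp_points(h: Dict[str, str]) -> int:
    """A CSP earns half credit; one that does not allow inline scripts earns full."""
    csp = h.get("content-security-policy", "")
    if not csp:
        return 0
    return 10 if "'unsafe-inline'" in csp else 20

def nosniff_points(h: Dict[str, str]) -> int:
    return 15 if h.get("x-content-type-options", "").lower() == "nosniff" else 0

def framing_points(h: Dict[str, str]) -> int:
    """Clickjacking defence via X-Frame-Options or CSP frame-ancestors."""
    xfo = h.get("x-frame-options", "").upper()
    return 15 if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in h.get("content-security-policy", "") else 0

def referrer_points(h: Dict[str, str]) -> int:
    return 10 if h.get("referrer-policy") else 0

def server_points(h: Dict[str, str]) -> int:
    """Lose the points when the Server header discloses a version number."""
    return 0 if re.search(r"\d", h.get("server", "")) else 15

CHECKS: List[Tuple[str, Callable[[Dict[str, str]], int]]] = [
    ("HSTS", hsts_points), ("CSP", csp_points), ("NoSniff", nosniff_points),
    ("Framing", framing_points), ("Referrer", referrer_points), ("Server", server_points),
]

def score_headers(headers: Dict[str, str]) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (total out of 100, per-check points). Header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [(name, fn(h)) for name, fn in CHECKS]
    return sum(p for _, p in findings), findings

if __name__ == "__main__":
    total, findings = score_headers(SAMPLE_HEADERS)
    for name, pts in findings:
        print(f"{name:9} {pts:3}")
    print("score:", total)
```

The sample set scores 65: it loses points for the `'unsafe-inline'` script source, the missing Referrer-Policy and the version-revealing Server header, which is exactly the kind of gap a scorecard report will flag.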

Sleep Deprivation

Sailors and other military personnel. Medical residents. Students. Truck drivers. Software developers. All are known to experience extended periods without sleep, required by their jobs or circumstances. Others can’t sleep even when they want or need to. But lack of sleep can have serious implications for the affected individual and for those around them, and often, the sleep-deprived person doesn’t even realize that they are performing at a sub-par level.

How to Sleep

What’s happening here?

Since June 1995 I’ve operated my own domain on the Internet. Running web, email, and DNS servers has turned into a full-time job, at least if you want them to be reliable and secure, and I already have a full-time job. During the month of December 2013 I am shutting down my servers and moving to commercial providers in order to spend more time with my family, and not have to make hard choices when hardware fails or critical patches are released. What you see here is the new web presence, hosted by WordPress.