Privacy Activists Are Cheering For The NSA Ruling, But It Won't Be A Lasting Victory

Privacy is on trial in the United States. Legal activist Larry Klayman asked US District Judge Richard J. Leon to require the NSA to stop collecting phone data and immediately delete the data it already has. His argument was that US citizens have a right to privacy and this is a violation of the Fourth Amendment of the Constitution protecting citizens from illegal search and seizure. Monday's ruling that this practice is unconstitutional has privacy activists cheering in the streets, but it will not be a lasting victory.  

In the United States, there is not a single privacy law on the books. (You can argue that HIPAA is a privacy law, but nuances exist that can lessen its impact.) What is protected has come from judgments based on the application of the Fourth Amendment regarding search and seizure. US citizens were given "privileges,” thanks to Richard Nixon, which say we have an expectation of privacy when using a phone, which basically means that the government has to get a warrant for a wiretap. (It’s worth noting that in the UK, they don’t get that privilege.)

Data is up for grabs. And everyone is grabbing.

Read more

And They're Off . . . The Mobile Security Dog Race Has Begun!

There is a 14-dog race going on, with a goal to win the wallets of the enterprise for mobile security spend. When lined up in the starting blocks, the racers may all seem to have equal chances, but a few are better poised to cross the finish line first and bask in the glory of the winners' circle. Three of these technologies are the odds-on favorites to lead from start to finish, with the rest of the racers struggling to remain relevant.

Coming off the starting block with the "holeshot" are the mobile device management vendors. With huge engines of revenue, large customer counts, and first-mover advantage, this dog is the odds-on favorite to take the championship trophy. Mobile device management vendors are already expanding their technologies and products into security platforms to diversify their rapidly commoditized product offerings. The move is paying off for the biggest and toughest MDM participants in the race, giving them the early, and potentially insurmountable, lead.
Read more

You Can’t Outsource Accountability

Needless to say, Indian service providers pioneered and developed the outsourced software development space; currently, they generate a combined $3.2 billion of revenue annually. Although Indian software service providers claim high standards, it is apparent that there are still weaknesses in their delivery. I just published a report that highlights the main culprits for this: a lack of executive commitment, poor application coding, and the industrialization of software development:

  • Poor application coding persists despite lessons learned. The security vulnerabilities are hardly obscure: More than two-thirds of applications have cross-site scripting vulnerabilities, nearly half fail to validate input strings thoroughly, and nearly one-third can fall foul of SQL injection. Security professionals and software engineers have known about these types of flaws for years, but they continue to show up repeatedly in new software code.
  • A lack of executive commitment within outsourcing firms leads to poor security. Although most of the service firms’ executive leadership teams mean well, few appear to grasp the true potential for security breaches at their customers, the implications of those breaches, and the part that the outsourced partner must play in preventing them.
  • The industrialization of software development expands the attack surface. Development on an industrial scale can put clients at significant risk. In some cases, offshore development centers serve multiple clients but lack effective network segmentation.
Read more

Application Security Wave Prequalification Announcement

Image Courtesy of VladStudio http://vladstudio.deviantart.com/We are about to kickoff a Forrester Wave on Application Security Testing. The focus of this Wave is on both static application security testing (SAST) as well as dynamic application security testing (DAST) offerings. This Wave will cover both tools and SaaS based delivery methods. What does this mean for you?

  • Vendors:  If you feel that your solution applies to this Wave, please contact us and let us know that you'd like to be sent the prequalification survey.  We will be limiting the number of vendors participating in this evaluation. 
Read more

Asia Pacific Governments Must Learn From Recent Cyberattacks

The digital age brings some inherent security risks, like cyberattacks and hacking, that can have a significant impact on governments. The governments of Singapore, Philippines, South Korea, India, and Japan are some of the recent major victims — and the list is growing by the day.

Why are Asia Pacific (AP) governments a soft target for cyberattacks?

  • Aging, vulnerable infrastructure. Many servers that host critical government websites still run outmoded operating systems and are plagued by problems such as obsolete software and insecure coding, making them vulnerable to cyberattacks. For instance, only a handful of government computers in India use the latest version of Java; more than three-quarters of them are running unsupported versions of the software, which has been a common target for malware since 2010.
  • Low adoption of advanced security technology coupled with lack of security expertise. Governments still rely on conventional security controls like antivirus, antimalware, and firewalls that are powerless against sophisticated attacks. The problem is exacerbated by the fact that governments lack highly skilled personnel to combat cyberattacks effectively.
Read more

Centrify Cloud SSO marks the beginning of mobile device manufacturers getting into the IAM space

Centrify's new Cloud SSO portal is much like the competition: Okta, OneLogin, Ping, Symplified, SecureAuth, i.e. the ones that we looked at in our Cloud IAM Wave. 

What's really interesting about this offering is that Samsung KNOX OEMs the client side mobile application for SSO for its high-end devices. Forrester predicts that Apple (with its consumer fingerprint reader already making inroads into authentication) and others (Windows Phone, etc.) will follow suit and offer cloud based IAM and SSO services.