Archive for the ‘Uncategorized’ Category
Security issues with Google Docs
Posted in security, tagged google, Google Docs, privacy on March 26, 2009 | 20 Comments »
[Update 11/13: Please see my follow-up to these issues.]
[Update 3/26: I'm now in contact with Google Security.]
[Update 3/28: I'm aware of Google's official response to the issues raised in this blog. I am continuing to share my findings with Google Security and appreciate the excellent feedback they are providing me. It would be premature for [...]
Chinks in the Armor
Posted in security, tagged defense in depth, xss on March 23, 2009 | Leave a Comment »
Defense-in-depth is a cornerstone of any information security strategy. Corporate networks are routinely segmented into various zones such as “public”, “DMZ”, “extranet” and “intranet” to contain sensitive information deep within several protection domains. Failure of one control should not compromise the entire system.
Defense-in-depth is everywhere. Border routers filter spoofing attacks. The firewalls behind them enforce [...]
Security Compliance
Posted in security, tagged audit, compliance on March 22, 2009 | Leave a Comment »
Having served on a national information security standards working group, I’m keenly aware that compliance is a major driver — if not the primary driver — for security initiatives today.
Compliance rules work best when the threat for inaction is tangible and immediate. Usually, the threat is “we will fail external audit unless we comply with [...]