Monday, February 15, 2016

Encryption Debate: The issue isn’t strong crypto; It’s easy crypto

An article by Tozny CEO Isaac Potoczny-Jones at NextGov:
Strong cryptography has been around for a long time, but the user interfaces have been terrible. As a result, most individuals and even software programmers struggle to use them effectively. Over the last few years, we’ve seen a push by technology industry leaders to prioritize easy to use encryption technologies in their products on the front end. This is an enormously positive and important development that expands adoption of secure products.  Backdoors and storing encryption keys don’t strengthen crypto; they weaken it, and the lack of good security in commercial and government products and services has left the United States extremely vulnerable to industrial espionage from determined foreign adversaries.
Read More.  

Saturday, February 13, 2016

The tension between Agile, MVPs, and Security

Here's a great article by George V. Hulme, including discussions with Tozny CEO Isaac Potoczny-Jones about the tension between Agile, MVPs, and Security. See also the complete Q&A with Isaac at CSO Magazine.
The first step is just saying, "We're going to include security in the Agile definitions of done," and once you've at least penetrated that level, which I don't think a lot of people have, then they’re going to at least do the right things. You're either going to start to build it either into the user stories or the acceptance testing. But you can’t leave it to the end of the process. If you leave security acceptance testing toward the end (and naturally your schedule is going to slip) then you'll get to the security testing and find there's a lot more work to do. Then you'll be in this unfortunate decision of either having to fix the security issues and let your schedule slip, or choose to let something go out the door that's not secure.
Read More.