• Security is quality under attack. Hard-won lessons in software security, from someone who built the programs and wrote the standards.

What`s New

On the use of LLM (“AI”) in security decisions

What will happen if we keep using Large Language Models as the basis of decisions, especially in a field like security? Would taking the statistically average decision from this moment on, at every step, lead to a decay of decision correctness over time, or would it stay stable? The question sits at the intersection of ...

Read More
code library stretching to infinity

AI Software Design Security and Language Choice

Or, rather, the quality of the Artificial Intelligence (AI) generated software in general but it goes for security as well, naturally, since security and quality are but the two sides of the same coin. Software engineers happily embraced the wonderful possibility of being able to program in a natural language – describing the task to ...

Read More

CAST workshop on development security

We are holding our yearly security conference in Darmstadt on the 22nd of March – that’s next week – together with our partners from Fraunhofer SIT and CAST. This time, the focus subject will be DevOps and cloud technologies, including both operations and development preparation for the security in the cloud. The speakers are prepared ...

Read More

A company with an SQL injection name

Finally, someone registered a company that is an SQL injection attack. We saw the license plates on cars doctored to execute SQL injection attacks but this is the first time, I think, that an attempt to crash all business SQL databases in a country is made. The company name is: ; DROP TABLE “COMPANIES”;– LTD ...

Read More

Don’t patch it, it’s fine?

I wrote back in 2013 about my shock at discovering that the companies are now publicly calling to stop the investment in security and avoid fixing security bugs in my article Brainwashing in security. There, we witnessed the head of Adobe security, Brad Arkin, tell us that the companies should not be wasting their precious ...

Read More

Data breach at LinkedIn

Apparently, there was a serious data breach at LinkedIn and many customer records were stolen including “member email addresses, hashed passwords, and LinkedIn member IDs”. LinkedIn sent out a notification informing that the passwords were invalidated. What is interesting in the note is that they included a cryptic note that the break-in was “not new”. ...

Read More

Position yourself on Security Maturity Grid

I wrote up the Security Maturity Grid the way quality management is usually presented. The grid is a simple 5 x 6 matrix that shows different stages of maturity of the company’s security management against six different security management categories (management understanding of security, problem handling, cost of security, etc). The lowest stage of maturity ...

Read More

Worst languages for software security

I was sent an article about program languages that generate most security bugs in software today. The article seemed to refer to a report by Veracode, a company I know well, to discuss what software security problems are out there in applications written in different languages. That is an excellent question and a very interesting ...

Read More

Backdoors in encryption products

After the recent terrorist attacks the governments are again pushing for more surveillance and the old debate on the necessity of the backdoors in encryption software raises its ugly head again. Leaving the surveillance question aside, let’s see, what does it mean to introduce backdoors to programs and how they can be harmful, especially when ...

Read More

CAST Workshop “Secure Software Development”

We are organizing the workshop on “Secure Software Development” now for the third year in a row. As usual, the workshop is in Darmstadt and the logistics is cared for by the CAST e.V. The date for the workshop is 12 November. This year most presentations seem to be in German, so probably it does ...

Read More
Copyright © Holy Hash! All Rights Reserved.