Tuesday, February 7, 2017

Let's say "TLS" instead of "SSL"

A trend I've noticed within information security circles is using the term "SSL" when we actually mean "TLS".  TLS is the newer and more secure replacement for SSL: TLS 1.0 was published by the IETF as RFC 2246 in 1999, and the protocol has since been revised as TLS 1.1 and TLS 1.2.  All versions of SSL, even the latest SSLv3 flavor, are considered insecure at this point.  SSLv3 was the one that held on longest, and it was finally killed off by the POODLE padding-oracle attack in 2014 and formally deprecated by the IETF in RFC 7568 the following year.

Saying "SSL" is a habit.  Our infosec minds auto-translate it to "TLS", but there are interesting, concrete reasons the IETF chose the name TLS back in 1999.  In addition, words have meaning, and many people who don't eat, drink, and sleep security aren't up to speed on the nuances of this stuff.  That includes millions of IT personnel who are responsible for configuring servers securely, and it includes the newbies who enter the infosec field every day.  If someone has only ever heard "SSL", it is not obvious to them that "SSL" is exactly the thing they are supposed to turn off.
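The naming confusion isn't just in our heads; it is baked into the tools.  Python's TLS module is still called `ssl`, and nginx's `ssl_protocols` directive is where you configure TLS.  The following example is mine (added for this post, not code from the original) and shows how a server or client operator would enforce "TLS only" with that misnamed module: build a context that refuses SSLv3, TLS 1.0 and TLS 1.1, and then check which protocol versions the context would actually negotiate.  The helper `negotiable_versions` is my own and assumes only the public `SSLContext.minimum_version` / `maximum_version` API; no network connection is made.

```python
import ssl

# Protocol versions the stdlib `ssl` module knows about, oldest first.
# Everything before TLSv1_2 is considered broken or deprecated today.
KNOWN_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def tls_only_context() -> ssl.SSLContext:
    """Return a context that will only speak TLS 1.2 or newer.

    Despite the module name, nothing here is SSL: create_default_context()
    already disables SSLv2/SSLv3, and pinning minimum_version also drops
    TLS 1.0 and 1.1, which have known weaknesses (BEAST, weak MACs) and
    are disabled by most hardening guides.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiable_versions(ctx: ssl.SSLContext) -> list:
    """List the protocol versions `ctx` would agree to negotiate.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinel values meaning
    "no lower/upper bound beyond what OpenSSL supports", so they are
    treated as open-ended rather than compared numerically.
    """
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    allowed = []
    for version in KNOWN_VERSIONS:
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        allowed.append(version)
    return allowed


def legacy_protocols_disabled(ctx: ssl.SSLContext) -> bool:
    """True when SSLv3, TLS 1.0 and TLS 1.1 are all refused by `ctx`."""
    allowed = negotiable_versions(ctx)
    legacy = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
    return not (legacy & set(allowed))


if __name__ == "__main__":
    ctx = tls_only_context()
    print("Negotiable:", [v.name for v in negotiable_versions(ctx)])
    print("Legacy protocols disabled:", legacy_protocols_disabled(ctx))
```

The same idea on the server side is a one-liner in nginx, `ssl_protocols TLSv1.2 TLSv1.3;`, which is a good illustration of the point: the directive says "ssl" and the only values you should ever put in it are TLS versions.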

Information security professionals can be arrogant.  If someone isn't as knowledgeable as they are, that person gets called stupid.  For example, application security experts tend to denigrate developers for writing insecure code.  That bothers me a lot.

Here's another example:

So people who don't know about SSL vs. TLS are not clever.  Nice.

Years ago I didn't know much about security.  I was a developer and appreciated the opportunity to learn from others.  So let's be technically accurate and say "TLS", even if it turns out to be a losing battle in the end.


Friday, January 27, 2017

Webinar - Intro to Security Testing

I haven't done much blogging for a while.  I will be doing more posts this year.  At least that's one of my new year's resolutions!  Some of my posts will be original content residing here, but others will be links to articles or posts I've done elsewhere.

I'd like to start 2017 by sharing a link to a webinar I did in 2015, aimed at anyone who wants to dip their toes into the world of web application penetration testing.  The webinar was produced for the uTest Community, so you need a uTest account to view it.  Signing up is easy and free, though.

I'm proud to say the uTest community has given my webinar a stellar rating of 4.86 stars out of 5!  If you are new to the field of manual appsec testing, I'm sure you'll find it helpful.  Pro tip: install and learn Burp Suite; nearly everything in the webinar is done through an intercepting proxy.

The webinar is here: 
https://www.utest.com/courses/recorded-webinar-introduction-security-testing-dave-ferguson

Enjoy.
