Aug 08 2013

Security Development Lifecycle Training

Last year we tried to outsource our classroom-based training (CBT) for our SDL effort to a third party…that didn’t go so well. I don’t want to mention the name of the company we used but we were disappointed enough with the first round of the training and we decided to go our own route.  To that end I was tasked with creating the content for the training…and I have been heads down most of the time this year working on several classes:

  • Threat Modeling
  • Secure Coding in C and C++
  • Secure Coding C#

The Threat Modeling class has been completed (although it could stand to be updated and cleaned up a bit).  The Secure Coding in C and C++ class was completed but the feedback I got from my second group of attendees was that they’re doing development on the ARM processor platform and they wanted to see the exploits in the hands-on lab exercises on that platform.  The Secure Coding in C# is still being built out.

The good news is that I have been able to get a Debian Linux image built (with a GUI interface) for the Secure Coding in C and C++ class using the QEMU ARM emulator.  The next step is to setup the networking so that I can pull additional packages into the image and build out a complete development environment.  This has been driving me crazy for the past couple of months because the installer for the image and the QEMU disk image were constantly giving me problems.  Today was a “Good” day…


No responses yet

Mar 24 2011

Smart Grid Security Vulnerabilities?

Published by under Security,Smart Grid

I’ve been working for Itron for the past 14 months of which the last 5 have been as the Security Engineering Team lead for the company.  I need to keep abreast of current security trends in terms of the Smart Grid industry (I’m not going to go into the discussion of Smart Grid vs. AMI at the moment) and every so often I come across some rather glaring mistakes in information that, if not corrected, can lead to significant, unnecessary concerns about the security of Smart Grid or AMI deployments.  Normally I’m not that picky about correcting such mistakes but this one, in my opinion, needed some response as opponents of Smart Grids could use this as part of their arguments against Smart Grid technology and deployments.

Case in point is Guido Bartels‘ “Combating Smart Grid Vulnerabilities” article in the March 2011 issue of the Journal of Energy Security.  On the whole, this article is spot on.  I think Mr. Bartels does an excellent job in laying out the case for the efforts being done to secure Smart Grid deployments by utilities and by vendors as well.  I only have one small issue with the article and that is the incorrect use of a graph titled “Number of New Smart Grid Vulnerabilities”.  This graph, developed by IBM‘s X-Force can also be found here.  This graph is actually a histogram of the number of new vulnerabilities identified by IBM’s X-Force Research and Development team over the period of 2000 to the first half of 2010.  Unfortunately it is incorrectly labeled in the article and I hope that the editors will do their readers a kind service by correcting the faulty title of the graph.

No responses yet

Aug 24 2009

ISSA Journal Article

Published by under architecture,Security

I wrote an article that was published in the ISSA Journal in August 2009. The topic of the post was “De-perimeterized Architectures” and focuses on the Jericho Forum‘s work on a next generation architecture that accommodates the fact that the network perimeter is becoming more porous and passing more and more traffic in newer protocols than ever before.

A direct link to the article is here. (Be aware that you need to be a member of ISSA and must login to the ISSA website to read the article).

No responses yet