Archive for the Category Personal


Hello?

You still there? :)

I sure am. And while I have been away from writing on the blog for almost a year now, I'm looking forward to using this blog in the future as I did in the past. The past year has been busy with finishing school, starting work, etc.

Nothing much has changed with regards to security. Software is still like Swiss cheese. Still, companies generally aren't that concerned with security - it won't happen to us, right? Why would anyone target a Swedish company? That never happens… Luckily, this is what keeps me busy all day - and probably will for some time.

Expect me to be a bit more active here in the future than I have been in the past.

Certifications of products and staff - a bad thing?

There is an ongoing debate everywhere, and has been for years, about certifications, standards and regulations - for IT/IS security staff, related processes and procedures, management and of course security products. They are supposed to aid us in separating the wheat from the chaff - security experts from the network administrators, good software development practices from bad, and not least, good security management practices from bad.

However, I think we in general put a lot of effort into making complex problems easy. And I think certifications are such a case. In the worst cases, I think certifications might make people, processes and companies lazy when it comes to security. Why? Because they contribute to the feeling of being "enough", although they might not be. Let's look at some examples:

What is a security expert and a professional? Many of us agree that calling ourselves experts and professionals might be a bad thing. We would much rather have someone else call us that, right? Here is where security certifications come in handy, because they label us as professionals and experts (like CISSP, Certified Information Systems Security Professional), if we only pass some small tests. Most people agree that these certification tests are unrealistic, easy and don't mirror the real world. So, how much expertise does such an expert actually possess? Due to the relative ease of getting such a certification, it is a short route to being acknowledged as an expert.

Similarly, what is a secure product? Common Criteria and their product certifications claim to answer that question, by evaluating products against the specifications of "a secure product". However, the level of detail in these specifications is low, they (can) assume unrealistic environments for the product to be placed in and, as the name implies, it is all too "common", and can be applied to all sorts of products. As with personal certifications, product certifications can be a short route to being called and considered secure. Although a Common Criteria certification process is exhaustive and expensive, it might keep vendors from focusing on the real flaws - and once the certification is in their hands, they might consider their security efforts to be "good enough". Which might not be the case.

In the real world, there is no guarantee that a CISSP-certified person has the level of expertise required for a security job. Similarly, a Common Criteria certified product doesn't mean that it won't have flaws. In my opinion, efforts, results and experience constitute expertise, and the security of a product isn't concerned with facts such as "number of vulnerabilities" or "number of zero-day exploits", but with how these issues, such as flaws and vulnerabilities, are handled.

Sensitive Data on a Mobile Device - Bachelor of Science thesis

I've just uploaded my BSc thesis with the subject Sensitive Data on a Mobile Device - An analysis of risks, threats and their mitigations. The thesis was finished in late June, but somehow I hadn't uploaded it. The following is simply a snip of the entry available under the documents category.

Sensitive Data on a Mobile Device - An analysis of Risks, Threats and their mitigations.

Bachelor of Science Thesis

Collaboration with Svenska Handelsbanken and The Royal Institute of Technology
10 academic points, which is 10 weeks of active work

Download as PDF