More than most other engineering areas, information security is an elusive practice. Practitioners are called both geniuses and gurus, sometimes depicted as white-coated lab scientists and sometimes as mavericks. Is it a science or a religion? Is it based on empirical evidence, common sense or preconditioned beliefs? Does the data even exist?

This blog attempts to discuss those and related issues by breaking out of the walls of information security, exploring comparative practices as well as relevant research fields such as cognitive psychology and philosophy of science. Some of the specific areas discussed are: risk management, incident and vulnerability statistics, intellectual property, patents and the open source model, and the evaluation and categorization of information security tools.


Mines, fences and security analytics

Submitted by Ofer Shezaf on 5 August 2015 - 9:21am

Having a fence separating us from a potential intruder gives us a deep sense of safety. Given that all one needs is a wire cutter to cut through a fence, this safety notion is somewhat illusory, but still both common and psychologically helpful.

Security analytics is often no more than just another fence. Read more to learn why.

"Who can hack a power plug?": the information security risks of electric car charging

Submitted by Ofer Shezaf on 13 April 2013 - 10:46pm

I submitted a talk about hacking electric car charging stations to HackInTheBox in Amsterdam and was accepted. This is when the troubles started. Speaking at a hacker conference is a commitment. I could not just talk about the theoretical weaknesses but really needed to find some juicy stuff.

I had to find real hacks...

"Who can hack a plug?" at HackInTheBox, Amsterdam, April 11th

Submitted by Ofer Shezaf on 9 March 2013 - 11:10pm

After talking so much about application security, I decided to depart from the tried and true and venture into the unknown. At HackInTheBox 2013 in Amsterdam, on April 10th and 11th, I will talk about the security of one of the most important applications we use: our electric grid. Grid security is a broad subject, and I will focus on a more specific one: the security aspects of charging an electric car.

WAFEC 2.0 panel webcast on Feb 12th

Submitted by Ofer Shezaf on 5 February 2013 - 12:32pm

On Feb 12th we will be holding a WAFEC (Web Application Firewall Evaluation Criteria project) panel as part of an OWASP Israel meeting. You can join the panel remotely using OWASP gotomeeting services.


Innovation is the icing, but what about the cake?

Submitted by Ofer Shezaf on 28 January 2013 - 12:20am

In recent weeks I have met several companies focusing on innovation in security intelligence. Those encounters brought up an interesting challenge facing such innovations: in most cases the innovators have a good idea but find it too expensive to build the required infrastructure. There is no use for icing on a cake you cannot bake, after all.

What are the possible solutions? How does productizing innovation actually work? Can it be improved?

Do we know anything about security?

Submitted by Ofer Shezaf on 18 November 2012 - 11:36am

A recent thread labeled “vulnerability solution” on the SecurityFocus WebAppSec mailing list provides an insight into how much we know, or care, about information security. Mohamed Ali Ahmed asked about a vulnerability scanner that covers multiple use cases: applications, web applications, databases and platforms.

The answer is far from simple; however, most answers on the list were single-word recommendations for tools that would not provide the solution. Why so?

The Science in Ideation

Submitted by Ofer Shezaf on 22 October 2012 - 8:47am

Great ideas are critical for innovation; however, a common pitfall of the ideation process is the lack of systematic analysis of the idea after the initial ideation phase. As good and productive ideators are often also charismatic in selling their ideas, this critical step is often skipped.

A good example from the application security field is the new software security apprenticeship program suggested by Mark Curphey. Mark is the founder of OWASP, one of the more intriguing information security user communities out there, so we should probably hear what he has to say about a community project to make applications more secure.

Or should we?

Crowd Securing

Submitted by Ofer Shezaf on 15 October 2012 - 5:16pm

Two classic paradigm shifters from very different disciplines, but only three years apart, offer us insight into the role that each and every one of us has in providing security. While those 60s classics focus on physical security, their lesson may apply to cyber security as well.

Are there problems that do not require a solution?

Submitted by Ofer Shezaf on 29 September 2012 - 2:39pm

Within a day I read two very different and intriguing articles based on the same underlying assumption, namely, that there are problems that don’t have a solution because they are not really problems.

Are there such problems? Does the claim by Maxwell Wessel, a Harvard Business Review blogger, that large companies do not need to innovate because they excel at efficiency hold true for information security vendors?

What a way to start a year: 5 talks in a week

Submitted by Ofer Shezaf on 4 September 2012 - 4:06am

Next week will be a busy talking week for me, with 4 talks at HP Protect and another one at Source Seattle.