Blog Posts

9 Basic Rules for Using Crypto in Application Development


At its simplest, cryptography (or "crypto" in nerd parlance) is the study and practice of transmitting secrets securely between two parties in the presence of a third. Across the wide expanse of information technology systems and applications, crypto forms the foundation of trust for interactions that require confidentiality. One example is an online banking web application, which needs a secure means of transporting the user's authentication credentials from their web browser to the back-end server that houses the bank's

Continue Reading

What We See


He stood, arms akimbo, staring at himself in the mirrors of the dusky gym of his apartment complex. Breathing heavily through pursed lips, he seemed to admire himself. At his feet lay three pairs of dumbbells, 25, 30, and 35 pounds respectively. His dumbbell routine was part of today's upper body workout. He remembered how Maria had glanced at his chest as they chatted on that last walk with their friends. Well, we can't afford to disappoint the ladies, he thought,

Continue Reading



An ode to the dreamers…
The mountains, they call
The heights, they beckon
Will I stay
Will I watch
The mountains, they call
The heights, they beckon
The sounds, they draw
Will I go
Will I be lost

After NSA leak aids Cybercriminals, should Governments keep hoarding Security Backdoors?


Earlier this month, May 2017, hospitals, corporations, and government offices in 74 countries around the world were hit by ransomware attacks. Ransomware is malicious software that encrypts a computer's data with strong cryptographic algorithms and withholds the decryption key until the owners of the computer pay a ransom. Interestingly, the code used to craft the malicious software that compromised those systems with ransomware was derived from code developed by the United States' National Security Agency (NSA). The NSA had identified security flaws in

Continue Reading

Daily Stand-ups, the Bane of Agile Software Development – Part 2


See Part 1 of this series here. You might even be an agile pastor, and in that case you're probably thinking, "What an outrageous idea!" Maybe it is, but I still remember Rebecca. She is a wicked smart software engineer I once worked with. As I attended multiple meetings with different software teams as the designated "Security Expert", I gained a different perspective on Agile development. Rebecca always seemed tense. Actually, everyone on the team was smart, but they always seemed very

Continue Reading

8 Basic Rules for Handling Passwords Securely


Authentication, Authorization, Authentication… some say passwords have failed. They may be right, but passwords are still here. Software developers should expect users to select strong passwords, and likewise software users expect their data (including passwords) to be stored securely by software vendors. There never seems to be a wrong time to talk about this, considering the almost constant stream of data breaches. Here are 8 basic rules for handling passwords securely: Provide Brute Force Protection at Authentication Points: This defeats

Continue Reading

Windows Driver Security and Fuzzing Resources


An IOCTL (short for input/output control) is a system call for device-specific input/output operations and other operations that cannot be expressed by regular system calls. It is the interface through which user space communicates with device drivers. IOCTL interfaces are a primary attack surface for drivers (especially in less audited third-party or non-OS code) because they parse input supplied from user space, so that input must be validated properly: the lengths and any counts or offsets inside the buffer are all attacker-controlled. Vulnerabilities in
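To make the validation point concrete, here is an added example, not code from this post or from any real driver: a user-mode C model of a METHOD_BUFFERED IOCTL handler. It places the vulnerable pattern (trusting a count field inside the buffer) beside a hardened handler that checks the I/O manager's InputBufferLength, copies user data once, overflow-checks its size arithmetic and validates each entry, and finishes with a small deterministic fuzzer that mutates the count and the reported length the way an IOCTL fuzzer would. The IOCTL code, the request layout, the `range_t` wire format and the NTSTATUS-style constants are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* User-mode model of a METHOD_BUFFERED IOCTL handler. The IOCTL code, the
 * request layout and the field names are hypothetical, not DDK types. */
#define IOCTL_SET_RANGES 0x222004u
#define BACKING 256   /* real storage behind every constructed request */

typedef struct {
    uint32_t code;       /* IoControlCode */
    const uint8_t *in;   /* SystemBuffer: the I/O manager's copy of the user buffer */
    size_t in_len;       /* InputBufferLength: a value the user-mode caller chose */
} ioctl_request;
/* Input wire format (constructed for this example): uint32_t count, then `count` range_t entries. */
typedef struct { uint32_t start; uint32_t len; } range_t;

/* NTSTATUS-style results */
#define ST_SUCCESS                0x00000000u
#define ST_INVALID_DEVICE_REQUEST 0xC0000010u
#define ST_INVALID_PARAMETER      0xC000000Du
#define ST_BUFFER_TOO_SMALL       0xC0000023u

/* Vulnerable pattern: trusts the count inside the buffer and never consults in_len.
 * Returns the bytes it would go on to read; anything past in_len is an out-of-bounds
 * pool read in a real driver. (The model reads only the 4-byte header, which the
 * backing store always holds, so calling it here is safe.) */
size_t vulnerable_bytes_read(const ioctl_request *r) {
    uint32_t count;
    memcpy(&count, r->in, sizeof count);
    return sizeof count + (size_t)count * sizeof(range_t);
}

/* Hardened: lengths come from the I/O manager, user data is copied once (no
 * double fetch), size arithmetic is overflow-checked, every entry is validated. */
uint32_t hardened_handler(const ioctl_request *r, uint32_t *accepted) {
    *accepted = 0;
    if (r->code != IOCTL_SET_RANGES) return ST_INVALID_DEVICE_REQUEST;
    if (r->in == NULL || r->in_len < sizeof(uint32_t)) return ST_BUFFER_TOO_SMALL;
    uint32_t count;
    memcpy(&count, r->in, sizeof count);
    if (count > (SIZE_MAX - sizeof count) / sizeof(range_t)) return ST_INVALID_PARAMETER;
    size_t need = sizeof count + (size_t)count * sizeof(range_t);
    if (need > r->in_len) return ST_BUFFER_TOO_SMALL;
    const uint8_t *p = r->in + sizeof count;
    for (uint32_t i = 0; i < count; i++) {      /* entry bodies are untrusted too */
        range_t rg;
        memcpy(&rg, p + (size_t)i * sizeof rg, sizeof rg);
        if (rg.len == 0 || rg.start > UINT32_MAX - rg.len) return ST_INVALID_PARAMETER;
    }
    *accepted = count;
    return ST_SUCCESS;
}

/* Constructed input: `count` in the header, as many valid entries as fit in
 * the backing store, and whatever InputBufferLength the "caller" reports. */
ioctl_request make_request(uint8_t *backing, uint32_t count, size_t reported_len) {
    memset(backing, 0, BACKING);
    memcpy(backing, &count, sizeof count);
    size_t fit = (BACKING - sizeof count) / sizeof(range_t);
    for (size_t i = 0; i < fit && i < count; i++) {
        range_t rg = { (uint32_t)(i * 0x1000), 0x1000 };
        memcpy(backing + sizeof count + i * sizeof rg, &rg, sizeof rg);
    }
    ioctl_request r = { IOCTL_SET_RANGES, backing, reported_len };
    return r;
}

uint32_t status_for(uint32_t count, size_t reported_len) {
    static uint8_t backing[BACKING];
    uint32_t accepted;
    ioctl_request r = make_request(backing, count, reported_len);
    return hardened_handler(&r, &accepted);
}

size_t vulnerable_for(uint32_t count, size_t reported_len) {
    static uint8_t backing[BACKING];
    ioctl_request r = make_request(backing, count, reported_len);
    return vulnerable_bytes_read(&r);
}

/* Tiny deterministic (LCG-driven) fuzzer, a stand-in for a real IOCTL fuzzer: mutate
 * count and InputBufferLength, and count accepted requests that would have read past
 * InputBufferLength. A correct handler yields 0. */
int fuzz_hardened(int iterations) {
    static uint8_t backing[BACKING];
    uint32_t seed = 0x1234567u, accepted;
    int violations = 0;
    for (int i = 0; i < iterations; i++) {
        seed = seed * 1103515245u + 12345u;
        uint32_t count = (seed >> 8) % 40;            /* some counts exceed the buffer */
        seed = seed * 1103515245u + 12345u;
        size_t in_len = (seed >> 8) % (BACKING + 1);
        if ((seed & 0xFu) == 0) count = 0xFFFFFFFFu;  /* a size that fits nowhere */
        ioctl_request r = make_request(backing, count, in_len);
        if (hardened_handler(&r, &accepted) == ST_SUCCESS &&
            sizeof count + (size_t)accepted * sizeof(range_t) > in_len)
            violations++;
    }
    return violations;
}
```

With a caller that reports 12 bytes while the header claims 100 entries, `vulnerable_for(100, 12)` shows the handler would read 804 bytes, whereas `status_for(100, 12)` rejects the request. In a real driver the trusted lengths are `IoGetCurrentIrpStackLocation(Irp)->Parameters.DeviceIoControl.InputBufferLength` and `OutputBufferLength`; for METHOD_NEITHER there is no I/O-manager copy at all, so the user pointer must additionally be probed with ProbeForRead/ProbeForWrite inside a __try/__except block and captured into kernel memory before any of these checks run.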

Continue Reading

Why did Jesus Come?


As Easter draws near, the questions that often come to our minds (depending on our backgrounds) are: Who is Jesus? What was he about? Why did he die? Is he for real? I'll take a stab at a slightly different question: Why did he come? That's a loaded question. The others are important too, but understanding why he came, or was needed on earth in the first place, is a key that unlocks a ton of insights into the rest

Continue Reading

Learning Information Security


I often get asked, "How can I become a security expert?" or "What certifications can I take to improve my information security skills?" Daniel Miessler's insightful Guide to Information Security Certifications describes the content, cost, and purpose of numerous internationally acclaimed information security certifications.