Some Favorites From Other Sites

GDPR: Conflicted Compliance - Contradicting rules are a bridge to nowhere

This SC Magazine piece looks at how balancing governance, risk and compliance is complicated enough in the U.S., especially for companies in highly regulated industries. Throw in international requirements and now you're dealing with regulations that contradict U.S. regulations directly. Read full story

A Very V-E-R-Y Long Day Without Software

The Veracode Blog story about making business people understand how devastating cyberthief and cyberterrorist attacks can be, and how remarkably dependent we are today on software. Read full story

GDPR Resistance is Futile

SC Magazine story about U.S. companies that are passionately resisting attempts to comply with GDPR. Why they are doing it and why it's self-defeating. Read full story

Digital transformation: How machine learning could help change business

This piece in Ars Technica discusses how ML has more than just a learning curve to overcome before it transforms business. Read full story

Hybrid AI Takes On Cybersecurity

This piece in SC Magazine discusses Hybrid AI's pros and cons. Read full story

Striking the Right Balance Between Security and Functionality

This piece in The Veracode Blog argues that doing security well is hard work, but it should never block useful functionality for your customers. If security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality, and certainly not to abandon the security. And yet two instances from this month suggest that is exactly what is happening. Read full story

Android App Holes Means You're On Your Own

This piece in The Veracode Blog discusses the latest discovery of "132 Android apps on Google Play infected with tiny hidden IFrames that link to malicious domains in their local HTML pages," according to the security firm that made the discovery. Read full story

The Wacky World of GRC

This piece in SC Magazine argues that few areas of technology are as contradictory as governance, risk and compliance. A company might do everything to be secure yet still not be in compliance. Read full story

Incident Response

This piece in SC Magazine discusses the overarching reality that in the first hours and even days following the detection of an incursion you truly know nothing. Were you perhaps breached more than a year ago and just learning of it now? Could someone on your team — intentionally or otherwise — be a factor? Not only do you know nothing in that first post-breach-discovery phase, but your initial probe might be more misleading than informative. So what should you do? Read full story

How About Some Shared Security Responsibility For Developers?

This piece in The Veracode Blog offers a reminder that app security has not yet arrived at its optimal state. Consider this piece from Kaspersky's Threatpost pointing out how reused third-party libraries perpetuate security holes long after those holes have been discovered and fixed upstream. Read full story

Some Surprises in the New New York Cybersecurity Regulations

This piece in The Veracode Blog discusses how, in the US, there exist no meaningful national cybersecurity rules, but, as a practical matter, that is likely to change this year. It's not coming from Congress. The catalyst is a set of new rules slated to take effect in March from the New York State Department of Financial Services. In financial areas, that New York department is typically mimicked by a wide range of other state regulators, along with federal regulators. Hence, de facto national rules. The rules themselves are not especially controversial, consisting primarily of security best practices: they insist on regular penetration testing and vulnerability assessments, establish strict encryption guidelines and require written access-control policies. Notably, however, the way they approach application security is somewhat novel, and the regulations do contain some language that might cause confusion. Read full story

After the Interview: Things One Journalist Wishes You Did

This piece in NewCo Shift discusses how a news story or feature article published by the right media outlet can have a massive impact on your business — good or bad. After all, most reputable publications have far more credibility than does any marketing collateral your company might craft, simply because the press are considered unbiased observers. Read full story

Got an Appointment with a Journalist? Here's What To Do Before the Interview

This piece in NewCo Shift picks up once you have made sure that reporters can reach you. Congratulations! You strategized reasons for them to want to talk with you, and now you have an interview lined up with a journalist from a relevant media outlet. Many companies never make it this far, so you've accomplished quite a bit. Now all you have to do is not blow it. Read full story

Apple's Abandonment Of Its Own App Security Deadline Is Bad For So Many Reasons

This piece in The Veracode Blog describes the most effective way to make life easier for cyberthieves, especially those who prey on ineffective app security: get one of the most powerful brands in computing to publicly declare a security deadline, and then have it quietly withdraw that deadline on the eve of its taking effect. Read full story

App Security Deserves Far More IT Respect

This piece in The Veracode Blog discusses how app security today is the Rodney Dangerfield of IT security. Everyone knows about it, but it gets no respect. Given that apps are granted ever-greater data sharing with other apps and the ability to update themselves—directly from the mothership—without IT signoff, isn't it obvious that this should soar to the top of the danger list? Read full story

How To Get Your Company Execs Quoted As Thought Leaders

This piece in NewCo Shift discusses how reporters absolutely love real thought leaders: smart people who offer surprising and useful insights. But true leadership is quite hard to find. If you make it easy for the media to catch your execs being brilliant, your business may well benefit. Read full story

Free Media is a Gift. Make Sure You Can Be Reached

This piece in NewCo Shift argues that the most persuasive kind of publicity is media coverage. Free media is more valuable than almost any other kind of marketing, except word of mouth, because it lets you tell the world the value of your offerings, and it comes with the validation of a third party (the publication). Nowhere is press coverage more crucial than for a budget-constrained start-up or small business. Read full story

New Visa Attack Hole Demands New Fraud Defenses

This piece in Sift Science covers what happened when security researchers published that a multi-merchant attack gave them effectively unlimited attempts at guessing Visa card fields (but not Mastercard fields): because each merchant enforces its own attempt limit, spreading the guesses across many merchants sidesteps the limit entirely. It was a reminder of the inherent fragility of payment card security today. Read full story

Holiday Short-Duration Sites Deliver Long-Duration Headaches

This piece in The Veracode Blog discusses the holiday season and the retail pop-up stores and seasonal sites. Those are all good for merchants, good for gift-seeking shoppers and potentially very good news for cyberthieves hoping for vulnerable sites that can fuel fraud. Read full story

GDPR

This piece in SC Magazine discusses what you need to know about how the EU's privacy rules could impact your business operations. Just because you don't do business directly in the EU, that doesn't mean GDPR won't impact your business. Read full story

Strengthening Your Security With Mundane—But Often-Overlooked—App Maintenance

This piece in The Veracode Blog discusses the often-repeated observation in security circles that a massive percentage of intrusions and breaches could be thwarted by the IT equivalent of eating your vegetables and exercising regularly. Whereas CFOs are often attracted to—or, in some cases, repelled by—the shiny objects of high-end security defenses, the mundane wash-your-hands-before-eating rules have the most impact. That means not reusing passwords, never clicking on unknown links, logging off before walking away and 50 other boring but amazingly effective tactics. Read full story

The Hidden Operational Costs of Fraud

This piece in Sift Science discusses that it's no secret that fraud is costly for online businesses. But are you tracking exactly where your money is going? A new report from Javelin research found that fraud costs merchants more than 7.5% of their annual revenue — a figure computed by looking at a combination of fraud management costs, false positives, and chargeback losses. Read full story

How Safe Is It Letting Google And Apple Be Your App Security Team?

This piece in The Veracode Blog discusses how malware threats are ever-present in mobile and this needs to be a top concern for IT execs, as they continue to issue millions of mobile devices to enterprise workers daily. Read full story

Processing Payments on the Web: 7 Things to Consider

This piece in PCMagazine discusses seven considerations to think about before you make the jump into payments processing on your e-commerce website. Read full story

Can Security And The App Economy Learn To Get Along?

This piece in The Veracode Blog discusses how the App Economy is steamrolling along and has the very legitimate potential to rewrite much of how businesses use technology. Uber obliterated yellow taxis, Pandora and Spotify have all but made FM radio irrelevant, and streaming video has forced TV and movie theaters into the back seat. Read full story

How To Avoid Security Scaring Your Shoppers

This piece in Sift Science discusses how security vs. convenience is always a delicate balancing act in e-commerce. But even if you're doing everything "right," security communication can be challenging. No shopper goes to a particular merchant because that shopper thinks the merchant's security is top-notch. Security perception can be a reason someone decides not to shop somewhere, but it's never a reason they decide to shop somewhere. Read full story

Geolocation Is A Nice Tool For Authentication, But It's Far From Perfect

This piece in Sift Science argues that geolocation is a very effective—albeit limited—tool to help authenticate a transaction. But Clifford Cook, senior vice president and head of product and marketing for the Retail Payment Solutions division at U.S. Bank, is wrong when he says the bank can validate that a transaction is legitimate. Not quite. Read full story

The App Security Battle Is Winnable, But Only If You Suit Up

This piece in The Veracode Blog asks how dangerous your app security holes are. Sadly, they are quite dangerous and getting far more so. In a study released Tuesday (Oct. 18) that examined billions of lines of code from 300,000 assessments performed over the last 18 months, a stunning 97 percent of Java applications contained at least one component with a known vulnerability. Read full story

Message Encryption Is Great—Depending On Who Has The Key

This piece in The Veracode Blog discusses how corporate execs are understandably worried these days about all of their electronic communications. Whether messages can be intercepted by corporate spies working for the opposition, government investigators snooping for terrorists or cyberthieves looking to steal what they can get, anything that is intercepted can wind up somewhere else. See Edward Snowden. Read full story

Has The Media Finally Figured Out The Importance Of App Security?

This piece in The Veracode Blog discusses how non-tech media outlets have figured out that applications make wonderful entry points for cyberthieves. Given the layers of complexity that many enterprise apps feature today, it's hardly surprising that they boast massive security holes. That message seems to be finally sinking in. Read full story

Will There Ever Be a Global Standard for Online Payments?

This piece in Sift Science discusses the idea of a single, standard way to pay for anything securely online. Sounds great, right? But does this ambitious vision actually stand a chance of happening? Read full story

Why Apple Won't Ever House A Security Backdoor

This piece in The Veracode Blog discusses how much has been written about Apple's official stance against giving law enforcement an encryption backdoor into its customers' files. Apple's firm position against a backdoor has been painted as a marketing decision, since it gives people a really good reason to buy Apple devices instead of Android or something else. Read full story

Verified by Visa is Abandoning Passwords. But Is It Too Little, Too Late?

This piece in Sift Science discusses the surprising timing of the world's largest card brand's pledge to abandon passwords for this one program: not by this year's holiday shopping season, nor by next year's. No, Visa's announced plan was to rid its Verified by Visa world of "password1234" by April 2018. Good to see that this authentication risk is being taken so seriously. Read full story

Security's Weak Communications Skills Can Undermine Safety

This piece in The Veracode Blog discusses how it's hardly a revelation that hardcore security veterans are not at the pinnacle of clear communication. And the more technical the talent, in general, the weaker the communication. For most in IT and almost everyone in corporate outside of IT, this is generally dismissed as a fact-of-life. Read full story

Gift Cards: The Cyberthief's Best Friend

This piece in Sift Science discusses the happy partnership between a fraudster and his gift cards. It's the perfect way to launder stolen funds while also getting a multi-day head start over law enforcement. Much of the reason involves how retailers handle—and, most critically, track—gift cards. Read full story

Can one CISO ever beat an army of IoT devices?

This piece in SC Magazine argues that the security threat from the Internet of Things (IoT) has become real because far too many of those sneaky IoT devices fly in under the radar. Corporate maintenance, facilities and operations departments are not accustomed to requesting IT's signoff on purchasing light bulbs or door locks. And yet, when those devices have their own independent—or dependent—communications capabilities, they are an easy backdoor for cyberthieves. Read full story

Could How A Shopper Types Be The Best Authentication?

This piece in The Veracode Blog discusses how it's not what you say, but how you say it. That piece of advice, which has been given to countless politicians and executives over the decades, might be the premise behind an intriguing new approach to biometric authentication. Although, to be precise, it's closer to "It's not what you type, but how you type it." Read full story

What Went Wrong With EMV? So Much.

This piece in Sift Science discusses how EMV payments were supposed to modernize payment card security in the U.S. But guess what? They haven't. There is still a fine chance that they will eventually be a huge fraud help in the U.S., but looking into the many deployment problems delivers a frighteningly accurate snapshot of U.S. bureaucracy. Read full story

Why Age Verification Needs To Be A Key Part Of Your Security Strategy

This piece in The Veracode Blog discusses how e-commerce is being radically changed by shoppers going mobile, and how that shift is disproportionately happening among younger consumers. At the same time, law enforcement and government regulatory attention is being focused on age violations. And yet the vast majority of companies have age-verification systems that provide almost no legal protection. Read full story

How Mobile Payments Can Win the Fraud Perception Game

This piece in Sift Science discusses how, when it comes to payment fraud fears and shopping behavior, there's a big difference between what people say and what they actually do. For example, studies show that debit card use is on the rise, despite the weaker fraud-liability protections on debit that make credit cards much safer overall. Those same consumers will tell surveys that they would never shop with a retailer that has suffered a major data breach, and yet those retailers never sustain a detectable drop in revenue. Read full story

All Marketplaces Should Be Concerned with Third-Party Fraud

This piece in Sift Science discusses one of the pitfalls of interpreting judicial decisions: it's easy to generalize (as in "this case means you had better no longer do X and Y"), whereas judges tend to be extremely specific (as in "this case with these exact players in these exact circumstances shouldn't do X and Y"). A classic example of this kind of misleading analysis is happening with an e-commerce fraud case, Gucci v. Alibaba. Read full story

If Security Isn't A Priority For Appdev, What Chance Does A Deployed App Have?

This piece in The Veracode Blog discusses one of the biggest security threats: enterprise mobile app testing is overwhelmingly focused on functionality, not security. Pen testing of apps to see what data they—or some third-party app they are integrated with—actually retain is hardly ever done prior to deployment, if at all. Why? Read full story

Multi-Factor Authentication For E-Commerce Makes Sense—Or Does It?

This piece in Sift Science discusses how fraud prevention has always been about striking the right compromise between convenience and security — and this is especially true in the world of e-commerce. Although multi-factor authentication will work wonderfully in banking and legal—where the end-user is just as worried about security as your CISO—in online retail, it's dicey. People don't typically visit an e-commerce site concerned about credit card fraud. Why make your virtual storefront more difficult to interact with than your competitors'? Read full story

False Decline Costs Are Worse Than We Thought

This piece in Sift Science discusses how, sometimes, research does little more than confirm what we already suspect, and in doing so forces us to confront an uncomfortable reality. Such is the case with new data about false declines. Fresh research from Business Insider puts the false decline problem front and center: "U.S. e-commerce merchants will lose $8.6 billion in falsely declined transactions in 2016, according to our estimates. This amounts to over $2 billion more than the $6.5 billion in fraud they will prevent." Read full story

Fighting fraud is one thing. Catching fraudsters is quite another.

This piece in The Veracode Blog talks about how crowdsourcing the hunt for security holes—aka bug bounties—has become an increasingly popular tech-firm tactic, bordering on Silicon Valley standard operating procedure. But as tempting as such an approach is, it's not without serious drawbacks. Read full story

Forcing Monthly Password Changes Only Helps The Thieves

This piece in The Veracode Blog discusses how, when protecting app data, the default response for years has been passwords. And as long as a company's data is solely defended by passwords, it makes sense to insist that they be changed regularly, no? Wouldn't such mandated periodic changes shorten the useful life of any credential a thief manages to steal? Turns out the answer is "no" to all of the above. Read full story

Fighting fraud is one thing. Catching fraudsters is quite another.

This piece in Sift Science discusses how fighting e-commerce fraudsters is a constantly changing game of point and counterpoint: we develop defenses against today's attacks, and then the fraudsters craft new attacks to sidestep our defenses. Wash, rinse, repeat. We've actually gotten quite good at defending against the common attack types, while cutting-edge approaches using predictive analytics help protect against more sophisticated attacks by detecting patterns that look like fraud. Read full story

Your Mobile Apps Retain A Lot More Than You Know. I Guarantee It

This piece in The Veracode Blog discusses a fact about mobile apps that is as true for Fortune 100 companies as mom-and-pops: Rare is the company that understands what data its mobile app retains. Read full story

The Fraudsters Who Don't Need To Hide

This piece in Sift Science discusses that online retailers know how fraudsters generally act: they conceal themselves behind bogus names and disposable IP addresses. Those HTML hoodlums are risking arrest by various levels of law enforcement, so they have to hide in the shadows. But what if that's not always true? What if some fraudsters are using their real names and aren't hiding at all? Read full story

To Weak Authentication, A Thief Looks Exactly Like A Cop

This piece in The Veracode Blog discusses an uncomfortable truth for IT to internalize: enabling access for a friend facilitates access for an enemy. This is what was behind the anti-backdoor argument that Apple aggressively made, albeit for non-altruistic sell-more-hardware reasons. In effect, if you provide an easy way for government investigators to access data, there's no reason to believe that bad guys won't use a variation of that to steal data. Read full story

Birkenstock Surrenders to the Fraudsters

This piece in Sift Science discusses how fraud-fighting is ultimately an ROI equation. How much time and how many resources can you justify, and how much will this investment reduce your fraud? Given that it's almost never cost-effectively possible to bring fraud down to zero, it's a balancing act. But one major manufacturer—Birkenstock, of sandal fame—has crunched the numbers and decided to give up and let the fraudsters win. Birkenstock has decided to no longer supply products to Amazon as of January 1. Read full story

Keeping Your Breach a Secret and Other Self-Destructive Decisions

This piece in The Veracode Blog discusses a delightful bit of survey happiness out of Ireland: a vendor survey found that "almost half of Irish businesses wouldn't disclose a data security breach to impacted third parties, including customers and suppliers." Even worse, these results likely underestimate how many execs agree with that thinking, but are shrewd enough to not share that with someone taking a survey. Read full story

Big Sales Events Shouldn't Mean Relaxed Fraud Defenses

This piece in Sift Science argues that the reason for the increase in fraud attempts is essentially the same whether it's in a store or online. Thieves take advantage of crowds, inexperienced temporary sales people and a perceived relaxing of fraud practices to hide their fraudulent behavior. Why do thieves expect fraud defenses to be relaxed during big sales events? Because, unfortunately, they often are. Read full story

App Encryption Soaring, But How It's Being Done Is Where Things Get Interesting

This piece in The Veracode Blog discusses a very interesting new Ponemon Institute report on app encryption, which concludes that app encryption usage is sharply increasing, as it has consistently for years. The report found 37 percent of the companies examined this year embrace enterprise encryption, up from 15 percent in 2005. Read full story

Is Mobile Authentication Really E-Commerce's Best Shot?

This piece in Sift Science argues that every strategy e-commerce businesses have against payment fraud—known in the payments world as CNP (card-not-present) fraud—comes down to a single concept: authentication. With a physical CP (card-present) transaction, there are plenty of easy ways to authenticate. Online, that task becomes a lot more challenging. Read full story

Think Your Data Leaks Are Limited To Your Databases? Think Again

This piece in The Veracode Blog talks about security professionals and how they spend an awful lot of time trying to protect sensitive corporate information, locking it away in virtual vaults, as they should. But they often neglect to protect the people who have the keys/combinations to those virtual vaults—in some cases, protecting those key-holders from themselves. Read full story

Obscured Data Can Be A Psychological Security Trap

This piece in The Veracode Blog talks about how encryption and tokenization are great security tools—when executed properly—because instead of protecting the data directly they attempt to make the data worthless to thieves. It's a great strategy. But when it's executed improperly, it can insidiously weaken security. This happens when IT gets cocky and overconfident that the data really would be worthless to attackers, and starts to get lax about implementing strong preventive controls, such as firewalls. Read full story

How Can Enterprises Still Be Victimized By Attacks That We've Known About For Decades?

This piece in The Veracode Blog talks about another major security hole reported last week (June 8). This report, from Talos, is about a hole that allows malicious files to be launched when anyone clicks on a PDF from within the Google Chrome browser. Read full story

The Peril Of Confusing A Security Researcher With A Cyberthief

This piece in The Veracode Blog notes that the security researcher's lot is not an easy one. This player is an essential part of the security ecosystem: an experienced security person who tries to find security holes in systems so that they can be flagged and fixed. The problem is that the good-guy security researcher—at a glance—looks and acts an awful lot like a bad-guy cyberthief. From the CISO's desk, how is one to tell the difference? Read full story

It's Time To Rethink The Password. Yes, Again

This piece in The Veracode Blog talks about how yet another prominent person in software security has suggested that the password needs to be done away with—and, as always, it is said as though it were a new idea. In reality, the security community has effectively agreed for more than a decade that passwords are no longer sufficiently secure to protect the sensitive data they are tasked with protecting. Read full story

If Government Data Threats Get Companies To Take Data Security Seriously, It May Be All Worthwhile

This piece in The Veracode Blog talks about how perceived security threats motivate IT people the same way they do everyone else. People react to how much a threat scares them, which sometimes has little relation to how truly threatening that threat is. Read full story

Security Needs to Start Deep Within the OS: And It Needs to Start Now

This piece in The Veracode Blog argues that enterprise security today is, at its most fundamental level, an afterthought. We take the OS, apps, databases and network controls as they are given to us, and then we try to Band-Aid the best security we can on top. We use firewalls and filters and VPN tunnels and encryption to try to limit the damage software vulnerabilities can do. As a practical matter, enterprise CISOs have little choice. Or do they? Read full story

When US-CERT Issues an Alert, Does IT Listen?

This piece in The Veracode Blog talks about how US-CERT (the U.S. Computer Emergency Readiness Team) issued an alert about an old SAP security hole after a vendor flagged that attackers were still exploiting it. Read full story

One Problem With Perimeter Security: Today's Networks Shouldn't Even Have A Perimeter

This piece in The Veracode Blog responds to a security consultant who argues that healthcare enterprises need to re-envision security by pulling information back from the network perimeter into servers, where everything is easier to control. It's a compelling argument until you get realistic and practical and focus on the reason enterprise networks exist in the first place. Read full story

Survival Instinct

A report for SC Magazine: some believe preparing an incident response plan is a useless precaution. Regardless, we must have them. Read full story

Peripheral Security Issues Today Are Anything But Peripheral

This piece in The Veracode Blog talks about Microsoft's optional security alert relating to peripherals, and specifically mice. Until the patch is applied, Microsoft said, the receiver could accept plain QWERTY key packets in keystroke communications issued to the RF addresses of wireless mouse devices from the receiving USB wireless dongles, meaning a device that is supposed to carry only mouse input can be made to inject keystrokes. Read full story

Badlock Is A Serious Hole, But How It Was Preannounced Is A Disgrace

This piece in The Veracode Blog talks about something unnerving—and even a tad repugnant—about announcing that there's a massive security hole and that it won't be patched for weeks. Welcome to Badlock. Read full story

What's Worse Than Missing An Attack Because It Was Obscured In A Sea Of False Alerts? Not Much

Penned for The iboss Blog: for IT security professionals today, few things are of greater concern than an attack that goes undetected. Read full story

The Apple-FBI Security Lesson: Redundant Protections Are Essential

Penned for The Veracode Blog: if there is a security lesson to be taken from the surreal FBI-versus-Apple encounter, it's that security redundancy is truly important. We're talking multi-layered security, where any one or two layers can completely fail and security is still maintained. Why? Let's look at the latest in the FBI-Apple encryption dance. And if any of you bought into the "this Apple fight is over" rhetoric, you haven't been paying attention. Read full story

Hospitals Are Security's Biggest Nightmare

This piece in The Veracode Blog talks about cyberattacks on hospitals that represent the true security nightmare scenario. It combines privacy risks far more severe than attacks on the largest banks or retailers with life-and-limb risks that rival remote takeovers of nuclear power plants and cars. Read full story

More SMBs let their guard down on cybersecurity

Wrote for Third Certainty about how, despite rising cyber exposures and intensifying attacks, small and midsize businesses may actually be regressing when it comes to defending their networks. Read full story

The Best Point-of-Sale (POS) Software of 2016

Reviewed Restaurant POS offerings for PCMagazine. Read full story

Jump directly to the individual reviews:
Aldelo POS Pro
PAR Brink POS
Posera Maitre'D POS
Revention POS
Action Systems Restaurant Manager
Menusoft Systems Digital Dining

Vulnerabilities still leave DNS—and businesses—wide open to attack

Looked at encryption and other protection measures for Third Certainty and explored whether they actually may make security more difficult. Read full story

JP Morgan Chase chapter offers frank lessons about insider theft

Wrote for Third Certainty about whether employees must be enlisted—and monitored—as part of security given that perimeter protection is no longer enough. Read full story

Cyber Arms Race Goes Nuclear With Quantum Computing

This piece in Fortinet discusses strong encryption, the security professional's arms race. Read full story