Kudos to Microsoft for heading down this path and taking one more step closer to better password security. It is still not a perfect world scenario, but it is better than the basic controls inherent to the OS.
This is yet another Federal example of “Do as I say…not as I do.” There is no excuse for the Federal government not following and meeting or exceeding the standards it sets for websites and website security.
This is an excellent step forward in the effort to protect sensitive Google data. U2F is a strong, reliable authentication mechanism and will afford Google more flexibility as this program moves forward. There are certain limitations with mobile devices and third-party applications that will need to be navigated, but if someone finds himself or herself in a highly sensitive or high-risk situation, then this is the best security option available to date for the Google email ecosystem.
This article is a very intriguing read. The economics of software are hard, whether the applications are public-facing and for resale or the development is internal to an organization. Security is far too often an afterthought or a nice-to-have in the development cycle. True DevOps programs and security officers should partner. Instead, they compete.
Sadly, the only real mechanism that addresses these problems today is fear – fear of penalties and fear of non-compliance. We should be motivated by security itself – a desire to protect customer data, to provide a more secure, robust service. It will take consumers willing to demand such a high-caliber standard before the market will adjust and the economics will justify a more mature, secure development cycle.
Companies struggle to maintain PCI compliance within a year of meeting it, according to a new payment security report by Verizon.
Sadly, this is not surprising. Many businesses are chasing compliance and not seeking real security. They are trying to check boxes, not secure data. True data-centric security requires dedication and effort. It is not a package to purchase or a spreadsheet to fill out.
Though unabashedly sales-centric, this blog post by Fortinet provides a good overview of the intentions and goals associated with CIPA (Children’s Internet Protection Act). It is well worth a read, both as a parent and as a potential technology provider in the K-12 space.
This article is concerning, but not particularly surprising. Industrial security controls have, for far too long, been focused on obscurity and not true controls and monitoring.