While any alternative to the cross-service password-sharing anti-pattern is an improvement, OAuth 2.0 also introduces some insecure flows to accommodate a broad range of use cases and to be as developer-friendly as possible. A previous post explores these assurance issues,…
One of the central pillars of the security model we built in our knowledge base at Burton Group was called “A Systematic, Comprehensive Approach to Information Security.” I’ve always found this model helpful to use in any security analysis so…
At the Cloud Identity Summit (CIS) 2013, Andre Durand led off the morning keynotes, followed by Gunnar Peterson and Patrick Harding with strong presentations of their own. Patrick’s presentation “Modern Identity: Automated, Discoverable, Scalable” brought Andre’s conceptual framework (reviewed…
Andre Durand, CEO, kicked CIS 2013 (#cisNAPA) off with “Identity – the Enabler of Next” – and if I don’t entirely like where “next” is going, that’s not his fault. Anyway, I’ll share Andre’s 9 observations and 1 AHA moment…
In a previous post, “REST Uneasy: Do we need to Worry about OAuth 2.0?” I raised a question which I’ll now attempt to answer in some detail. The OAuth 2.0 protocol is designed to improve security in scenarios where,…
As an information security officer, you don’t want to wait until you’re in the middle of a serious security breach to discover that the forensics, incident reporting and incident response processes of a cloud service provider (CSP) you’re depending on…