Washing Heartbleed out of your organization may take more than some people realize, according to Tammy Moskites, CISO at Venafi. "Because some organizations didn't understand the 'big picture,' they failed to fully remediate the problem. They did not revoke and replace all of their digital certificates, leaving their systems vulnerable to ongoing trust-based attacks."
A wide cross-section of devices shared a handful of common security holes, including lack of authentication to access or manipulate the equipment; weak passwords or default and hardcoded vendor passwords like "admin" or "1234"; and embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network.
Hans Zandbelt: Why Is SAML More Secure Than Passwords? First of all it is not just about SAML. SAML is a federated Web SSO protocol just like OpenID Connect or WS-Federation and any arguments for SAML would apply equally to any of the other protocols. Moreover, federated SSO protocols are token-based in nature, e.g. they use tokens to sign on users to applications instead of passwords. Thus any arguments in favor of SAML would apply equally to token-based protocols that have goals that are different from Web SSO, such as OAuth 2.0 or WS-Trust that focus on protecting APIs with tokens instead of passwords. So actually the question should be: "why are tokens more secure than passwords"?
Dan Verton: Condon to Assume Exec. Director Role for Trusted Identity Effort Mary Ellen Condon, a founding member of the federal CIO Council who's held multiple government and private sector IT positions, is taking over as executive director of the Identity Ecosystem Steering Group, the private sector-led organization tasked with developing policies and standards as part of the National Strategy for Trusted Identities in Cyberspace.
Anil John: Quantitative Criteria for Evaluating Identity Resolution Data at the RP Context matters when discussing identity resolution. Within the context of an identity proofing component, there are proprietary approaches used to resolve identity as a precursor to verification and validation. Given that, in this blog post I want to focus on the context of the RP, and see if there are any quantitative criteria it can use to effectively compare the information provided by the identity proofing component.
Keith Axline: The Universe Is Programmable. We Need an API for Everything Think about it like this: In the Book of Genesis, God is the ultimate programmer, creating all of existence in a monster six-day hackathon. Or, if you don't like Biblical metaphors, you can think about it in simpler terms. Robert Moses was a programmer, shaping and re-shaping the layout of New York City for more than 50 years. Drug developers are programmers, twiddling enzymes to cure what ails us. Even pickup artists and conmen are programmers, running social scripts on people to elicit certain emotional results.
Radiant Logic Announces ADAP, an Open Source REST API Layer for LDAP Radiant Logic announced "ADAP" (Adaptive Directory Access Protocol), a REST interface for LDAP directory services. The company is contributing the open source ADAP code to a Kantara Initiative working group, aimed at expanding the traditional Identity Management (IdM) segment to Identity Relationship Management (IRM).
The Future of the Identity of Things (Infographic) Ninety-five percent of C-level executives expect to be using IoT in the next three years, and other observations sure to spur debate.
Lisa Vaas: Bank of England to hire penetration testers to attack financial firms The Bank of England this year will hire penetration testers to poke and kick at the computer-system defences of more than 20 major UK banks and other financial players. As Lee Munson notes, pen testing can be as simple as asking somebody to try to guess your passwords. If even a technically unsophisticated person can guess that you're using "password" or "123456" (please tell us you're not), you know you've got some work to do!
IIW May 6-8; Mountain View, Calif. The Internet Identity Workshop, better known as IIW, is an un-conference that happens at the Computer History Museum in the heart of Silicon Valley.
Glue Conference 2014 May 21-22; Broomfield, Colo. Cloud, DevOps, Mobile, APIs, Big Data -- all of the converging, important trends in technology today share one thing in common: developers.
European Identity & Cloud Conference 2014 May 13-16, 2014; Munich, Germany The place where identity management, cloud and information security thought leaders and experts get together to discuss and shape the future of secure, privacy-aware, agile, business- and innovation-driven IT.
Gartner Catalyst - UK June 17-18; London A focus on mobile, cloud, and big data with separate tracks on identity-specific IT content as it relates to the three core conference themes.
Cloud Identity Summit 2014 July 19-22; Monterey, Calif. The modern identity revolution is upon us. CIS converges the brightest minds across the identity and security industry on redefining identity management in an era of cloud, virtualization and mobile devices.
Gartner Catalyst - USA Aug. 11-14; San Diego, CA A focus on mobile, cloud, and big data with separate tracks on identity-specific IT content as it relates to the three core conference themes.
Application Security Forum Nov. 4-6; Yverdon-les-Bains, Switzerland The conference is a well-established annual event dedicated to information, application and software security that features a full-day of training sessions and two days of conference sessions.