Dan Griffin's Blog

See you @ ToorCamp 2012

dan — Mon, 14 May 2012 23:36:42 +0000

I’ll be presenting a talk entitled Hacking Measured Boot and EFI.

The Many Flavors of Authorization Claims

dan — Wed, 09 May 2012 15:04:41 +0000

The May 2012 edition of the JW Secure Informer newsletter is now out. Learn more about authorization claims here.

Great new AWS support for .NET & SQL

dan — Wed, 09 May 2012 14:58:19 +0000

Amazon Web Services has announced built-in support for .NET developers in their easy scale-up fabric, Elastic Beanstalk, as well as support for SQL Server in their hosted relational data store, RDS. Pretty cool stuff for developers using the Microsoft/Windows tool chain. Full announcement is here.

Real security is different from compliance

dan — Mon, 07 May 2012 14:44:32 +0000

Couldn’t resist doing a post on this table, which makes some excellent points:

However, the axis that’s missing here is customer demand. After all, how “real” can security be if nobody’s buying? Not that customers aren’t buying from both columns – they are. But why should there be this dichotomy, perceived or otherwise, between Compliance versus Real Security? Customers as well as technology vendors (not to mention government) share responsibility for that perception. The industry is better served by products that blur those lines.

Check out our Android integration capabilities

dan — Tue, 03 Apr 2012 23:10:14 +0000

Captured by our new Android technology website page, and exemplified by the mobile health claims solution we demonstrated at the RSA conference this year – and which also included a Windows Phone “Mango” version – JW Secure are experts in device identity. Need a custom security solution on Android and don’t want to confuse your users? We’ve got that covered.

Informer v13: Endpoint Security

dan — Mon, 26 Mar 2012 20:28:49 +0000

What is it about networked computers that allow them to be so easily hacked? Find out in the JW Secure Informer newsletter.

Informer v12: Business Agility, Structured Storage

dan — Mon, 26 Mar 2012 20:25:11 +0000

High-growth businesses have advanced IT needs that can only be met by a combination of services and resources that are internal and external, off-premise and on-premise. The best line of business storage solutions are those that offer the interoperability of SQL, the rapid provisioning benefits of the cloud, and the security benefits of on-premise storage.

Learn more in the JW Secure Informer newsletter.

New SmartUtil available for Windows 8

dan — Wed, 14 Mar 2012 22:38:59 +0000

SmartUtil version 1.0.3.1 is now available for download here. It supports Windows versions Vista through 8, including the new virtual smart card device.

Mobile Computing Revealed – Tonight!

dan — Wed, 14 Mar 2012 16:38:32 +0000

Come check out Mobile Computing Revealed, hosted tonight in Bellevue by Seattle Technical Forum. Event details and registration are here. I’ll be presenting Mobile Health Claims, including two of the demos that we did this year for RSA.

Cloud is RAD on steroids

dan — Mon, 05 Mar 2012 21:59:21 +0000

We (JW Secure) used cloud computing as the foundation for all four of the “live” security demos we showed at our booth at RSA last week:

Mobile Health Claims: the backend consists of a consumer banking web service and a custom security token service (STS), both of which are running on Windows Azure. The frontend consists of a mobile checking app for Android and Windows Phone. Device identity is tightly bound to user identity, and only devices with up to date firmware and operating system versions are allowed to perform high-value transactions such as fund transfer.
TPM Health Claims: the backend consists of a Windows web server running in Amazon EC2. The frontend is a web page with an ActiveX control. The control allows the user to sign into online checking only from a host that meets a certain security bar (anti-malware signatures are up to date, firewall is on, etc.). Health data is submitted in the form of SAML claims, signed by a private key protected by the client Trusted Platform Module (TPM).
Secure Boot and Remote Attestation: the backend consists of a line of business (LOB) web service and an STS, both in Azure. The web service implements a purchase order submission and approval workflow and interfaces with a front-end Metro-style GUI. Purchase orders can only be approved if the host TPM is trusted and the boot log is clean.

See a recurring theme? LOB services deployed to the cloud. This is the new state of the art when it comes to Rapid Application Development (RAD). If you’re an LOB development shop and you’re not taking advantage of the latest toolkits (Ruby on Rails, ASP.NET MVC) and cloud application fabrics (Heroku, Azure), then you’re probably not deploying new business capabilities as quickly as you could be.