
VP Innovation at Axway, Co-founder at Vordel

Mark O'Neill



Top Stories by Mark O'Neill

I saw this tweet this morning and I thought "+1" (I guess I am a geek if I am thinking in Digg/Slashdot shorthand). The problem is that in Information Security, "security" is all too often used to mean only encryption. A line is considered "secure" if it's encrypted. But often, the real "security" requirements are much broader and include management (as in access management, identity management), business continuity, defense against denial-of-service, and privacy. I think language is a big issue here. I've always found it interesting that in German, the words for "security" and "certainty" (Sicherheit, literally "sureness") are the same. In French, the words for "safety" and "security" are also the same (sûreté, again literally "sureness"). So, in those languages, "security" has a broad definition, incorporating senses of dependability, management, and safety. I can s... (more)

The Neglected Flipside of SOA Security

Joe McKendrick kicks off a thread on the current state of SOA Security. As usual, most discussion of SOA Security applies to "how SOA can be made secure". This is understandable. And, as some commentators have pointed out, there is a body of Best Practice out there on how to secure services in an SOA. For example, Randy Heffner provides lots of good advice on how to secure the services in an SOA. But there has been relatively little debate on the flipside of SOA Security: how SOA can apply to security. Because, really, "SOA Security" is two separate things, solving two separate ... (more)

How To Remove WS-Security Tokens From a SOAP Message

After you've validated a UsernameToken, or checked an XML Signature, it is often good practice to then strip out the WS-Security blocks containing items like tokens and signatures, before sending them downstream to a Web Service. In some cases, you are stripping these out because you don't want the password to remain in the message. In other cases, you may know that the downstream Web Service will choke on the WS-Security block. It also makes the message smaller. The Vordel XML Gateway ships with a built-in stylesheet for stripping WS-Security blocks from SOAP messages. You can s... (more)

Cloud Security or just Password Security?

In CSO Online, Pete Soderling questions whether the recent Twitter hack was more an indictment of weak password practices, rather than Cloud Security itself. Quote: In reading Twitter's description of the attack, it's apparent that once the attacker had obtained the password to a single e-mail account of a Twitter employee, he/she was able to execute password resets (using the 'Forgotten Password' function) on several other accounts. This enabled the attacker to use the compromised e-mail account as a springboard to access additional data stored elsewhere. It's the oldest trick... (more)

Beyond the Amazon Virtual Private Cloud

Amazon's Virtual Private Cloud allows Amazon EC2 instances to exist within a VPN environment, managed by an organization's existing network security infrastructure. As Steve Riley defines Amazon Virtual Private Cloud: Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources. http://stvrly.wordpress.com/2009/09/08/what-can-... (more)