User-Interface design: an overlooked security matter

Human error is one of the most overlooked threats to most IT systems. A low level of user acceptance of security features can be one of the most challenging parts of transforming a company into a secure organization. KISSS: Keep it Simple, Stupid and Sexy. The last S from this new version […]

Risk management as a decision tool: a synthetic diagram

Whatever reference you might use (ISO27001, the NIST Cybersecurity Framework, the Australian ISMF, the German IT Grundschutz, …), all information security frameworks have risk management at their core. Some people think of risk management as a painful and lengthy process used to justify security expenses or to achieve compliance with a standard. It can be just that. But, first of […]

If there was only one, what would be the security behaviour change you’d like to see?

If you have a very limited budget and you can only focus on one security awareness activity focused on one message, on one behaviour, what would it be? Tough question. It was asked by Dr Jessica Barker during the last (ISC)² Secure Summit in Amsterdam. There were hundreds of security professionals in the room. The […]

How do penalties affect your security policies effectiveness?

One of the requirements of any decent policy (and law) is having a penalty linked to its non-observance. In penal law, « Nulla lege sine poena » (no law without punishment) is one of the corollaries of the famous principle « Nullum crimen, nulla poena sine lege » (no crime, no punishment without a law). From a behavioural point […]

No, a virtual machine is not as safe as a physical one!

This week, during the CanSecWest 2017 Conference in Vancouver, British Columbia, the PWN2OWN™ contest organized by the Zero Day Initiative is being held. A team carried out an attack on Microsoft’s Edge browser that allowed them to escape the VMware Workstation virtual machine in which it ran. This exploit earned them a $105,000 reward. On the same […]

9 tips to improve the security of your web applications

Whether you are a student, a TV show fan, a small online shop, a small enterprise or a large corporation, you likely have a web site connected to the world wide web. You probably didn’t develop your website in PHP or in Java by yourself but rather used one of the existing (some being free of charge) frameworks […]

When controls make you lose control

For some time now, the same observation has kept coming up throughout my various assignments: some controls do more harm than good. In particular, indicators and measurement systems of all kinds. When we set up a security management system (whether compliant with the ISO27001 standard or not), an IT governance […]
