Point of View: Federal Personnel Data Breach


Government agencies are in serious danger from cyber threats. While many have a continuous network security program in place, most have spent very little time securing their applications. We are going to continue to see breaches of government agencies… at least the ones they choose to disclose.

I was offended to see the Obama administration comment, “The administration has never advocated that all intrusions be made public.” Breach visibility and transparency are critical to getting in front of our security issues. I thought the Obama administration shared this belief as well. Yet apparently when it’s their agencies getting hacked, they aren’t quite as quick to push for disclosure. Time to eat your own dogfood, executive branch.

I’ll just grade the disclosure… Overall I think it was a D/D+. They came off as belligerent, didn’t acknowledge their fault in the breach, and provided very few details. How about the people whose sensitive information was in the e-QIP database, including me? What am I supposed to do now?

  • Tone – F, not at all apologetic for their role in the breach
  • Timeline – C, some details, but 3 months is way too long to disclose
  • Scope – D, still investigating, unclear if control was lost
  • Size – B, they seem sure, I am unconvinced
  • Root Cause – F, no details whatsoever about defenses or attacks
  • Discovery – C, seems their IDS detected it
  • Remedy – F, none, not even credit monitoring?
  • Future – F, no details about what measures are being taken to prevent future breaches
  • Blame – F, immediately blaming China with no public proof. Attribution takes a LONG time.
  • Oddities – F, if the IDS detected the attack, how were they able to complete the exploit? Something is screwy here.
Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years.