Chiron Codex: helping software engineers become centaurs.
Author Archives: Graham
YOUR development team needs security engineers
If your engineers don’t have much security expertise, it can be tempting to bring in a consultant. That can be a good way to bootstrap a security process, but the process then needs to be owned …
Posted in Uncategorized
On McAfee
Today, Apple’s CPU/motherboard supplier Intel announced that it will acquire McAfee, in a deal worth nearly $7.7B. While this is definitely big bucks, it doesn’t seem like terrifically big security news. Intel probably don’t want the technology. McAfee is the …
On voices that matter
In October I’ll be in Philadelphia, PA talking at Voices That Matter: Fall iPhone Developers’ Conference. I’m looking forward to meeting some old friends and new faces, and sucking up a little more of that energy and enthusiasm that pervades …
Posted in code-level, iPad, iPhone, Talk, threatmodel, tool-support
On stopping service management abuse
In chapter 2 of their book The Mac Hacker’s Handbook (is there only one Mac hacker?), Charlie Miller and Dino Dai Zovi note that an attacker playing with a sandboxed process could break out of the sandbox via launchd. The …
On private methods
Let’s invent a hypothetical situation. You’re the software architect for an Objective-C application framework at a large company. This framework is used by many thousands of developers to create all sorts of applications for a particular platform. However, you have …
Posted in code-level, iPad, iPhone, Mac, PCAS, software-engineering
On authorization proxy objects
Authorization Services is quite a nice way to build discretionary access controls into a Mac application. There’s a whole chapter in Professional Cocoa Application Security (Chapter 6) dedicated to the topic, if you’re interested in how it works. The …
Posted in Authorization, code-level, Mac, PCAS, software-engineering
NSConference MINI videos available
During WWDC week I talked at NSConference MINI, a one-day conference organised by Scotty and the MDN. The videos are now available: free to attendees, or $50 for all 10 for non-attendees. My own talk was on extending the Clang …
Posted in code-level, NSConf, software-engineering, tool-support
On Trashing
Back in the 1980s and 1990s, people who wanted to clandestinely gain information about a company or organisation would go trashing.[*] That just meant diving in the bins to find information about the company structure – who worked there, who …
Posted in Business, Data Leakage, Policy, Twitter
On detecting God Classes
Opinion on Twitter was divided when I suggested the following static analyser behaviour: report on any class that conforms to too many protocols. Firstly, a warning: “too many” is highly contextual. Almost all objects implement NSObject and you couldn’t do …
Posted in code-level, iPad, iPhone, Mac, software-engineering, tool-support
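One way to implement the check described above, as an added example that is not code from the original post or from the Clang-based analyser it refers to: a small Python script that scans Objective-C header text for @interface declarations, merges the protocol lists across a class and its categories, leaves out a baseline set (NSObject, which nearly everything adopts) and reports classes above a configurable threshold. The header text, the class names and the threshold of 4 are constructed for the example; the script uses a regular expression rather than a real parser, so it is a triage tool rather than a replacement for a compiler-based check.

```python
"""God Class heuristic: flag Objective-C classes that adopt many protocols.

Added example, not code from the original post. Regex-based, so it is a quick
triage tool; a Clang-based checker would see the real AST.
"""
import re

# Matches "@interface Name : Super <P1, P2>" and "@interface Name (Category) <P3>".
# The protocol list may span several lines, so [^>]* is used rather than \S.
# Known limitation: lightweight generics ("@interface Foo<T> : NSObject") would
# have <T> read as a protocol list; headers of the post's era do not use them.
INTERFACE_RE = re.compile(
    r"@interface\s+(?P<name>\w+)"           # class name
    r"\s*(?:\(\s*(?P<category>\w*)\s*\))?"  # optional (Category) or () extension
    r"\s*(?::\s*\w+)?"                      # optional : Superclass
    r"\s*(?:<(?P<protocols>[^>]*)>)?"       # optional <Protocol, ...>
)

# Protocols nearly every object adopts; counting them would flag everything.
BASELINE_PROTOCOLS = frozenset({"NSObject"})


def parse_interfaces(header_text):
    """Return {class_name: set(protocols)} merged over the class and its categories.

    A category that adopts extra protocols still adds responsibilities to the
    class, so the counts are aggregated by class name.
    """
    classes = {}
    for match in INTERFACE_RE.finditer(header_text):
        protocols = match.group("protocols") or ""
        names = {p.strip() for p in protocols.split(",") if p.strip()}
        classes.setdefault(match.group("name"), set()).update(names)
    return classes


def find_god_classes(header_text, threshold=4, ignore=BASELINE_PROTOCOLS):
    """Return sorted [(class_name, [protocols])] for classes adopting more than
    `threshold` protocols outside `ignore`.

    The threshold is deliberately a parameter: what counts as "too many"
    depends on the code base being analysed.
    """
    flagged = []
    for name, protocols in parse_interfaces(header_text).items():
        counted = sorted(protocols - set(ignore))
        if len(counted) > threshold:
            flagged.append((name, counted))
    return sorted(flagged)


# Constructed sample header for the example (not taken from any real project).
SAMPLE_HEADER = """
@interface AppDelegate : NSObject <NSApplicationDelegate, NSTableViewDataSource,
    NSTableViewDelegate, NSTextFieldDelegate, NSWindowDelegate>
@end

@interface AppDelegate (Networking) <NSURLConnectionDelegate>
@end

@interface Person : NSObject <NSObject, NSCopying, NSCoding>
@end

@interface Helper : NSObject
@end
"""

if __name__ == "__main__":
    for name, protocols in find_god_classes(SAMPLE_HEADER, threshold=4):
        print(f"{name}: conforms to {len(protocols)} protocols: {', '.join(protocols)}")
```

Run against the constructed header, AppDelegate is reported (six protocols once its Networking category is merged in) while Person, which adopts NSObject explicitly plus two more, stays under the threshold. Lowering the threshold changes the answer, which is the point of the warning in the post: the number has to be tuned per code base rather than fixed in the analyser.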
On Fitt’s Law and Security
…eh? Don’t worry, read on and all shall be explained. I’ve said in multiple talks and podcasts before that one key to good security is good user interface design. If users are comfortable performing their tasks, and your application is …
Posted in iPad, iPhone, Mac, threatmodel, UI, user-error